
SANS Stormcast: Securing the Edge; PostgreSQL Exploit; Ivanti Exploit; WinZip Vulnerability; Xerox Patch

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9328.mp3


My Very Personal Guidance and Strategies to Protect Network Edge Devices
A quick summary to help you secure edge devices. This may be a bit opinionated, but these are the strategies that I find work and are actionable.
https://isc.sans.edu/diary/My%20Very%20Personal%20Guidance%20and%20Strategies%20to%20Protect%20Network%20Edge%20Devices/31660

PostgreSQL SQL Injection
A follow-up to yesterday's segment about the PostgreSQL vulnerability: Rapid7 released a Metasploit module to exploit the vulnerability.
https://github.com/rapid7/metasploit-framework/pull/19877

Ivanti Connect Secure Exploited
The Japanese CERT observed exploitation of January's Connect Secure vulnerability.
https://blogs.jpcert.or.jp/ja/2025/02/spawnchimera.html

WinZip Vulnerability
WinZip patched a buffer overflow vulnerability that may be triggered by malicious 7Z files.
https://www.zerodayinitiative.com/advisories/ZDI-25-047/

Xerox Printer Patch
Xerox patched two vulnerabilities in its enterprise multifunction printers that may be exploited for lateral movement.
https://securitydocs.business.xerox.com/wp-content/uploads/2025/02/Xerox-Security-Bulletin-XRX25-003-for-Xerox-VersaLinkPhaser-and-WorkCentre.pdf
Podcast Transcript

Hello and welcome to the Tuesday, February 18th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, today's diary was a little bit more of an opinion piece, but with a practical background. And that's because we are seeing so many vulnerabilities in these edge devices. CISA and a couple of other international, also government agencies, did come up with their guidance. I found it a little bit too abstract in some ways, so I wanted to distill it down in particular with sort of a small, medium-sized business background, and what you can do to really make an impact here and reduce your attack surface. And that's really one of the big things: reduce your attack surface. Don't expose those admin interfaces. Expose as little as possible. Never expose a web application that you don't have to expose. Simple SSH access, maybe a VPN like OpenVPN or WireGuard or whatever your preferred VPN technology is. And even at that, you know, leave it at one VPN technology. Don't have like two or three exposed. That'll make life so much easier. And then, of course, patching and such follows. But that then becomes a little bit less important. And it's one of those things where you don't have to be quite behind it to really get stuff updated as quickly as possible if you're not exposing a lot of these vulnerable services. Well, take a look. Any feedback here is very welcome. If there is anything that you would do different or maybe rank here a little bit different, let me know.

And then a little bit of an update to the Postgres vulnerability that I talked about yesterday. That vulnerability, well, there is a Metasploit module out for it. So consider it already being exploited. Forgot to mention that yesterday. But given that Rapid7 did the original write-up and Rapid7 is the company behind Metasploit, no surprise that they also came out with a Metasploit module to exploit this vulnerability.

And the Japanese CERT is reporting that they're seeing exploits against a vulnerability in Ivanti Connect Secure. This vulnerability was originally disclosed and patched in January. The particular botnet that the Japanese CERT is observing here, they're calling it Spawn, or this particular vulnerability Spawn Chimera is what they're calling it. Not sure if it goes by any other names. The advisory from the Japanese CERT is only in Japanese. I'll still link to it; probably with Google Translate and such you'll still be able to make sense of it. Interestingly, this particular exploit also patches the vulnerability for you. Now, it does not use the original patch. This particular vulnerability is a buffer overflow. So they're actually just hooking into the string and copy function, limiting it to 256 bytes. That way, they're preventing the buffer overflow from being exploited.

And we have more buffer overflow vulnerabilities in compression software; this time it's WinZip's turn. When it decompresses 7-zip formatted compressed files, it may encounter a buffer overflow that then leads to arbitrary code execution. A patch was released. If you're running WinZip version 29 or later, you should be good.

And Xerox fixed a couple of vulnerabilities in its enterprise printers. We all love printers and the vulnerabilities they bring us. The one interesting vulnerability here, I think, is a credential interception vulnerability with SMB and FTP where essentially it's possible to intercept NTLM hashes. Patches are available for these printers. And again, these are, over there, enterprise-class multifunction devices slash printers.

Well, and that's it for today. Thanks for listening. A little bit shorter today. Just too cold here for the full five minutes. So thanks and talk to you again tomorrow. Bye.
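As an added example (not part of the podcast or the ISC diary), here is a small POSIX shell audit that puts the attack-surface advice above into a check: it takes `ss`-style listening-socket lines, keeps only sockets bound to all interfaces, and flags any that are not the one SSH service and the one VPN you chose to expose. The sample `ss` output and the allowlist (tcp/22 for SSH, udp/51820 for WireGuard) are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `ss -tulnH` output (Netid State Recv-Q Send-Q Local Peer).
# Not captured from a real device.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:51820   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:8443  0.0.0.0:*
tcp   LISTEN 0 128 [::]:1194       [::]:*
tcp   LISTEN 0 128 0.0.0.0:8080    0.0.0.0:*'

# Allowlist of proto/port pairs that may listen on every interface.
# Assumption: SSH on tcp/22 and a single VPN, WireGuard on udp/51820.
ALLOWED="tcp/22 udp/51820"

# Reads ss-style lines on stdin; prints one "proto/port" per socket that is
# bound to a wildcard address (0.0.0.0, [::] or *) and not in ALLOWED.
# Loopback-only services (127.0.0.1:8443 above) are not reachable from the
# network and are therefore ignored.
find_exposed() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
        proto = $1; local = $5
        port = local; sub(/.*:/, "", port)        # text after the last colon
        addr = local; sub(/:[^:]*$/, "", addr)    # text before the last colon
        if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
        key = proto "/" port
        if (!(key in ok)) print key
    }'
}

# Convenience wrapper: exit status 1 when anything unexpected is exposed,
# so it can gate a deploy or a cron-based check.
check_exposed() {
    found=$(find_exposed)
    if [ -n "$found" ]; then
        printf 'exposed service not on allowlist: %s\n' $found >&2
        return 1
    fi
    return 0
}

# Run against the constructed sample; on a real device pipe `ss -tulnH` instead.
printf '%s\n' "$SAMPLE_SS" | check_exposed || echo "review the services listed above"
```

Expected on the sample: tcp/443, tcp/1194 and tcp/8080 are reported, while tcp/22, udp/51820 and the loopback-only 8443 pass.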