SANS Stormcast Friday, June 6th, 2025: Fake Zoom Clients; Python tarfile vulnerability; HPE Insight Remote Support Patch

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9482.mp3


Be Careful With Fake Zoom Client Downloads
Miscreants are tricking victims into downloading fake Zoom clients (and likely other meeting software) by first sending them fake meeting invites that direct victims to a page that offers malware for download as an “update” to the Zoom client.
https://isc.sans.edu/diary/Be%20Careful%20With%20Fake%20Zoom%20Client%20Downloads/32014

Python tarfile Vulnerability
Recently, the Python tarfile module introduced a “filter” option to help mitigate some of the insecure behavior common to software unpacking archives. This filter is, however, not working quite as well as it should.
https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/

Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability
HP fixed, among other vulnerabilities, a critical remote code execution vulnerability in Insight Remote Support (IRS).
https://www.zerodayinitiative.com/advisories/ZDI-25-325/

Podcast Transcript

Hello and welcome to the Friday, June 6, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering, is recorded in Jacksonville, Florida.

Well, in Diaries today we have an interesting one from Xavier who ran into a, well, a scam involving Zoom in this case. The scam arrived as an email. The email was a fake invite for a Zoom meeting. Now, that overall looked legit, has the right layout, right format. And then if you click on the link to join the actual meeting, you'll be greeted with, well, an update notice that your Zoom client is out of date and you need to update it. That's something like this I've definitely seen in other online meeting software where you try to join a meeting, you haven't used a particular client in a while because there are so many of them out there, that you're presented with a notice like this that you should update your client. And that would be certainly something that a user could easily fall for, in particular if you sort of created that urgency of having to join this meeting right now, not really being able to wait, just want to get started, want to download that client and get going. Interesting scam here. Certainly something to probably throw into some kind of awareness presentation.

Well, and then we have a new vulnerability in the Python tarfile module. That module has had issues in the past and there are some fundamental problems whenever you are trying to extract files from something like a tar file or a zip file. And that's usually related to the fact that you may create arbitrary files, additional directories that you don't necessarily intend or want to have created. Now, in the past, there has been a little bit forth and back between the maintainer of the tarfile module and users, how much it's the responsibility of the tarfile module, or how much it is the user, basically how they're using this module, who is to blame for any security issues around this. Well, in Python 3.12, they added actually a new parameter called filter. And that basically constrains a little bit more what can happen with a tar file as it's being untarred. First of all, you have the option of fully trusted. That's kind of the old behavior where basically any file is being created, the permissions are being set and the like, essentially just like you're running the tar command on the command line. And then you have the tar feature here, the tar filter, and it will only honor tar specific filters. And then finally, you do have the data filter. That's sort of the more interesting one here. It allows you to extract any data, any files, but it does not adjust permissions. And with that, for example, it would evade some of the privilege escalation issues. Well, the problem is that apparently these particular features haven't been working correctly. And as a result, it did actually set permissions, even if you set the data filter. And well, that is also the default in the Python 3.14 version. So update Python. And as usual, always be careful when you are extracting files like tar, zip, or any kind of compound file like this.

And then we got updates from HP, HP Enterprise, Insight Remote Support. This software suffers from a directory traversal that can then be leading to a remote code execution vulnerability. The vulnerability was originally identified by the Zero Day Initiative. I'll link in the show notes to the Zero Day Initiative description because it's a bit more specific than what HP put out. But essentially, an unauthenticated hacker is able to execute code as system.

Well, that's it for today. And for those of you wondering, well, I'm mentioning all these graduate certificates and such lately at the beginning of each podcast. I just want to point out that sans.edu is actually an accredited college. And as part of this, we're offering master's degrees, bachelor's degrees, but we're also offering various certificate programs. Certificate programs are usually three, four different classes that you get at a substantial discount. Everything includes certifications. So you not only get the credit certificate, you also get the individual GIAC certifications. That's it for today. Thanks for listening and talk to you again on Monday. Bye.