
SANS Stormcast Friday, August 22nd, 2025: The -n switch; Commvault Exploit; Docker Desktop Escape Vuln;



Don't Forget The "-n" Command Line Switch
Disabling reverse DNS lookups for IP addresses matters not just for performance but also for opsec: a PTR query for an attacker-controlled address is answered by a name server the attacker may run, so the lookup itself tells them someone is looking. Xavier explains some of the risks.
https://isc.sans.edu/diary/Don%27t%20Forget%20The%20%22-n%22%20Command%20Line%20Switch/32220
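The safer alternative to live reverse lookups is the one Wireshark takes: label addresses only from DNS answers that were already in the capture, at the time they were captured. The following is an added example (not code from the ISC diary or from any of the tools mentioned) that parses a DNS response, follows RFC 1035 name-compression pointers, and builds an IP-to-hostname table from the A records; `label()` then annotates addresses from that table only and never calls `socket.gethostbyaddr()`, so nothing reaches the attacker's authoritative server. The response bytes are constructed inline for the example and are not a real capture.

```python
"""Build an IP -> hostname table from DNS answers already in a capture.

Added example, not part of the ISC diary or of tcpdump/tshark/Wireshark.
The sample response below is constructed by hand; it is not real traffic.
"""
import struct


def read_name(msg: bytes, offset: int):
    """Decode a DNS name at `offset`, following compression pointers.

    Returns (dotted_name, offset_just_past_the_name_in_the_original_stream).
    """
    labels = []
    end = None          # set when we first follow a pointer
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:                    # malformed packet: pointer loop
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                      # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def a_records(msg: bytes):
    """Yield (name, ipv4) for every A record in the answer section of a response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:                   # QR bit clear: a query, nothing to learn
        return
    off = 12
    for _ in range(qdcount):                 # skip the question section
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A / IN
            yield name, ".".join(str(b) for b in rdata)


def build_table(responses):
    """Map each answered IPv4 address to the set of names it was returned for."""
    table = {}
    for msg in responses:
        for name, ip in a_records(msg):
            table.setdefault(ip, set()).add(name)
    return table


def label(ip: str, table: dict) -> str:
    """Annotate an address from the capture-derived table only.

    Deliberately never calls socket.gethostbyaddr(): an address the capture
    did not resolve stays numeric instead of triggering a PTR query.
    """
    names = table.get(ip)
    return f"{ip} ({', '.join(sorted(names))})" if names else ip


def _build_sample_response() -> bytes:
    """Constructed response: c2.example.net and www.example.net, two A records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR=1, RD/RA
    qname = b"\x02c2\x07example\x03net\x00"
    question = qname + struct.pack("!HH", 1, 1)                    # A, IN
    # answer 1: owner name is a pointer to offset 12 (the question name)
    ans1 = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    # answer 2: "www" + pointer to "example.net", which starts at offset 15
    ans2 = b"\x03www\xc0\x0f" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 20])
    return header + question + ans1 + ans2


SAMPLE_RESPONSES = [_build_sample_response()]   # constructed, not captured


if __name__ == "__main__":
    table = build_table(SAMPLE_RESPONSES)
    for addr in ("203.0.113.10", "203.0.113.20", "198.51.100.1"):
        print(label(addr, table))
```

In practice the responses would come from the UDP/53 packets in the same pcap the report is being written from; the point is that every name shown was observed at capture time, and an address the capture never resolved is printed as-is rather than looked up later against infrastructure the attacker controls.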

watchTowr releases details about recent Commvault flaws
Users of the Commvault enterprise backup solution must patch now: watchTowr has released details of recent vulnerabilities that chain to pre-authentication remote code execution.
https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/?123

Docker Desktop Vulnerability CVE-2025-9074
A vulnerability in Docker Desktop allows code running inside a container to escape and attack the host.
https://docs.docker.com/desktop/release-notes/#4443

Podcast Transcript

Hello and welcome to the Friday, August 22, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Baltimore, Maryland. And this episode is brought to you by the SANS.edu graduate certificate program in incident response.

Well, today's diary by Xavier actually is just about a topic that I covered today in class. And that's the use of the -n switch in many, many packet utilities like tcpdump, tshark and the like. It's one of those few cases that the switch is actually fairly standardized. And that switch -n typically means that any IP addresses are not reversed or resolved. Oddly enough, tcpdump does it by default without the -n switch, which of course is risky from an OPSEC point of view, because the attacker will often receive these requests because they're in charge of the IP address space from which the request originates. So they may actually have access to the authoritative name server for that particular subnet. I personally actually like the Wireshark solution best. Wireshark is able to parse the packet capture for any DNS requests that were already captured and use them to basically build a lookup table for IP addresses and host names. That's actually quite neat, because it also does it then at the time the packet capture was collected, not days later or weeks later when of course these relationships may have changed. So keep that in mind. -n, important switch for many, many tools, and Xavier is going into a little bit more detail about which tools are covered here and also about some of the risks that you are exposing yourself to if you're not using the -n switch.

Well, for users of Commvault, your data resilience solution may not be as secure or resilient as the vendor would have you believe. watchTowr has a great write-up in its usual somewhat funny and tongue-in-cheek style showing how several new vulnerabilities can be used to essentially compromise this product. Some interesting things, like for example command injection in the login process, can be used to bypass authentication, and then additional vulnerabilities can later be used for arbitrary remote code execution. Interesting set of vulnerabilities. Definitely, if you're into developing sort of these complex web applications, some good lessons to learn from these particular mistakes. So definitely take a look at that if you are developing authentication processes and such. Even if you're not a Commvault user, it's just better to learn from someone else's mistakes than making them yourself. And for everybody using Commvault, well, better patch and patch quickly.

And Docker released a new version of Docker Desktop fixing a critical vulnerability in Docker Desktop. This vulnerability could allow container escape, where an attacker who's running code inside a container could use the access to actually then attack the host the container is running on. Again, this depends on also using Docker Desktop, and of course, as usual, it's particularly important for people using containers for malware analysis or even for doing things like, for example, sanitizing any files before they're being used and relying on the container to actually provide some additional security.

Well, and that's it for today. So thanks for listening. Thanks for liking and recommending this podcast. Thanks for subscribing, and talk to you again on Monday. Bye.