
SANS Stormcast Wednesday, November 12th, 2025: Microsoft Patch Tuesday; Gladinet Triofox Vulnerability; SAP Patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9696.mp3




Microsoft Patch Tuesday for November 2025
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+for+November+2025/32468/

Gladinet Triofox Vulnerability
Triofox uses the “host” header in lieu of proper access control, allowing an attacker to access the page managing administrators by simply setting the host header to localhost.
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/
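As an added illustration (not Triofox's code and not taken from the Mandiant write-up), the pattern described above is shown beside an authorization check that does not depend on the Host header, plus a small audit that flags the mismatch a defender can look for in access logs that record both the Host header and the socket peer address. The request shape, the admin path and the addresses are assumptions constructed for the example.

```python
# Added example (not Triofox's code): the "trust the request if Host says
# localhost" pattern beside a proper access check, plus a small audit that
# flags requests whose Host header claims loopback while the TCP peer is not.
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

LOCAL_ALIASES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape, not a real framework)."""
    path: str
    headers: dict = field(default_factory=dict)   # client-supplied, attacker-controlled
    remote_addr: str = "0.0.0.0"                  # peer address taken from the TCP socket
    session_user: Optional[str] = None            # set only after real authentication


def host_header_name(req: Request) -> str:
    """Host header without port, lower-cased; empty string if absent."""
    host = req.headers.get("Host", "")
    if host.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:8080
        return host[1:host.find("]")].lower()
    return host.split(":", 1)[0].lower()


def admin_allowed_vulnerable(req: Request) -> bool:
    """The flawed pattern: a client-controlled header stands in for authorization."""
    return host_header_name(req) in LOCAL_ALIASES


def admin_allowed_hardened(req: Request, admins: set) -> bool:
    """Authorization that ignores Host entirely: an authenticated session in the admin set."""
    return req.session_user is not None and req.session_user in admins


def spoofed_localhost(req: Request) -> bool:
    """Detection signal: Host claims loopback but the socket peer is not a loopback address."""
    return host_header_name(req) in LOCAL_ALIASES and not ip_address(req.remote_addr).is_loopback


def audit(requests: list) -> list:
    """Return 'remote_addr path' for every request with a spoofed loopback Host."""
    return [f"{r.remote_addr} {r.path}" for r in requests if spoofed_localhost(r)]


# Constructed sample traffic; the admin path and the addresses are placeholders.
SAMPLE = [
    Request("/admin/users", {"Host": "localhost"}, "203.0.113.7"),             # spoofed, no session
    Request("/admin/users", {"Host": "files.example.test"}, "203.0.113.7", "alice"),
    Request("/admin/users", {"Host": "[::1]:8080"}, "::1", "admin"),           # genuine local, real admin
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.remote_addr, admin_allowed_vulnerable(r), admin_allowed_hardened(r, {"admin"}))
    print(audit(SAMPLE))
```

The first sample request passes the vulnerable check with no session at all, which is exactly the bypass the show note describes; the hardened check never consults Host. The audit is only a log-review aid: behind a reverse proxy or on a shared host even a genuine loopback peer address says nothing about who sent the request, so network locality should not be an authorization signal in either form.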

SAP November 2025 Patch Day
SAP fixed a critical vulnerability: default credentials in its SQL Anywhere Monitor.
https://onapsis.com/blog/sap-security-patch-day-november-2025/

Ivanti Endpoint Manager Updates
https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2025-for-EPM-2024?language=en_US

Podcast Transcript

Hello and welcome to the Wednesday, November 12, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations.

And of course, today we have to start with Microsoft's Patch Tuesday. Microsoft patched, according to our count, 80 different vulnerabilities. Seen others come up with 60-something vulnerabilities. Again, that all depends on what exactly you're counting here, if some of the Edge vulnerabilities that are really Chromium vulnerabilities are being included or not. But either way, we got one vulnerability that is actually actively being exploited and five that Microsoft rated critical. So first, let's start with the actively exploited vulnerability. That's actually just an important vulnerability. It's a privilege escalation vulnerability in the Windows kernel. We had plenty of them before, so I wouldn't really get too overly excited about them. They're usually parts of more complex attack chains. But by themselves, these vulnerabilities, because we had so many of them in the past, are relatively straightforward to exploit for an attacker. Looking at some of the critical vulnerabilities, we do have a remote code execution vulnerability in GDI+. The reason I emphasize this one in particular is because pretty much any image being rendered at some point goes through GDI+. So there's a huge attack surface here. And this is definitely a vulnerability that you need to watch. There was also a second, a little bit similar vulnerability, a DirectX vulnerability that Microsoft calls a privilege escalation issue, but still rates it as critical, which is a little bit unusual. Usually privilege escalation is important, but of course, it all depends on the details. We also got critical vulnerabilities in Microsoft Office. Again, big attack surface here. So definitely a vulnerability to watch. Overall, this Patch Tuesday was, I think, a little bit lighter than sort of an average Patch Tuesday, even though we did have, yes, a zero-day. But like I said, it's not really, to me at least, an exciting zero-day. And I would suggest you just apply these patches according to your vulnerability management procedure. Don't do anything special here. There's no reason to rush it out, which of course always has its own risks associated with it.

But then let's talk a little bit about vulnerabilities that excite me a little bit more. And one of them is in Gladinet's TrioFox file sharing and remote admin tool. This tool was found to be vulnerable during an incident response that Mandiant conducted. So this is an already exploited vulnerability. The big issue here is that this TrioFox server includes code that will consider all code or all requests as trusted if the host name is localhost. So this is a pretty stupid decision, of course. And yet again, one of those cases where headers are being trusted that never should be trusted because they come from users. And we all know all users are evil. Using this spoofed host header, an attacker is able to access the admin database page. This page then allows them to add themselves as an administrator to the system. Once they're an administrator, they're able to reconfigure the antivirus setup for TrioFox. Nice. They actually have an antivirus feature built in, and it allows an administrator to basically pick different antivirus engines and also upload their own binary to act sort of as an antivirus scanner. So the attacker now uploads a binary, then configures it as an antivirus scanner, which will mean they now have arbitrary code execution on the system. So interesting exploit chain, but really the fundamental vulnerability is not that the administrator can run code. That's a feature and that's a legitimate feature here. But the problem is that they are just simply trusting the host header, which never should be trusted.

And talking about miscellaneous vulnerabilities, well, we got updates for Ivanti Endpoint Manager, friend of the show, which doesn't disappoint here with a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution by enabling arbitrary file writes. There is user interaction required here, which is why this does not get us the complete 10.0 CVSS score, but only 8.8. Essentially, the attacker needs to trick the user into doing a malicious file import here in order for the attack to work. Not sure how you would trick this, not familiar enough with this product to really know how to exploit this vulnerability, but typically some kind of phishing email or something like this, some social engineering, maybe all that's needed here in order to get full access to your Ivanti Endpoint Manager.

Well, and this is it for today. So thanks again for listening. Thanks for liking. Thanks for subscribing to this podcast. I think on YouTube we just hit now 5,000 subscribers. So people are looking at the video version as well. Thanks for that. And talk to you again tomorrow. Bye.
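The Ivanti issue discussed in the transcript is a path traversal in a file import that turns into an arbitrary file write. As an added example that is not Ivanti's code and says nothing about how their endpoint works internally, this is the general validation an import endpoint needs before it writes a client-named file: reject absolute paths and drive or UNC prefixes, resolve the name under the intended base directory, and refuse anything that lands outside it. The base directory and the sample names are constructed for the example.

```python
# Added example (not Ivanti's code): validating a client-supplied file name
# from an "import" feature so it can only land inside the intended directory.
from __future__ import annotations
from pathlib import Path

IMPORT_DIR = "/var/lib/example-app/imports"   # assumed base directory, placeholder


class UnsafePath(ValueError):
    """Raised for any name that must not be written."""


def resolve_import_target(base_dir: str, client_name: str) -> Path:
    """Return the absolute destination for client_name, or raise UnsafePath.

    client_name is whatever the framework handed us after URL decoding; the
    checks run on that decoded string, so decode once and only before this.
    """
    if not client_name or "\x00" in client_name:
        raise UnsafePath("empty name or embedded NUL")
    name = client_name.replace("\\", "/")             # treat backslash as a separator too
    first = name.split("/", 1)[0]
    if name.startswith("/") or ":" in first:           # /abs, //server/share, \\?\..., C:...
        raise UnsafePath("absolute path or drive/UNC prefix")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()                   # collapses '..' and follows symlinks
    if target == base:
        raise UnsafePath("name resolves to the import directory itself")
    if base not in target.parents:
        raise UnsafePath(f"escapes {base}: {client_name!r}")
    return target


def classify(base_dir: str, names: list) -> dict:
    """Map each file name to 'ok' or 'rejected' for a quick audit of the check."""
    out = {}
    for n in names:
        try:
            resolve_import_target(base_dir, n)
            out[n] = "ok"
        except UnsafePath:
            out[n] = "rejected"
    return out


# Constructed sample names as an import endpoint might receive them.
SAMPLE_NAMES = [
    "report.csv",
    "2025/q4/report.csv",
    "../../../etc/cron.d/job",
    "..\\..\\windows\\system32\\evil.dll",
    "/etc/passwd",
    "C:/Windows/evil.dll",
    "safe/../report.csv",
]

if __name__ == "__main__":
    for name, verdict in classify(IMPORT_DIR, SAMPLE_NAMES).items():
        print(f"{verdict:8} {name!r}")
```

Resolving the joined path rather than pattern-matching on `..` is what makes the check hold up: `safe/../report.csv` is accepted because it still lands inside the base directory, while every variant that climbs out of it, on either separator, is rejected. Because resolution also follows symlinks, a link planted inside the import directory cannot redirect a write outside it either.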