SANS Stormcast Wednesday, January 7th, 2026: Tailsnitch Review; D-Link DSL EoL Vuln; TOTOLINK Unpatched Vuln

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9756.mp3


Tool Review: Tailsnitch
Tailsnitch is a tool to audit your Tailscale configuration. It does a comprehensive analysis of your configuration and suggests (or even applies) fixes.
https://isc.sans.edu/diary/Tool%20Review%3A%20Tailsnitch/32602

D-Link DSL Command Injection via DNS Configuration Endpoint
A new vulnerability in very old D-Link DSL modems is currently being exploited.
https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint
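The bug class behind this advisory, a configuration handler that passes request values to the OS shell, shown beside a hardened version that validates each value as an IP address and writes the file in-process. This is a constructed illustration added here, not code from the D-Link firmware or the advisory; the function names and the RFC 5737/3849 documentation addresses are assumptions.

```python
import ipaddress

# Constructed example of the vulnerable pattern: request parameters are
# interpolated straight into a shell command line. Any shell metacharacter
# in the value becomes part of the command. Returned, not executed, here.
def render_dns_command_unsafe(primary: str, secondary: str) -> str:
    """Return the shell command the vulnerable pattern would run."""
    return (f"echo 'nameserver {primary}\\nnameserver {secondary}'"
            " > /etc/resolv.conf")


def parse_dns_servers(primary: str, secondary: str = "") -> list[str]:
    """Accept only values that parse as IPv4/IPv6 addresses.

    ipaddress.ip_address() rejects anything with spaces, separators or
    other shell-relevant characters, so nothing untrusted reaches the OS.
    """
    servers = []
    for raw in (primary, secondary):
        if not raw:
            continue  # secondary server is optional
        try:
            servers.append(str(ipaddress.ip_address(raw.strip())))
        except ValueError:
            raise ValueError(f"rejected DNS server value: {raw!r}") from None
    if not servers:
        raise ValueError("at least one DNS server is required")
    return servers


def build_resolv_conf(primary: str, secondary: str = "") -> str:
    """Hardened path: validated values, file content built in-process,
    no shell involved. The caller writes this string to the config file."""
    return "".join(f"nameserver {s}\n"
                   for s in parse_dns_servers(primary, secondary))


def contains_shell_metachars(command: str) -> bool:
    """Small check used to show what the unsafe path lets through."""
    return any(ch in command for ch in ";|&`$()\n")


if __name__ == "__main__":
    # Documentation addresses (RFC 5737 / RFC 3849), constructed input.
    print(build_resolv_conf("192.0.2.53", "2001:db8::53"))
```

The unsafe renderer is kept only to contrast the two paths; in a real handler the validated builder replaces it entirely.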


TOTOLINK EX200 firmware-upload error handling can activate an unauthenticated root telnet service
TOTOLINK extenders may start a telnet server and allow unauthenticated access if a firmware update fails.
https://kb.cert.org/vuls/id/295169

Podcast Transcript

Hello and welcome to the Wednesday, January 7th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Master's Degree Program in Information Security Engineering.

Yesterday, I briefly mentioned the tool TailSnitch. I just came across it yesterday and I thought it was interesting in particular, since yesterday I talked sort of about KVMs, the remote access that often uses TailScale VPNs. Well, today I took a little bit of time to look closer at TailSnitch and it's a pretty impressive and useful tool. So the goal of TailSnitch is to audit your TailScale configuration. TailScale itself is a pretty solid system as far as VPNs go, but of course a lot of it also depends on how you configure it. And TailSnitch will point out some of the possible misconfigurations that you're running into. And yes, it does this very well. It's very comprehensive, the tool. In my case, it found two systems that I had that had an old version of TailScale running. So basically, auto update wasn't configured correctly. Fixed that, and that's something nice to point out. It also points out things like, for example, access tokens that you issued and set to not expire. In my case, I intentionally did it that way. Overall, what I also find is that the severity levels it assigns, I think, are rather reasonable. A lot of tools like this tend to sort of, you know, a little bit overhype kind of some of the configuration issues that they're detecting. I haven't really seen this so far here in TailSnitch. It's also easy to install the tool. It comes as a binary, but you can also build it from source. It's written in Go. It's open source and free. And yes, certainly valuable if you're running TailScale to occasionally use this tool. There are two modes you can run it in. You can run it sort of in a detection-only mode. And that's what I did. In this case, it only needs read access to your configuration. There is an automatic fix option that I didn't play with. I was a little bit too scared for it to sort of mess up my network. But for a smaller network, I don't think it's really necessary to use the automatic fix option. It's probably better just to note the couple of issues it finds and manually address them.

And then we do have a new vulnerability in very old equipment: D-Link DSL modems, some of them haven't been supported since 2013. And a new vulnerability in those modems is now being exploited. The target here is the DNS configuration script, dnscfg.cgi. This has been a target of prior attacks. I looked through our database and we did have plenty of attacks going back sort of to the 2010s kind of that tried to attempt to change the DNS configuration. This was a known issue where basically changing the DNS configuration did not require authentication. That has been fixed. However, these new flaws, of course, given how old these devices are, will not be fixed. And these are code execution vulnerabilities. Very classic problem here where you have these scripts that update configuration files. If you aren't careful, well, then that can lead to OS command injection, and with that to command execution on the vulnerable device. This is certainly one of those things where you must replace the device. Given how old they are, I'm surprised they're still around. They're still working. If you really love the device, for some of them you can actually get OpenWrt, and with that sort of install an up-to-date firmware on the device.

And talking about end-of-life devices with new vulnerabilities: the next one we have here is the TOTOLink EX200 extender. This particular device suffers from an interesting vulnerability where an interrupted firmware update may actually trigger a Telnet server being started without authentication. I can see this sort of as a fail-safe feature where, in case your firmware update fails, it starts up that Telnet server to allow you to fix any problems. It's not clear how easily this particular behavior is triggered inadvertently. But certainly one of those things that you want to check is, hey, is there a Telnet server running on my devices? A simple port scan of your network probably will tell you that pretty easily. No patches available for this. It doesn't appear that these devices are actually officially end-of-life. However, the last update released was in 2023. So with that, two plus years ago, I would probably call this device end-of-life at this point.

Well, and this is it for today. So thanks for listening and thanks for liking. Thanks for subscribing. Remember, I do have that challenge. If you find mistakes in the podcast, let me know and I'll send you a sticker. So thanks and talk to you again tomorrow. Bye. Bye. Bye. Bye. Bye.