
SANS Stormcast Friday, March 13th, 2026: IOT Device Discovery; Apple Patches; Veeam Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9848.mp3


Podcast Transcript

Hello and welcome to the Friday, March 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cybersecurity leadership.

Well, and today we have another guest diary by one of our undergraduate interns. This time it's Adam Thorman talking about, well, detects to the honeypot. Yet again, SSH logins with default passwords, something attackers are finding very, very useful and successful. I mentioned it earlier this week with some of the attacks against webcams and such in connection with the military action in Iran. But overall, this is something that video organizations must get control over. And I think the biggest problem, particularly for these very simple issues, is sort of uncontrolled deployments of often consumer IoT devices. And well, in this example here, Adam talks about fingerprinting and how to discover some of these devices.

And yes, Apple did it again. Apple released updates for fairly old iOS devices and iPads. This is going back to the iPhone 6s, which was released in 2015. So it's been about 10 years now that this device has been out. Now, the reason for the release of these two updates, one for iOS 15 and then another one for iOS 16, is that some of the vulnerabilities being patched here have been exploited in the Coruna activity. And that's essentially malware, spyware that has been deployed by more sophisticated and government-associated actors. The iOS 15 patch fixes four different vulnerabilities, one kernel vulnerability and then three WebKit vulnerabilities. The iOS 16 update only patches one WebKit vulnerability. So if you still have one of those old devices around, please update. As we have seen in the past, some of these more sophisticated vulnerabilities and exploits are sort of trickling down over the years. And this is not a terribly new vulnerability. It has been exploited as early as September 2023. So at this point it's already sort of a two and a half year old vulnerability.

And Veeam released an update for its backup and replication suite. This particular update fixes five vulnerabilities, three of which are rated critical and two are rated high. It affects version 12 of Veeam Backup and Replication. Among the critical vulnerabilities, there are two that do allow remote code execution on the backup server. However, they do require an authenticated domain user, but then again, only a domain user. So no specific role is required here. The third critical vulnerability is also a remote code execution vulnerability. It requires the backup viewer role in order to take advantage of this vulnerability. And then remote code execution happens as the Postgres user, which makes me believe that this is probably some form of SQL injection fault here that is exploitable. So definitely get them updated. Like I said, yes, it requires authentication, but the actual authentication you need is not really that much of a threshold here. You really need just some domain user's credentials, which usually are obtainable.

And then we have one more remote code execution vulnerability that does require authentication, this time in Splunk. Now, this particular vulnerability does require a higher privileged role. It does require the edit command capability. This is one of those things where you probably want to review whether or not all the users that actually have that capability assigned actually need it. And then it's roughly straightforward by using the unarchive command parameter in the preview REST endpoint in order to execute arbitrary commands. This is sort of a typical issue where you are able to basically provide some command to preprocess a file, like in this case here for the preview capability, like, for example, you know, decompress. But then it's always difficult to constrain what actual unarchive commands you are allowing in this particular case.

Well, and this is it for today. So thanks again for listening. Thanks for liking and thanks for subscribing to this podcast. And as always, thanks for listening and talk to you again on Monday. Bye.