
SANS Stormcast Friday, July 18th, 2025: Extended File Attributes; Critical Cisco ISE Patch; VMware Patches; Quarterly Oracle Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9532.mp3


Hiding Payloads in Linux Extended File Attributes
Xavier today looked at ways to hide payloads on Linux, similar to how alternate data streams are used on Windows. Turns out that extended file attributes do the trick, and he presents some scripts to either hide data or find hidden data.
https://isc.sans.edu/diary/Hiding%20Payloads%20in%20Linux%20Extended%20File%20Attributes/32116
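Added example (not one of Xavier's diary scripts): a small defender-side triage tool that walks a directory tree, lists every extended attribute on every file, and flags attributes that are not on an allow-list of names a normal Linux system produces (POSIX ACLs, SELinux labels, file capabilities, the XDG "origin URL" mark-of-the-web attributes). It also applies a simple heuristic for values that look like Base64 chunks, since that is the encoding the diary describes. The allow-list and the `user.demo.chunk0` attribute name are assumptions made for this example; extend the allow-list for your own environment. Requires Linux, where Python's `os.listxattr`/`os.getxattr` are available.

```python
import base64
import binascii
import os
import tempfile

# Attribute names that commonly appear on a healthy Linux system (assumed
# allow-list for this example; extend it for your own environment).
EXPECTED_XATTRS = {
    "system.posix_acl_access",
    "system.posix_acl_default",
    "security.selinux",
    "security.capability",
    "user.xdg.origin.url",
    "user.xdg.referrer.url",
}


def classify_xattr(name: str) -> str:
    """Return 'expected' for well-known attribute names, 'review' otherwise."""
    return "expected" if name in EXPECTED_XATTRS else "review"


def looks_like_base64(value: bytes, min_len: int = 16) -> bool:
    """Heuristic: value is reasonably long, uses only the Base64 alphabet,
    and decodes cleanly (validate=True rejects stray characters/padding)."""
    stripped = value.strip()
    if len(stripped) < min_len:
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except (ValueError, binascii.Error):
        return False
    return True


def scan_tree(root: str) -> list:
    """Walk `root` and return one finding per (path, attribute) pair."""
    findings = []
    if not hasattr(os, "listxattr"):  # non-Linux Python build
        return findings
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            try:
                names = os.listxattr(path, follow_symlinks=False)
            except OSError:
                continue  # unsupported filesystem or permission denied
            for name in names:
                try:
                    value = os.getxattr(path, name, follow_symlinks=False)
                except OSError:
                    continue
                findings.append({
                    "path": path,
                    "name": name,
                    "size": len(value),
                    "verdict": classify_xattr(name),
                    "base64_like": looks_like_base64(value),
                    # Short preview so an analyst can eyeball the content
                    "preview": value[:48].decode("utf-8", errors="replace"),
                })
    return findings


def demo() -> list:
    """Create a temp file carrying one constructed user.* attribute and scan it.
    If the filesystem does not support user xattrs, the scan simply finds nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "notes.txt")
        with open(target, "wb") as fh:
            fh.write(b"ordinary file contents\n")
        if hasattr(os, "setxattr"):
            try:
                # Constructed sample value: Base64 of 15 'x' bytes
                os.setxattr(target, "user.demo.chunk0", b"eHh4eHh4eHh4eHh4eHh4")
            except OSError:
                pass
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        flag = "!" if f["verdict"] == "review" else " "
        print(f"{flag} {f['path']} {f['name']} ({f['size']} bytes) "
              f"b64={f['base64_like']} preview={f['preview']!r}")
```

Run it against a directory you care about by replacing `demo()` with `scan_tree("/path")`; lines marked `!` are attribute names outside the allow-list and deserve a look, and `b64=True` on a `review` entry is the combination the diary's hiding technique would produce.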

Cisco Patches Critical Identity Services Engine Flaw CVE-2025-20281, CVE-2025-20337, CVE-2025-20282
An unauthenticated user may execute arbitrary code as root across the network due to improperly validated data in Cisco’s Identity Services Engine.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

Oracle Critical Patch Update
Oracle patched 309 flaws across 111 products. 9 of these vulnerabilities have a critical CVSS score of 9.0 or higher.
https://www.oracle.com/security-alerts/cpujul2025.html

Broadcom releases VMware Updates
Broadcom fixed a number of vulnerabilities for ESXi, Workstation, Fusion, and Tools.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

Podcast Transcript

Hello and welcome to the Friday, July 18, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Washington, D.C. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.

Well, after spending maybe a little bit too much time with alternate data streams, Xavier decided to look at the Linux side of this particular problem and figure out how something similar can be done in Linux. Of course, Linux does not have alternate data streams, but it has something a little bit similar, extended attributes. Extended attributes can be used for things like Mark of the Web, just like in Windows with alternate data streams. It can also be used to, for example, encode POSIX ACLs, which is one of the probably more common uses of xattr or extended attributes. Xavier implemented a little script that can be used to take some data, then Base64 encode it and split it up across different files and append it as extended attributes. He also wrote a script to then retrieve the data again. So that's pretty much all you need to then hide data in extended attributes. Extended attributes can also be just searched for and that's another thing that Xavier wrote, a little script to find files with extended attributes. Basically, he lists the name of these extended attributes as well as the content to allow you to double check if, well, these are normal, like, for example, POSIX ACLs or if this may be some malware hiding data in this particular file.

And Cisco patched a critical vulnerability in its Identity Services Engine or ISE as well as ISE-PIC and this vulnerability allows an unauthenticated user to gain arbitrary code execution across the network as root. So it gets the full 10 out of 10 for a CVSS score. This vulnerability is related to the API that's implemented in the Identity Services Engine and, well, there's not a lot of detail available at this point but it just states that input to the API is not properly validated.

And Oracle released its quarterly critical patch update. This particular update fixed 309 different vulnerabilities. Apparently, nine of these are considered critical and we do have 144 that are considered at least high based on the CVSS score, being between 7.0 and 8.9. Now, it's a lot of vulnerabilities but it's also understood that this applies across the entire Oracle portfolio. There are about 111 affected products for these particular vulnerabilities. I sort of browsed through it a little bit. I saw quite a number of vulnerabilities like that are related, for example, to the Apache Beans library. The Beans utility library has had once in the past and what Oracle is doing here is just updating this component across its products. Also, some Apache Tomcat and Apache Mina vulnerabilities that are being addressed in this update. The issue with some of these open source vulnerabilities is that they have been around, they have been known for a while. So, Oracle is playing a little bit catch up here and it is very possible that there are already exploits under development or have been released for these vulnerabilities. They may just not have been adapted for these particular Oracle products. So, there is a chance that exploit development could happen pretty quickly.

And Broadcom released updates for its VMware portfolio. VMware ESXi, Workstation, Fusion, as well as VMware Tools are affected. Many of the vulnerabilities do allow VMware escape but do require that an attacker has administrative privileges on the affected virtual machine. These types of vulnerabilities are often of concern to malware reverse engineers that may run malware inside virtual machines. But, of course, this is also something an attacker could use to escalate privileges into lateral movement in any kind of corporate VMware setup.

Well, and this is it for today. So, thanks for listening. Thanks for subscribing. Thanks for leaving good comments for this podcast in your favorite podcast platform. And talk to you again on Monday. Bye.