
SANS Stormcast Friday, June 5th, 2026: Coreutils for Windows; Cisco Unified Comm Manager Fix and Exploit; OAuth Orphans

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9960.mp3


Microsoft's Coreutils for Windows
https://isc.sans.edu/diary/Microsoft%27s%20Coreutils%20for%20Windows/33048

Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability CVE-2026-20230
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW

Firmware Update for Acer Connect W6x Router
https://community.acer.com/en/kb/articles/19672

OAuth marketplace apps keep access after publishers vanish
https://www.helpnetsecurity.com/2026/06/04/oauth-marketplace-apps-audit/

My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich

Podcast Transcript

Hello and welcome to the Friday, June 5th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in incident response.

Well, today's diary is not sort of a core security topic, but well, it's about Microsoft's Coreutils for Windows. And that's a utility that's probably quite useful for many of you if you're used to the Unix command line and all of the little tools that usually come with that. Well, Windows now does have the same commands available thanks to Microsoft releasing Coreutils. Now, the approach they're taking here is a little bit like what you often see with BusyBox, that's like often used on an IoT device and such, but you have one binary, but then with symlinks, you can call it under multiple names. And depending on what name you use, well, it behaves differently. It basically then emulates whatever command you're trying to execute. That of course also has the advantage, with just one binary, it's a little bit easier to manage this. This binary is, of course, properly signed, which is another nice advantage over, for example, some of the open source solutions and such that are a bit more difficult to validate. So give it a spin and, well, let us know how you made use of these utilities.

And Cisco yesterday released a noteworthy patch for a critical vulnerability in Cisco's Unified Communications Manager. This is a server-side request forgery vulnerability. What it essentially allows you to do is use the server as a proxy in this particular case. This will then allow you to write arbitrary files. In writing arbitrary files, you'll be able to do things like dropping web shells and the like, and essentially escalate privileges in the system. You must be authenticated. That's why the CVSS score is only 8.6. But any user with access should work. Oh, and an exploit has already been made public for this vulnerability.

And Acer released an update for its Connect series of routers. Well, there are two vulnerabilities in particular that are somewhat concerning here. First of all, an authentication protocol verification issue that allows essentially bypassing of authentication checks. It talks here about some mishandling of HTTP authorization headers. Not 100% sure how this will be exploitable, but once people have done the diffing of their firmware, it'll probably be pretty obvious what went wrong here. So that particular vulnerability certainly is of concern. The second CVSS score 10 vulnerability is an MQTT payload sanitization issue. Not sure how this is exactly exposed here in this particular router, but in particular, if MQTT can be directly reached, or maybe some messages being sent to the router will then be passed on to MQTT, well, in that case, this is again also a quite concerning vulnerability as it does allow arbitrary code execution. So get your routers patched. And just a reminder, even if you don't run an Acer router, well, just double check your particular router and make sure its firmware is up to date. Something that you probably should do at least once a month.

And Help Net Security has a good article summarizing research done by Offroad, an identity management company. They call their report OhAuth, where O is spelled with O-H. So you can see that the O-H. But what it's really about is that once you give permissions via OAuth to a particular application, those permissions typically persist. And you have at that point then little control really over those permissions, in particular if the company itself ceases to exist. And then assets like domains and other assets that identify the company may become freely open for resale. And with the popularity of OAuth, that of course is sort of a bigger and bigger problem. The issue with OAuth overall isn't so much the technology behind it. It uses very sophisticated and nicely done sort of cryptography for everything. But there are a lot of sort of usability issues around OAuth where users often don't necessarily realize what the particular OAuth authorization that they're handing out here actually means. And that has been a problem in the past. And of course, as there are more and more applications using OAuth and more and more of the companies that requested these authorizations are then going out of business, this is likely going to be a bigger and bigger problem. In particular, and that's I guess sort of where the commercial part of Offroad here comes in, where it's difficult, and in particular for an enterprise, to actually inventory and catalog all of these OAuth grants. Which are really the same thing as, you know, API keys and other authentication tokens that must be somehow controlled and inventoried.

Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for subscribing. And talk to you again on Monday. Bye.
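The single-binary, many-names approach the episode attributes to Coreutils for Windows and BusyBox, as an added example that is not code from Microsoft, BusyBox or the ISC diary: a minimal multi-call binary in C that dispatches on the name it was invoked as. The applet set, the 64-byte name buffer and the ".exe" stripping are assumptions made for this illustration.

```c
/* Added example (not Microsoft's Coreutils or BusyBox code): a minimal multi-call
 * binary. One executable is linked under several names and picks its behaviour from
 * the name it was invoked as (argv[0]), the BusyBox-style approach the episode describes.
 * Defensive note: argv[0] is supplied by whoever launches the process, so the applet
 * table is a closed allowlist and nothing here grants privileges based on that name. */
#include <stdio.h>
#include <string.h>

/* Reduce argv[0] to the applet name: drop directory components ('/' or '\\', since the
 * Windows build is the topic) and an optional ".exe" suffix. Static buffer, not thread-safe. */
const char *applet_name(const char *argv0) {
    static char name[64];
    const char *base = argv0;
    for (const char *p = argv0; *p; p++)
        if (*p == '/' || *p == '\\') base = p + 1;
    size_t n = strlen(base);
    if (n >= 4 && strcmp(base + n - 4, ".exe") == 0) n -= 4;
    if (n >= sizeof name) n = sizeof name - 1;
    memcpy(name, base, n);
    name[n] = '\0';
    return name;
}

/* Applets: each emulates the command of the same name and returns its exit status. */
static int applet_true(int argc, char **argv) { (void)argc; (void)argv; return 0; }
static int applet_false(int argc, char **argv) { (void)argc; (void)argv; return 1; }
static int applet_echo(int argc, char **argv) {
    for (int i = 1; i < argc; i++) printf("%s%s", argv[i], i + 1 < argc ? " " : "");
    putchar('\n');
    return 0;
}
typedef int (*applet_fn)(int, char **);
static const struct { const char *name; applet_fn fn; } applets[] = {
    { "true", applet_true }, { "false", applet_false }, { "echo", applet_echo },
};

/* Dispatch on the applet name; -1 means the name is not in the allowlist. */
int run_applet(const char *name, int argc, char **argv) {
    for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++)
        if (strcmp(applets[i].name, name) == 0) return applets[i].fn(argc, argv);
    return -1;
}

/* Entry point: a symlink named "echo" pointing at this binary makes `echo` work. */
int main(int argc, char **argv) {
    const char *name = applet_name(argc > 0 ? argv[0] : "");
    int rc = run_applet(name, argc, argv);
    if (rc < 0) { fprintf(stderr, "%s: unknown applet\n", name); return 2; }
    return rc;
}
```

An unknown name fails closed with exit status 2 rather than falling through to any default behaviour.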