SANS Stormcast Friday, July 11th, 2025: SSH Tunnel; FortiWeb SQL Injection; Ruckus Unpatched Vuln; Missing Motherboard Patches;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9522.mp3

SSH Tunneling in Action: direct-tcp requests
Attackers are compromising ssh servers to abuse them as relays. The attacker will configure port forwarding direct-tcp connections to forward traffic to a victim. In this particular case, the Yandex mail server was the primary victim of these attacks.
https://isc.sans.edu/diary/SSH%20Tunneling%20in%20Action%3A%20direct-tcp%20requests%20%5BGuest%20Diary%5D/32094
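The "direct-tcp" requests in the diary are SSH `direct-tcpip` channel-open messages (RFC 4254 section 7.2), in which the client names the host and port the compromised server should connect to on its behalf. The parser and relay check below are an added example written for this page, not code from the diary or from OpenSSH; the sample payload is constructed with the `build_direct_tcpip` helper, and the mail-port and local-host lists are assumptions chosen to match the Yandex mail relay pattern described above.

```python
import struct
from dataclasses import dataclass

SSH_MSG_CHANNEL_OPEN = 90            # RFC 4253 message number
MAIL_PORTS = {25, 465, 587}          # assumed: SMTP ports a spam relay would be asked to reach

@dataclass
class DirectTcpip:
    host: str            # destination the compromised server is asked to connect to
    port: int
    originator_ip: str   # supplied by the client, so not trustworthy
    originator_port: int

def _uint32(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated payload")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _string(buf: bytes, off: int):
    """SSH 'string' type: uint32 length followed by that many bytes."""
    n, off = _uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated payload")
    return buf[off:off + n], off + n

def parse_channel_open(payload: bytes):
    """Return a DirectTcpip for a direct-tcpip CHANNEL_OPEN; None for other channel types."""
    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not an SSH_MSG_CHANNEL_OPEN payload")
    ctype, off = _string(payload, 1)
    if ctype != b"direct-tcpip":
        return None                  # e.g. "session" or "x11": not a forward request
    off += 12                        # skip sender channel, initial window, max packet size
    host, off = _string(payload, off)
    port, off = _uint32(payload, off)
    orig_ip, off = _string(payload, off)
    orig_port, _ = _uint32(payload, off)
    return DirectTcpip(host.decode("utf-8", "replace"), port,
                       orig_ip.decode("utf-8", "replace"), orig_port)

def looks_like_mail_relay(req: DirectTcpip) -> bool:
    """The pattern from the diary: a forward from the compromised host to a remote SMTP port."""
    return req.port in MAIL_PORTS and req.host not in {"127.0.0.1", "::1", "localhost"}

def build_direct_tcpip(host: str, port: int, orig_ip: str = "10.0.0.5", orig_port: int = 51000) -> bytes:
    """Construct a sample payload for testing; this is not a captured packet."""
    s = lambda b: struct.pack(">I", len(b)) + b   # SSH string encoder
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + s(b"direct-tcpip") + struct.pack(">III", 0, 2097152, 32768)
            + s(host.encode()) + struct.pack(">I", port) + s(orig_ip.encode()) + struct.pack(">I", orig_port))
```

A honeypot or sshd that logs these fields can count forwards per source and destination port; the originator address is attacker-supplied and should be logged but never trusted.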
Fortiguard FortiWeb Unauthenticated SQL injection in GUI (CVE-2025-25257)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
https://www.fortiguard.com/psirt/FG-IR-25-151
Ruckus Virtual SmartZone (vSZ) and Ruckus Network Director (RND) contain multiple vulnerabilities
Ruckus products suffer from a number of critical vulnerabilities. There is no patch available, and users are advised to restrict access to the vulnerable admin interface.
https://kb.cert.org/vuls/id/613753
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Podcast Transcript
Hello and welcome to the Friday, July 11th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today's episode, which is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking, is recorded in Jacksonville, Florida.

In diaries today we have yet again one of our undergraduate interns with the SANS.edu BACS program write up an observation from a honeypot. This particular one comes from Sihui Neo, and it does show how attackers are abusing, well, OpenSSH servers. In this case, weak passwords are typically used in order to penetrate the SSH server, but the attacker here is actually kind of leaving the SSH server alone. It's only using the SSH server to then set up SSH tunnels to other systems. And in this particular case, one of the top targets that attackers were after was a mail server with Yandex, Yandex being a large Russian ISP which also operates a very large webmail system. So they're probably going to send some kind of spam to this particular mail server. This is a rather common technique: to use a compromised SSH server as a proxy, essentially, to forward requests, which obfuscates the actual source of the attack. Sometimes they can also be sort of daisy-chained, where you have multiple proxies like this in order to further obfuscate the actual source of the attack. In the past, even nation-state actors have sometimes used this technique via compromised home systems, home routers and the like, in order to, again, obfuscate their tracks. And yet another reason why usually country blocks and the like are not really helping against any of the little bit more sophisticated attackers.

And then, before I forget it again, I intended to cover this yesterday already, but, well, I didn't quite make it. FortiGuard released an advisory alerting its users of a critical vulnerability in the FortiWeb application. It's a SQL injection vulnerability, doesn't require any authentication to exploit, and provides the attacker with full access to the database. The CVSS score here is 9.6, underlining the criticality of this particular vulnerability. So please patch quickly. Haven't seen an exploit yet for it, but there may already be one out there. Haven't really looked that closely.

And then we also have an advisory for Ruckus Virtual SmartZone and Ruckus Network Director. That's the management component behind the Ruckus networking equipment. And this advisory comes from cert.org, not from Ruckus themselves, because, well, there are no patches available for these vulnerabilities. If you look at the list of vulnerabilities, they are pretty much sort of everything you expect from expensive network equipment, like hard-coded secrets and SSH keys that are well-known, and authenticated arbitrary file read, so remote code execution vulnerabilities. Pretty much anything you can sort of imagine. I think they sort of try to check off the OWASP Top 10 here to really give you good value for your money. Block access to these admin interfaces, that's always a good idea. So not just for Ruckus, for any equipment like this. Admin interfaces should never be exposed because they all tend to be pretty crappy.

And AMD released an advisory. Well, this one is about another issue with patches not being released. AMD has released an update that solves a TPM attestation failure issue with recent versions of Windows. The Trusted Platform Module is used to, well, in this example, as they mentioned, for example, with games to prevent cheating and the like. That's sort of where the attestation here comes in. The problem is that some motherboard manufacturers apparently didn't distribute the firmware update necessary to fix this attestation failure issue. And as a result, affected motherboards will show this behavior where you have problems with your Windows system that may not boot, and also with games, like it says here, not being properly able to validate the integrity of their software. There is a list here of the different versions of the firmware, what's vulnerable, what's not vulnerable here, and also hints how to test if your particular motherboard is vulnerable. If you run into issues, there is a recovery method they're also outlining here, but it does require physical access to the system. So it isn't really all that easy. In particular, if you have BitLocker enabled, you sort of need your recovery key and the like in order to get your system working again.

Well, and that's it for today. So thanks again for listening. And next week, of course, I'll be at SANSFIRE in DC. If you run into me, I always keep some Internet Storm Center stickers on me. I'll also do a keynote on Wednesday, I believe. But double check once you're on site. Sometimes things sort of shift around a little bit or I just don't remember correctly. So thanks for listening and talk to you again on Monday. Bye.