
SANS Stormcast Friday, July 11th, 2025: SSH Tunnel; FortiWeb SQL Injection; Ruckus Unpatched Vuln; Missing Motherboard Patches;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9522.mp3


SSH Tunneling in Action: direct-tcp requests
Attackers are compromising ssh servers to abuse them as relays. The attacker will configure port forwarding direct-tcp connections to forward traffic to a victim. In this particular case, the Yandex mail server was the primary victim of these attacks.
https://isc.sans.edu/diary/SSH%20Tunneling%20in%20Action%3A%20direct-tcp%20requests%20%5BGuest%20Diary%5D/32094
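As an added example (not code from the diary or the podcast), a short Python detector that reads sshd log lines for direct-tcpip forwarding requests and flags sessions that relay to mail ports or fan out to many hosts, which is the relay pattern the diary describes. The message format mirrors the `debug1` line OpenSSH emits for direct-tcpip requests at `LogLevel DEBUG1`, but the sample lines, usernames and addresses are constructed, and the exact format is an assumption to verify against your own sshd output.

```python
import re

# Constructed sample sshd log lines (LogLevel DEBUG1 style). Addresses are
# RFC 5737 documentation ranges, not real hosts. The message format mirrors
# the debug1 line OpenSSH emits for direct-tcpip requests; verify it against
# your own sshd before relying on the regex.
SAMPLE_LOG = """\
Jul 10 03:12:40 relay sshd[2314]: Accepted password for backup from 198.51.100.7 port 41022 ssh2
Jul 10 03:12:44 relay sshd[2314]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 51234, target 203.0.113.25 port 25
Jul 10 03:12:45 relay sshd[2314]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 51235, target 203.0.113.25 port 587
Jul 10 03:12:46 relay sshd[2314]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 51236, target 203.0.113.26 port 443
Jul 10 03:20:01 relay sshd[2399]: Accepted publickey for alice from 192.0.2.10 port 50110 ssh2
Jul 10 03:20:05 relay sshd[2399]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 52000, target 10.0.0.5 port 5432
"""

LOGIN_RE = re.compile(r"sshd\[(\d+)\]: Accepted \w+ for (\S+) from (\S+) port")
FWD_RE = re.compile(r"sshd\[(\d+)\]: .*server_request_direct_tcpip: .*target (\S+) port (\d+)")

# Outbound relays to mail transfer/submission ports are the spam pattern the
# diary describes; treat them as suspicious regardless of volume.
MAIL_PORTS = {25, 465, 587}


def parse_sessions(log_text):
    """Group direct-tcpip forwarding targets by sshd session (child pid)."""
    sessions = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            pid, user, src = m.groups()
            sessions[pid] = {"user": user, "src": src, "targets": []}
            continue
        m = FWD_RE.search(line)
        if m:
            pid, host, port = m.groups()
            s = sessions.setdefault(pid, {"user": "?", "src": "?", "targets": []})
            s["targets"].append((host, int(port)))
    return sessions


def find_relay_abuse(log_text, max_hosts=3):
    """Flag sessions relaying to mail ports or fanning out to many distinct hosts."""
    alerts = []
    for pid, s in parse_sessions(log_text).items():
        hosts = {h for h, _ in s["targets"]}
        mail = [(h, p) for h, p in s["targets"] if p in MAIL_PORTS]
        if mail or len(hosts) > max_hosts:
            alerts.append({"pid": pid, "user": s["user"], "src": s["src"],
                           "mail_targets": mail, "distinct_hosts": len(hosts)})
    return alerts
```

For accounts with no legitimate need to forward, setting `AllowTcpForwarding no` in sshd_config makes sshd refuse these requests instead of relaying them, so the log entries above become the exception rather than the norm.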

Fortiguard FortiWeb Unauthenticated SQL injection in GUI (CVE-2025-25257)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
https://www.fortiguard.com/psirt/FG-IR-25-151

Ruckus Virtual SmartZone (vSZ) and Ruckus Network Director (RND) contain multiple vulnerabilities
Ruckus products suffer from a number of critical vulnerabilities. There is no patch available, and users are advised to restrict access to the vulnerable admin interface.
https://kb.cert.org/vuls/id/613753

Podcast Transcript

Hello and welcome to the Friday, July 11th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today's episode, which is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking, is recorded in Jacksonville, Florida.

In diaries today we have yet again one of our undergraduate interns with the SANS.edu BACS program write up an observation from a honeypot. This particular one comes from Sihui Neo and it does show how attackers are abusing, well, OpenSSH servers. In this case, weak passwords are typically used in order to penetrate the SSH server, but the attacker here is actually kind of leaving the SSH server alone. It's only using the SSH server to then set up SSH tunnels to other systems. And in this particular case, one of the top targets that attackers were after was a mail server with Yandex, Yandex being a large Russian ISP which also operates a very large webmail system. So they're probably going to send some kind of spam to this particular mail server. This is a rather common technique, to use a compromised SSH server as a proxy, essentially, to forward requests, that obfuscates the actual source of the attack. Sometimes they can also be sort of daisy-chained, where you have multiple proxies like this in order to further obfuscate the actual source of the attack. In the past, even nation-state actors have sometimes used this technique via compromised home systems, home routers and the like, in order to, again, obfuscate their track. And yet another reason why usually country blocks and the like are not really helping against any of the little bit more sophisticated attackers.

And then before I forget it again, I intended to cover this yesterday already, but, well, I didn't quite make it. FortiGuard released an advisory alerting its users of a critical vulnerability in the FortiWeb application. It's a SQL injection vulnerability, doesn't require any authentication to exploit, and provides the attacker with full access to the database. CVSS score here is 9.6, underlining the criticality of this particular vulnerability. So please patch quickly. Haven't seen an exploit yet for it, but there may already be one out there. Haven't really looked that closely.

And then we also have an advisory for Ruckus Virtual SmartZone and Ruckus Network Director. That's the management component behind the Ruckus networking equipment. And this advisory comes from cert.org, not from Ruckus themselves, because, well, there are no patches available for these vulnerabilities. If you look at the list of vulnerabilities, they are pretty much sort of everything you expect from expensive network equipment, like hard-coded secrets and SSH keys that are well-known, and authenticated arbitrary file read. So remote code execution vulnerabilities. Pretty much anything you can sort of imagine. I think they sort of try to check off the OWASP Top 10 here to really give you good value for your money. Block access to these admin interfaces, that's always a good idea. So not just for Ruckus, for any equipment like this. Admin interfaces should never be exposed because they all tend to be pretty crappy.

And AMD released an advisory. Well, this one is about another issue with patches not being released. AMD has released an update that solves a TPM attestation failure issue with recent versions of Windows. The Trusted Platform Module is used to, well, in this example, Adair mentioned, for example, with games to prevent cheating and the like. That's sort of where the attestation here comes in. The problem is that some motherboard manufacturers apparently didn't distribute the firmware update necessary to fix this attestation failure issue. And as a result, affected motherboards will show this behavior where you have problems with your Windows system that may not boot. And also with games, like it says here, not being properly able to validate the integrity of their software. There is a list here of the different versions of the firmware, what's vulnerable, what's not vulnerable here. And also hints how to test if your particular motherboard is vulnerable. If you run into this issue, there is a recovery method they're also outlining here, but it does require physical access to the system. So it isn't really all that easy. In particular, if you have BitLocker enabled, you sort of need your recovery key and the like in order to get your system working again.

Well, and that's it for today. So thanks again for listening. And next week, of course, I'll be at SANSFIRE in DC. If you run into me, I always keep some Internet Storm Center stickers on me. I'll also do a keynote on Wednesday, I believe. But double check once you're on site. Sometimes things sort of shift around a little bit or I just don't remember correctly. So thanks for listening and talk to you again on Monday. Bye.