Podcast Detail

SANS Stormcast Thursday, April 10th: Getting Past PyArmor; CenterStack RCE; Android 0-Day Patch; VMware Tanzu Patches; Odd Win11 Directory; WhatsApp File Confusion; SANS AI Guide;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9402.mp3


Getting Past PyArmor
PyArmor is a Python obfuscation tool used for both malicious and non-malicious software. Xavier takes a look at a sample to show what can be learned from these obfuscated samples without too much work.
https://isc.sans.edu/diary/Obfuscated%20Malicious%20Python%20Scripts%20with%20PyArmor/31840


CenterStack RCE CVE-2025-30406
Gladinet’s CenterStack secure file-sharing software suffers from an inadequately protected machine key that can be used to forge ViewState data. This vulnerability may lead to remote code execution and is already being exploited.
https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
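The CenterStack bug is an instance of a general ASP.NET weakness: if the machine key that signs ViewState is static and exposed, the signature no longer proves anything. The script below is an added example (not Gladinet's code and not from the advisory) that audits a web.config for the settings a defender would check after an incident like this and generates fresh key material for rotation. It assumes the standard `<machineKey>` and `<pages>` elements under `<system.web>`; both sample configurations are constructed for the demo.

```python
"""Audit an ASP.NET web.config for machineKey and ViewState protection settings.

Added example, not Gladinet's code or anything from the advisory. It applies
general ASP.NET hardening guidance: ViewState MAC must stay enabled, MD5/SHA1
validation and DES/3DES decryption are legacy choices, and a literal
validationKey/decryptionKey in the config is a secret that has to be rotated
if the file may have been exposed. Both sample configs below are constructed.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: static keys, legacy algorithms, MAC disabled.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed sample: per-application auto-generated keys, modern algorithms, MAC on.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}   # anything below HMACSHA256
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings for the machineKey / pages settings."""
    findings = []
    root = ET.fromstring(config_xml)

    for mk in root.iter("machineKey"):
        # A literal key in the file is a secret; if it leaked, ViewState can be forged.
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(
                    f"{attr} is a static literal: treat it as a secret and rotate it "
                    f"if web.config may have been read or leaked"
                )
        if mk.get("validation", "HMACSHA256").upper() in LEGACY_VALIDATION:
            findings.append(f"validation={mk.get('validation')} is legacy; use HMACSHA256 or stronger")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append(f"decryption={mk.get('decryption')} is weak; use AES")

    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState is not integrity-protected at all")

    return findings


def generate_machine_key() -> dict:
    """Fresh hex keys sized for HMACSHA256 validation (64 bytes) and AES decryption (32 bytes)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_machine_key(cfg) or ["no findings"]:
            print("  -", finding)
    print("fresh key material:", generate_machine_key())
```

Rotating the key is what the vendor patch does for CenterStack; on a web farm the same fresh key has to be deployed to every node, which is the one case where a literal key (kept out of source control and file shares) is unavoidable.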

Google Patches two zero-day vulnerabilities CVE-2024-53150 CVE-2024-53197
Google released its monthly patches for Android. Two of the patched vulnerabilities are already exploited. One of them was used by Serbian law enforcement.
https://www.malwarebytes.com/blog/news/2025/04/google-fixes-two-actively-exploited-zero-day-vulnerabilities-in-android

Broadcom VMware Tanzu Updates
Broadcom released updates for VMware Tanzu. Many of the vulnerabilities affect the backup component and allow arbitrary command execution.
https://support.broadcom.com/web/ecx/security-advisory?

Windows 11 April Update adds inetpub directory
The April Windows 11 update appears to create a new /inetpub directory. It is unclear why, and removing it appears to have no ill effects.
https://www.bleepingcomputer.com/news/microsoft/windows-11-april-update-unexpectedly-creates-new-inetpub-folder/

WhatsApp File Type Confusion/Spoofing
WhatsApp patched a file type confusion vulnerability. A victim may be tricked into downloading n
https://www.whatsapp.com/security/advisories/2025/
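The defensive counterpart to a file type confusion bug is to trust neither the file name nor the declared MIME type and instead classify the content by its leading bytes. The script below is an added example, not WhatsApp's code; the page only says the bug let a file that looks like a harmless image turn out to be an executable once saved. The signature table, the `check_attachment` verdict rules and all sample files are constructed for the demo.

```python
"""Detect attachments whose real content does not match their claimed type.

Added example, not WhatsApp's code. Generic check: sniff the leading bytes,
compare with the extension and the declared MIME type, and refuse anything
that is actually an executable but presented as something else. All sample
files below are constructed byte strings.
"""
import os

# Leading-byte signatures, longest first so a long match wins over a short one.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF89a", "gif"),
    (b"GIF87a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe-executable"),
]
EXT_TO_TYPE = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
               ".pdf": "pdf", ".zip": "zip", ".exe": "pe-executable",
               ".dll": "pe-executable", ".elf": "elf-executable"}
MIME_TO_TYPE = {"image/png": "png", "image/jpeg": "jpeg", "image/gif": "gif",
                "application/pdf": "pdf", "application/zip": "zip",
                "application/x-msdownload": "pe-executable"}
EXECUTABLE_TYPES = {"pe-executable", "elf-executable"}


def sniff_type(data: bytes) -> str:
    """Classify content by its magic bytes; 'unknown' if nothing matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, declared_mime: str, data: bytes) -> dict:
    """Compare the sniffed content type with what the name and MIME type claim.

    verdict: 'block' when the content is an executable but a claim says otherwise,
             'warn'  when any known claim disagrees with the content,
             'ok'    otherwise (unknown claims are not counted as disagreement).
    """
    ext_type = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower(), "unknown")
    mime_type = MIME_TO_TYPE.get(declared_mime.lower(), "unknown")
    sniffed = sniff_type(data)
    mismatch = any(c != "unknown" and c != sniffed for c in (ext_type, mime_type))
    if sniffed in EXECUTABLE_TYPES and mismatch:
        verdict = "block"
    elif mismatch:
        verdict = "warn"
    else:
        verdict = "ok"
    return {"filename": filename, "extension_type": ext_type, "mime_type": mime_type,
            "sniffed": sniffed, "mismatch": mismatch, "verdict": verdict}


# Constructed samples: a real PNG header, a PE header under an image name,
# a zip under a PDF name, and an honestly labelled executable.
SAMPLES = [
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("holiday.png", "image/png", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16),
    ("report.pdf", "application/pdf", b"PK\x03\x04" + b"\x00" * 16),
    ("setup.exe", "application/x-msdownload", b"MZ\x90\x00" + b"\x00" * 16),
]


def scan_samples() -> dict:
    """Run the check over the constructed samples; returns filename -> verdict."""
    return {name: check_attachment(name, mime, data)["verdict"] for name, mime, data in SAMPLES}


if __name__ == "__main__":
    for name, mime, data in SAMPLES:
        print(check_attachment(name, mime, data))
```

Treating the declared MIME type and the extension as two independent claims matters: a client that picks the handler from one and the file name from the other is exactly the situation where the two can be made to disagree, so a receiver should flag any disagreement rather than just checking one of them.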

SANS Critical AI Security Guidelines
https://www.sans.org/mlp/critical-ai-security-guidelines

Podcast Transcript

Hello and welcome to the Thursday, April 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Xavier today wrote about obfuscated Python. In this particular case, the exploit first arrived as a simple script that used PowerShell to download additional Python. Now, what was different about this particular Python script here is that it used PyArmor in order to obfuscate the code. And while Xavier isn't here going through it sort of line by line based on the obfuscation, he at least does show some techniques to get some partial content from the script by doing some behavioral analysis. The problem here again is that the script also doesn't really run in sandboxes very well, so certainly making analysis of these scripts more difficult. PyArmor itself is not necessarily malicious. It's often used for commercial Python scripts in order to obfuscate the inner workings for intellectual property protection and the like. But if anybody has any tips here for Xavier on how to better deal with PyArmor-obfuscated scripts, well, please let him know.

And we have an interesting vulnerability in CenterStack. CenterStack is made by Gladinet and it's a product that allows you to expose various file shares like SMB and such via a simple-to-use web interface. Now this web interface is written in .NET. .NET, you probably have seen it, has these view states. View states may be signed by the server using a machine key. The problem here with CenterStack is that the machine key wasn't properly protected. It's actually a not so terribly unusual vulnerability for these types of applications that rely on the view state being protected by a machine key. The vulnerability is now addressed with a patch. The patch also creates a new machine key for us. However, the vulnerability has already been exploited for a few weeks. They're saying sometime in March exploitation started, or at least started to be detected, for this vulnerability. So definitely apply this update quickly.

And then we got updates from Google for Android. This update fixes 62 different vulnerabilities. Two USB-related vulnerabilities are of particular interest here in that they're both being exploited. One is allowing access to confidential data. The other one is in the USB audio component. Malwarebytes has done a little write-up on these two exploited vulnerabilities. That USB audio component vulnerability was apparently used by Serbian law enforcement to gain access to locked Android phones. Definitely want to address these and update your phone as the particular update is becoming available for your particular Android device.

And Broadcom released updates for VMware Tanzu. Now VMware Tanzu has nothing really to do with their virtualization product. It's part of their business intelligence product. It also includes a backup product. And that's where a lot of the vulnerabilities being patched here are located: 47 vulnerabilities total, 29 of which apply to the backup and restore component of VMware Tanzu. Many of these vulnerabilities do allow remote code execution. So definitely something that you do want to address quickly.

And according to Bleeping Computer, some users are reporting all of a sudden seeing an inetpub directory on their Windows systems after installing the latest Windows 11 update. This directory is usually used by IIS, the Internet Information Server, in order to serve files. That component was not installed or enabled on those systems. So for whatever reason, Microsoft decided to create that directory. At this point, it appears to be safe to remove that directory. But overall, it shouldn't really have any impact. There's, of course, a slight chance that if you start putting files in there and then later expose these files via installing IIS, you may have a problem. So probably the safe thing to do is just to remove that directory if it's empty, if it's not already used for other purposes on your system.

And if you're using WhatsApp, be aware there is a file spoofing vulnerability that was being addressed in WhatsApp. The problem here is that an attacker may send you a file that looks like a harmless image, like a PNG, but actually then turns out to be an executable once saved to your system.

And SANS released a new document, the Critical AI Security Guidelines. Now, it's version 1.1, but even though it's labeled as version 1.1, it's pretty much, very much sort of a document in flux, a living document summarizing what you need to do in order to protect your AI workflows. This document still is waiting for user input as well. Given that AI moves so fast, I think it would be just wrong to release something that is considered sort of done and ready as is. So take a look at it. I'll, of course, add a link to the show notes.

And if anybody's interested, on Friday, I'll actually be speaking for an ISSA event here in Jacksonville. It'll be a little bit of an encore of the sort of Internet Storm Center run-through I did for InfraGard a couple of weeks ago, if anybody's interested. Also, link in the show notes if you want to register. And that's it for today. Thanks for listening and talk to you again tomorrow. Bye.