
SANS Stormcast Tuesday, May 12th: Apple Patches; Unipi Technologies Scans;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9448.mp3


Apple Updates Everything
Apple patched all of its operating systems. This update ports a patch for a recently exploited vulnerability to older versions of iOS and macOS.
https://isc.sans.edu/diary/31942


It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities
Variants of the Mirai botnet are attacking devices made by Unipi Technology. These devices ship with a default username and password combination that the malware tries. In addition, this Mirai variant also attempts exploits against an old Netgear vulnerability.
https://isc.sans.edu/diary/It%20Is%202025%2C%20And%20We%20Are%20Still%20Dealing%20With%20Default%20IoT%20Passwords%20And%20Stupid%202013%20Router%20Vulnerabilities/31940
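The diary entry says the honeypots recognised the attack by the default credential pair the Mirai variant tries (the transcript names it as username "Unipi" and password "Unipi.Technology"). As an added example that is not part of the ISC diary or of any honeypot project's own code, the following Python script parses constructed, Cowrie-style login-attempt lines, flags any attempt that uses a known default IoT credential pair (case-insensitively), and counts the flagged attempts per source address. The log format, the sample addresses and the set of credential pairs are assumptions for the example; the only pair in the set is the one from the page.

```python
import re
from collections import Counter

# Default credential pair reported for Unipi Technology devices in the ISC diary
# (username "Unipi", password "Unipi.Technology"); compared case-insensitively.
# Other pairs can be appended as they show up in your own honeypot data.
DEFAULT_CREDS = {("unipi", "unipi.technology")}

# Constructed sample lines in a Cowrie-like format. These are not real honeypot
# records; the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-05-12T10:01:02Z 203.0.113.5 login attempt [root/admin] failed
2025-05-12T10:01:05Z 203.0.113.5 login attempt [Unipi/Unipi.Technology] succeeded
2025-05-12T10:02:11Z 198.51.100.7 login attempt [unipi/unipi.technology] failed
2025-05-12T10:02:40Z 203.0.113.5 login attempt [unipi/unipi.technology] succeeded
2025-05-12T10:03:00Z 192.0.2.9 login attempt [pi/raspberry] failed
this line is not a login event and is skipped
"""

# Assumed line layout: <timestamp> <source ip> login attempt [<user>/<password>] <result>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\]\s+(?P<result>\w+)"
)


def parse_line(line):
    """Return a dict for a login-attempt line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_default_cred_attempts(lines):
    """Return the parsed events whose username/password pair is a known default."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        pair = (ev["user"].lower(), ev["pw"].lower())
        if pair in DEFAULT_CREDS:
            hits.append(ev)
    return hits


def count_by_source(hits):
    """Count flagged attempts per source address, for triage or blocklisting."""
    return Counter(ev["src"] for ev in hits)


if __name__ == "__main__":
    found = find_default_cred_attempts(SAMPLE_LOG.splitlines())
    for ev in found:
        print(f'{ev["ts"]} {ev["src"]} tried {ev["user"]}/{ev["pw"]} -> {ev["result"]}')
    print("attempts per source:", dict(count_by_source(found)))
```

Matching is done on the lower-cased pair so that the mixed-case form quoted in the podcast and the all-lower-case form both trigger; a real deployment would read lines from the honeypot's log file instead of the embedded sample and feed the per-source counts into whatever blocklist or ticketing process the team already runs.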

Output Messenger Vulnerability
The internal messaging application “Output Messenger” is currently being targeted in sophisticated attacks. Attackers are exploiting a path traversal vulnerability that has not been fixed.
https://www.outputmessenger.com/cve-2025-27920/
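The vulnerability class here is path traversal: a file name supplied by the client is joined onto a server-side directory without checking that the result stays inside it. As an added example that is not code from Output Messenger or from Microsoft's report, the following Python shows the vulnerable pattern next to a hardened resolver. The share root `/srv/messenger/files` and the request names are assumptions for the illustration; nothing here reflects how the real application stores files.

```python
import os

# Assumed share root for the example; not a path taken from Output Messenger.
SHARE_ROOT = "/srv/messenger/files"


def unsafe_resolve(base, requested):
    """Vulnerable pattern: the client-supplied name is joined onto the share root
    without any check, so '../' components walk out of it (and an absolute
    'requested' makes os.path.join discard 'base' entirely)."""
    return os.path.normpath(os.path.join(base, requested))


def safe_resolve(base, requested):
    """Hardened version: canonicalise both paths (following symlinks) and require
    the result to stay inside the share root. Raises ValueError otherwise."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    try:
        inside = os.path.commonpath([base_real, target]) == base_real
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    if not inside:
        raise ValueError(f"path traversal rejected: {requested!r}")
    return target


def is_safe_request(base, requested):
    """Boolean convenience wrapper around safe_resolve for use in a handler."""
    try:
        safe_resolve(base, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("reports/q1.txt", "../../../etc/passwd", "/etc/passwd", "a/../../b"):
        verdict = "allowed" if is_safe_request(SHARE_ROOT, name) else "rejected"
        print(f"{name!r:24} unsafe -> {unsafe_resolve(SHARE_ROOT, name)}")
        print(f"{'':24} safe   -> {verdict}")
```

The check compares canonicalised paths rather than looking for a literal `..` substring, so encoded or symlink-based variants are caught by the same rule; rejecting absolute names up front closes the `os.path.join` quirk that the vulnerable function inherits. When a product does have a traversal bug of this kind, the defensive priorities the podcast names still apply: patch, and review the served directory for credentials or secrets that may already have been read.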


Commvault Correction
Commvault’s patch does fix the recent vulnerability. The “Pioneer Release” Will Dormann used for his experiments only receives patches after it has been registered, which led to an error in his assessment of the patch’s efficacy.
https://www.darkreading.com/application-security/commvault-patch-works-as-intended

Podcast Transcript

Hello and welcome to the Tuesday, May 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And well, today we got patches from Apple. So tomorrow, Microsoft Patch Tuesday. Today, Apple patch Monday. Even though, of course, Apple does publish patches not on a regular schedule. This particular update fixes 65 different vulnerabilities. There's one sort of notable vulnerability here and that one is already being exploited. It's an audio stream vulnerability. Apple has released a patch for this particular vulnerability back in mid-April, but only for the most recent versions of iOS and macOS. This update now does also update some of the older versions of macOS and iOS. For macOS, it goes back to Ventura, which is 13. So about two years ago. In addition to this particular vulnerability that's already being exploited, there are a number of other notable vulnerabilities. For example, a couple of vulnerabilities in WebKit that could lead to code execution if you're visiting a malicious website. Also kind of an interesting vulnerability in FaceTime, where apparently the mute button didn't always work as expected. Of course, that would be a rather embarrassing mistake in some cases.

And our honeypots detected the use of a new username and password combination, and that's Unipi and Unipi.Technology. This particular username and password combination is the default password for devices created by a company called Unipi Technology. And, well, they're sort of in the business of kind of IoT, like home automation, business control systems, and the like. And, yes, they're still using a default password. It is, however, pointed out in their quick start guide as sort of a bold item at the top that you should probably change this particular password. The malware being spread here, well, it smells, looks like Mirai. It also does scan using the good old Netgear vulnerability. That's now, I think, a 12-year-old vulnerability from 2013. I think February 2013 is when it first came out, but it was only assigned a CVE number last year. So there's a lot of confusion around this because it's an old vulnerability, but it does have a 2024 CVE number. In particular, if you're looking at this in the context of some of the other news, like the FBI, for example, taking down that botnet of out-of-date and unpatchable routers, which was probably something like this Netgear vulnerability that was used to compromise those routers. Also, we had a CISA advisory that, well, old vulnerabilities are heavily being used in order to target OT, so ICS technology.

And Microsoft is reporting that a new vulnerability in Output Messenger is being actively exploited by a group that Microsoft calls Marbled Dust. This particular group attacks, at least with this vulnerability, targets in the Middle East and Europe. Now, Output Messenger is a local messaging application. It's often used by administrators and such to communicate. It's fairly feature-rich and allows the easy exchange of files. And the developer of this application has now actually released a fairly decent blog, a little bit explaining the vulnerability. It's a directory traversal vulnerability. So an attacker can use this vulnerability to gain access to files on the user's system, which, of course, if they contain secrets, credentials and such, could potentially be used to execute code on affected systems. As part of the attack that Microsoft saw, attackers apparently also took over some of the Output Messenger servers that are typically run locally. So in that case, then, attackers could easily reach out to additional victims that are using this particular server. Definitely update as fast as possible, given the active exploitation of this vulnerability.

And then we have an update for the Commvault story. Remember, there was a vulnerability. Then Commvault released a patch. And security researcher Will Dormann stated that the patch didn't completely fix the vulnerability. Commvault now came out saying that, well, they did actually fix the vulnerability. And Dormann also corrected kind of his original assessment: when he downloaded the version that I guess is described as a pioneer release, it doesn't actually come with any patches and updates until you actually register this version of the software. So you only get security updates as a paid license customer. If you're just downloading the test release, you may not get the latest, greatest version with all the patches applied.

Well, and that's it for today. So thanks for listening. And just a quick note, I haven't mentioned SANSFIRE. Well, you may see at the top the URL scrolling by in the beginning and the end of the podcast. But I just want to point out that we actually are now getting together yet another one of our honeypot workshops. So we'll give away something like 20 honeypots for anybody interested in running them in their network. We'll also walk you through how to install them during an evening event at SANSFIRE. That's it for today. Thanks for listening and talk to you again tomorrow. Bye-bye.