
SANS ISC Stormcast, Jan 28th 2025: Z-Shy Phishing; Apple Patches 0-Day; Fortinet Exploit Details; GitHub and Apache Solr Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9298.mp3


This episode shows how attackers are bypassing phishing filters by abusing the "shy" soft hyphen HTML entity (&shy;), a variant of the zero-width-character ("Z-WASP") trick: the invisible character splits keywords such as "password" for the filter while the rendered text still reads normally. We got an update from Apple fixing an already-exploited 0-day vulnerability in the Core Media framework in addition to a number of other issues. watchTowr shows how to exploit an interesting FortiOS authentication bypass, and we have patches for GitHub Desktop and Apache Solr.

An unusual "shy z-wasp" phishing
https://isc.sans.edu/diary/An%20unusual%20%22shy%20z-wasp%22%20phishing/31626
How the soft hyphen "shy" HTML entity can be abused to bypass e-mail filters
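The filter-side countermeasure for this trick is to match keywords on what the recipient actually sees, not on the raw HTML. The script below is an added example written for this page, not code from the ISC diary or from any filter product: it decodes entities such as &shy; and &zwj;, drops the invisible and Unicode format (Cf) characters they produce, folds compatibility forms with NFKC (so fullwidth letters also collapse to ASCII, which goes beyond the soft-hyphen case in the diary), and only then runs the keyword match. It also counts invisible characters wedged between two letters, which is a usable signal by itself. The keyword list and the phishing fragment are constructed for the demo.

```python
import html
import re
import unicodedata

# Characters that render as nothing (the soft hyphen only shows at a line
# break) yet split a keyword for a filter that matches on the raw source.
INVISIBLE = frozenset({
    "\u00ad",  # SOFT HYPHEN, the &shy; entity the diary describes
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER (&zwnj;)
    "\u200d",  # ZERO WIDTH JOINER (&zwj;)
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
    "\u034f",  # COMBINING GRAPHEME JOINER
})
TAG_RE = re.compile(r"<[^>]*>")

# Placeholder keyword list; a real filter would use its own.
KEYWORDS = ("password", "verify your account", "wire transfer")

# Constructed phishing fragment: every keyword is broken up with an entity
# or an empty tag, so the rendered text still reads normally to a human.
SAMPLE = ("Your pass&shy;word expires today. Please ver&#8203;ify "
          "yo<span></span>ur acc&zwj;ount now.")


def decoded_text(fragment: str) -> str:
    """Drop tags first, then decode entities, so &shy; becomes U+00AD."""
    return html.unescape(TAG_RE.sub("", fragment))


def normalize(fragment: str) -> str:
    """Reduce a fragment to roughly what a human sees: invisible and
    format characters removed, compatibility forms folded, lower-cased."""
    text = unicodedata.normalize("NFKC", decoded_text(fragment))
    text = "".join(ch for ch in text
                   if ch not in INVISIBLE and unicodedata.category(ch) != "Cf")
    return text.lower()


def naive_hits(fragment: str) -> list[str]:
    """Keyword match on the raw source, as a simplistic filter would do."""
    lowered = fragment.lower()
    return [k for k in KEYWORDS if k in lowered]


def normalized_hits(fragment: str) -> list[str]:
    """Keyword match after normalization."""
    text = normalize(fragment)
    return [k for k in KEYWORDS if k in text]


def word_interior_invisibles(fragment: str) -> int:
    """Count invisible characters sitting between two letters. Legitimate
    mail rarely hyphenates or joins mid-word this way, so a high count is
    a signal on its own, independent of any keyword list."""
    text = decoded_text(fragment)
    return sum(1 for i in range(1, len(text) - 1)
               if text[i] in INVISIBLE
               and text[i - 1].isalpha() and text[i + 1].isalpha())


if __name__ == "__main__":
    print("raw match:          ", naive_hits(SAMPLE))        # []
    print("normalized match:   ", normalized_hits(SAMPLE))   # ['password', 'verify your account']
    print("mid-word invisibles:", word_interior_invisibles(SAMPLE))  # 3
```

The tag strip happens before entity decoding on purpose: decoding first would turn a literal `&lt;span&gt;` into something the tag regex then eats. The Cf-category check catches format characters beyond the explicit set; the set is still needed for U+034F, which is a combining mark rather than a format character.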

Apple Patches
https://support.apple.com/en-us/100100
Apple released patches for all of its operating systems, fixing an already-exploited 0-day vulnerability among many other issues

Get Fortirekt I am the Super_admin now
https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admin-now-fortios-authentication-bypass-cve-2024-55591/
Details about the recent FortiOS authentication bypass vulnerability (CVE-2024-55591)

GitHub Desktop Vulnerability
https://thehackernews.com/2025/01/github-desktop-vulnerability-risks.html

Apache Solr Vulnerability
https://solr.apache.org/security.html#cve-2024-52012-apache-solr-configset-upload-on-windows-allows-arbitrary-path-write-access

Podcast Transcript

Hello and welcome to the Tuesday, January 28, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, today we have a diary by Jan looking at one of his favorite topics, and that's how attackers are bypassing phishing filters. The common trick being used here is often referred to as Z-WASP, for zero-width characters, and there are a number of different spaces, non-breaking spaces and the like that are often used here that are invisible to the user. But a machine looking for keywords like "password" would not recognize those keywords, because they are broken up with these special characters. A particular character that Jan is looking at in this example is the soft hyphen, which is why Jan dubs this particular version of the attack the "Z-Shy" attack, where S-H-Y is the HTML entity being used for the soft hyphen that is then included in these emails in order to obfuscate them, and make them similar to these zero-width space and other zero-width characters: readable to the human but not readable to the machine. Interesting technique, and what this really drives home is that, yes, we have fancy filters for our email messages that try to identify spam, but a sufficiently motivated attacker is probably going to figure out a way around this, because there are just so many options to make a text look very different to the machine compared to the user.

And Apple today released its usual updates for everything. So we got updates for visionOS, iOS, iPadOS; we got updates for macOS going back three versions to Ventura, or macOS 13. We also got updates for watchOS, tvOS and of course Safari for these older versions of macOS. Probably the highlight of this particular release is that there is one already-exploited vulnerability that's being patched with this update. It's the first zero-day of the year for Apple, but of course it's just January. And I think this is the first or second update that we got this year. This particular already-exploited vulnerability is a privilege escalation vulnerability in Apple's Core Media framework. This is essentially the library, or the set of libraries, that's responsible for all kinds of media processing, and with that of course a common source of vulnerabilities. The Apple description is as usual fairly sparse. It says here, and I'm reading from Apple: a malicious application may be able to elevate privileges. Apple is aware of a report this issue may have been exploited against versions of iOS before iOS 17.2. So if you already ran a current version of iOS you should be good and should not be affected by this vulnerability. Still, update, and of course with that make sure that you also apply all these other updates that are included. For iOS and iPadOS, and the other operating systems other than macOS, there is no update for prior versions yet. So with that of course you have to also accept any feature updates that you may receive with this particular operating system update.

And watchTowr released its usual in-depth review and exploit instructions for the latest Fortinet FortiOS authentication bypass vulnerability. Pretty interesting vulnerability: essentially what Fortinet did here is that it did provide a proxy to a local telnet session via WebSocket. And that essentially allows a user to gain terminal access via HTTP requests. Authentication of course isn't really done properly. There is a race condition where you can authenticate before the authentication request comes in, resulting in empty authentication succeeding. And that gives you then essentially full command line access via this WebSocket connection. Interesting vulnerability, definitely something to look at if you are working with WebSockets and do similar things where you are proxying WebSocket connections and relying on some form of authentication across this connection, so you are not running into the same type of race issue that we had here with Fortinet.

In other updates, we got an update for GitHub Desktop that fixes four different vulnerabilities. There are some credential leak vulnerabilities. Actually, the one vulnerability I thought is kind of interesting is not the most severe one, CVSS score only 6.6, but a maliciously crafted remote URL could essentially lead to credential leaks. Interesting kind of exploitation options here, and probably one that's a little bit hard to get a handle on how critical it really is in your particular environment.

And Apache released a noteworthy update for Solr fixing two vulnerabilities. One of them is a directory traversal vulnerability, and also an interesting one that allows untrusted users to overwrite trusted config sets. And in the end this could also end up with arbitrary code execution. So definitely apply the patch.

And this is it for today. This week I'm teaching virtually here for our Cybersecurity East conference. Thanks for listening and talk to you again tomorrow. Bye.