Podcast Detail

SANS Stormcast Feb 14th 2025: DShield Honeypot SIEM; PAN OS Auth Bypass; Salt Typhoon vs. Cisco; Crowdstrike Patch

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9324.mp3


DShield SIEM Docker Updates
Interested in learning more about the attacks hitting your honeypot?
Guy assembled a neat SIEM to create dashboards summarizing the attacks.
https://isc.sans.edu/diary/DShield%20SIEM%20Docker%20Updates/31680

PAN-OS Path Confusion Auth Bypass
Palo Alto Networks fixed a path confusion vulnerability introduced by the
overly complex middle-box chain in PAN-OS: an NGINX front-end proxy that makes
the authentication decision and adds auth-specific headers, Apache rewriting
the URL, and PHP executing the result, with the hops interpreting the path differently.
https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
https://www.theregister.com/2025/02/13/palo_alto_firewall/
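The show note above, and the transcript below, describe the vulnerability class rather than the exact request: a front proxy decides whether a request needs authentication, records that decision in a header, and a later hop rewrites the path so that the script finally executed is not the one the decision was made for. The following is an added example, not code from the page, Searchlight Cyber or Palo Alto Networks, and it does not reproduce the real PAN-OS bug or fix. It is a constructed three-hop chain in which the hop names, the `X-Auth-Required` header, the `/unauth/` prefix and the script paths are all hypothetical; it shows the vulnerable pattern (auth decided on the raw string, trusted downstream) beside a hardened one (one shared canonical form, decision re-derived at the backend).

```python
"""Added example (not from the page, Searchlight Cyber or Palo Alto Networks):
a constructed three-hop request chain showing the path-confusion class the
show note describes. Hop names, header names, prefixes and paths are all
hypothetical; this does not reproduce the real PAN-OS bug or its fix."""
from dataclasses import dataclass, field
from urllib.parse import unquote
import posixpath

UNAUTH_PREFIX = "/unauth/"   # hypothetical: requests under here need no session


@dataclass
class Request:
    path: str                # request-target as the current hop sees it
    headers: dict = field(default_factory=dict)


def canonicalize(path: str) -> str:
    """Single shared canonical form: percent-decode once, then drop '.' and
    '..' segments. normpath('/unauth/../admin.php') == '/admin.php'."""
    norm = posixpath.normpath(unquote(path))
    return "/" + norm.lstrip("/")          # collapse any leading '//'


# --- vulnerable chain: each hop has its own idea of what the path is ---------

def edge_vulnerable(req: Request) -> Request:
    """Front proxy (NGINX-like): decides on the RAW string whether the request
    is exempt from auth and tells the backend via a trusted header."""
    exempt = req.path.startswith(UNAUTH_PREFIX)
    req.headers["X-Auth-Required"] = "0" if exempt else "1"
    return req


def middle_rewrite(req: Request) -> Request:
    """Middle hop (Apache-like): decodes and normalizes before mapping the
    request to a script, so its view can differ from the edge's raw view."""
    req.path = canonicalize(req.path)
    return req


def backend_vulnerable(req: Request, session_ok: bool) -> str:
    """Script backend (PHP-like): runs whatever the rewrite produced and
    trusts the header alone for the auth decision."""
    if req.headers.get("X-Auth-Required") == "1" and not session_ok:
        return "403 denied"
    return "200 ran " + req.path


def handle_vulnerable(raw_path: str, session_ok: bool = False) -> str:
    req = middle_rewrite(edge_vulnerable(Request(raw_path)))
    return backend_vulnerable(req, session_ok)


# --- hardened chain: canonicalize first, never trust the decision alone ------

def edge_hardened(req: Request) -> Request:
    """Canonicalize BEFORE the auth decision and forward the canonical path,
    so every later hop sees exactly the string the decision was made on."""
    req.path = canonicalize(req.path)
    exempt = req.path.startswith(UNAUTH_PREFIX)
    req.headers["X-Auth-Required"] = "0" if exempt else "1"
    return req


def backend_hardened(req: Request, session_ok: bool) -> str:
    """Re-derive the decision from the path actually being executed; the edge
    header is at most a hint, and a disagreement is treated as an attack."""
    final = canonicalize(req.path)
    required = not final.startswith(UNAUTH_PREFIX)
    if required and req.headers.get("X-Auth-Required") != "1":
        return "403 denied (edge/backend disagreement)"
    if required and not session_ok:
        return "403 denied"
    return "200 ran " + final


def handle_hardened(raw_path: str, session_ok: bool = False) -> str:
    req = middle_rewrite(edge_hardened(Request(raw_path)))
    return backend_hardened(req, session_ok)


if __name__ == "__main__":
    # Constructed sample request-targets, no session cookie presented.
    for p in ("/unauth/%2e%2e/admin.php", "/unauth/../admin.php", "/admin.php"):
        print(f"{p:28} vulnerable: {handle_vulnerable(p):22} "
              f"hardened: {handle_hardened(p)}")
```

In the vulnerable chain `/unauth/%2e%2e/admin.php` is exempted at the edge because the raw string starts with `/unauth/`, is rewritten to `/admin.php` in the middle, and the backend runs it without a session. The hardened chain makes the same decision on the same canonical string at every hop and refuses when the header and the executed path disagree. Double percent-decoding, or a hop that reads headers the others strip, are further instances of the same divergence; the pattern that holds up is one canonicalization, applied once, and an end-to-end recheck at the component that actually executes the script.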

China's Salt Typhoon Continues to Use Cisco Vulns
Recorded Future wrote up recent attacks by the RedMike / Salt Typhoon group going after telecom providers by compromising Cisco systems via an older vulnerability.
https://www.wired.com/story/chinas-salt-typhoon-spies-are-still-hacking-telecoms-now-by-exploiting-cisco-routers/

Crowdstrike Patches Linux Client
https://www.crowdstrike.com/security-advisories/cve-2025-1146/

Podcast Transcript

Hello and welcome to the Friday, February 14th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Running a honeypot is a lot of fun, but sometimes if you're trying to explain to, let's say, a family member during packet night or maybe just for your own interest what exactly is happening with the honeypot, well, this can be a little bit tricky to sift through all the logs. Guy luckily set up a SIEM add-on for our honeypot that provides you with some real neat dashboards that really put some light behind the scenes and show you what exactly is happening, what attacks the honeypot is seeing, in a relatively nice graphical representation. This is all built around Elasticsearch, so the usual ELK stack of Elasticsearch, Logstash, Kibana is what you have in this particular setup. A bunch of additional software, Zeek, so some packet analysis here as well. That's all neatly summarized. The latest version was just released by Guy and he did write up a quick summary with some screenshots in his diary today. So take a look and just one little word of caution here. Because of all the add-on software, this does not run sort of in our minimum hardware configuration. You may need something a little bit more beefy. I've run it sort of on essentially one of these N100, so these low-end Intel CPUs that actually sometimes are competitively priced compared to, let's say, a Raspberry Pi, depending on the exact setup that you're looking for.

And then we got some Palo Alto vulnerabilities to talk about. This vulnerability is actually kind of interesting. It's not sort of your very straightforward command injection or something like this. It's, as Searchlight Cyber calls it, a path confusion vulnerability. And it is a common problem in the sense that whenever you sort of have middle boxes that are doing authentication for you, that are rewriting URLs, well, you have to be careful that all the components in your forwarding chain are interpreting headers and paths the same way. And that's exactly what's happening here. They're using NGINX as sort of a front-end proxy that has some of the authentication. Another problem here is sort of the adding of authentication-specific headers and then forwarding the request to Apache, which then rewrites it, and then it's finally being executed by PHP. So we have like three different components here. And due to different interpretations of the path along the chain, well, we end up with arbitrary code execution, where essentially an attacker is able to execute specific PHP scripts without authenticating because the backend is essentially confused about whether or not this particular request does actually require authentication or not. Interesting vulnerability. If you're working with a similar system, I think this is a must read and you really need to understand how headers are being dealt with along sort of a chain of different middle boxes and web servers and the like, and also how URLs may be rewritten. In particular, this was kind of caused by a little bit of unexpected Apache behavior. So definitely something to read up on. Maybe something I'll post some special video about at a later time.

The Register is also reporting that they heard of certain Palo Alto devices randomly rebooting. Doesn't appear to be an attack as far as I can tell, but of course it could be some kind of denial of service condition that's being triggered here by specific requests. Apparently there is an update available from Palo Alto that fixes this issue if you have it, or maybe just leave it rebooting. It may make it actually a little bit more difficult to exploit those devices.

And Recorded Future has an update on Salt Typhoon, the threat actor that did compromise a large number of telco companies. Apparently they're still out there. They're still attacking devices, focusing somewhat on older Cisco vulnerabilities. So definitely keep those updated. CVE-2023-2273 is what they're particularly looking for. Recorded Future calls all of this RedMike. And then also interesting that they're using a GRE tunnel for command and control. Something I don't really see done a lot, and something that should trigger all kinds of alarms. But well, we're talking about people who haven't applied two-year-old Cisco updates yet. So they may not be looking for odd protocols on their network either.

And then miscellaneous updates. We do have an update for CrowdStrike's Falcon sensor for Linux. Fixes a TLS issue that would allow for machine-in-the-middle attacks between the sensor and the cloud where any events are being reported to. Definitely something you do want to address. A little bit interesting that we had a TLS issue kind of like that also recently in Linux itself. So that's definitely something that may have sort of trickled into the Falcon sensor. Just apply the update. Well, and that's it for today. Thanks for listening and talk to you again on Monday. Bye.