
SANS Stormcast Thursday Mar 20th: Cisco Smart Licensing Attacks; Vulnerable Drivers again; Synology Advisories Updated

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9372.mp3


Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 CVE-2024-20440
Attackers have added last September's Cisco Smart Licensing Utility vulnerability to their toolset. These attacks most likely originate from botnets, and the same attackers are scanning for a wide range of additional vulnerabilities. The vulnerability is a static credential issue and has been trivial to exploit since the credentials were published last fall.
https://isc.sans.edu/diary/Exploit%20Attempts%20for%20Cisco%20Smart%20Licensing%20Utility%20CVE-2024-20439%20and%20CVE-2024-20440/31782

Legacy Driver Exploitation Through Bypassing Certificate Verification
Ahnlab documented a new variant of the "bring your own vulnerable driver" technique. In this case, an old driver originally shipped with an anti-malware and anti-rootkit product can be used to shut down arbitrary processes, including security-related processes.
https://asec.ahnlab.com/en/86881/
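As an added example (not code from the Ahnlab write-up or from the ISC diary), the PowerShell below inventories the kernel drivers registered on a Windows host and reports whether the truesight.sys driver is present, which file version it is, whether its Authenticode signature is valid, and its SHA256. The file name and the 2.0.0 version cutoff are taken from the podcast; the function names, the "old build" threshold logic and the warning text are assumptions of this example, and the closing Win32_DeviceGuard query is a sanity check that code-integrity enforcement, which Microsoft's driver block list depends on, is actually turned on.

```powershell
# Added example, not code from the Ahnlab post or the ISC diary: find truesight.sys among
# the registered kernel drivers and report version, signature status and hash.
# Assumptions: the file is named truesight.sys, and version 2.0.0 (the old build the
# podcast mentions as predating the block list's 2015 cutoff) is the "old version"
# threshold. Run from an elevated PowerShell session.

$SuspectDriver    = 'truesight.sys'
$OldVersionCutoff = [version]'2.0.0'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may carry NT-style prefixes; map them to a file path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspectDriverReport {
    $report  = @()
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }
    foreach ($drv in $drivers) {
        $path = Resolve-DriverPath $drv.PathName
        if ((Split-Path -Path $path -Leaf) -ine $SuspectDriver) { continue }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $info = (Get-Item -LiteralPath $path).VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        # FileVersion strings often carry trailing text; keep only the leading dotted number.
        $parsed = $null
        $clean  = ($info.FileVersion -replace '[^\d\.].*$', '')
        $isOld  = [version]::TryParse($clean, [ref]$parsed) -and ($parsed -le $OldVersionCutoff)

        $report += [pscustomobject]@{
            Service     = $drv.Name
            State       = $drv.State
            Path        = $path
            FileVersion = $info.FileVersion
            OldBuild    = $isOld                      # at or below the assumed 2.0.0 cutoff
            Signature   = $sig.Status                 # 'Valid' is expected: BYOVD relies on a good signature
            Signer      = $sig.SignerCertificate.Subject
            SHA256      = $hash                       # compare against your own or vendor-published blocklist hashes
        }
    }
    return $report
}

$found = Get-SuspectDriverReport
if (-not $found) {
    Write-Output "$SuspectDriver is not registered as a driver service on this host."
} else {
    $found | Format-List
    if ($found | Where-Object { $_.State -eq 'Running' }) {
        Write-Warning "$SuspectDriver is loaded; review which process installed it and check for security-tool termination events."
    }
}

# Is the Microsoft vulnerable driver block list actually being enforced?
# Win32_DeviceGuard reports code-integrity policy enforcement: 2 = enforced, 1 = audit, 0 = off.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    Write-Output ("Code integrity policy enforcement status: {0}" -f $dg.CodeIntegrityPolicyEnforcementStatus)
}
```

A valid signature on the reported file is not reassuring on its own: the whole point of the technique described above is that the driver is legitimately signed, so the useful signals are the old file version, the driver being in the Running state on a host that never shipped the anti-rootkit product, and a hash that matches a known-vulnerable build.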

Synology Vulnerability Updates
Synology updated some security advisories it released last year, adding additional details and vulnerable systems.
https://www.synology.com/en-global/security/advisory/Synology_SA_24_20
https://www.synology.com/en-global/security/advisory/Synology_SA_24_24


Podcast Transcript

Hello and welcome to the Thursday, March 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, today I took a look at some Cisco Smart Licensing Utility vulnerabilities. There are two vulnerabilities that were patched September last year. Now, shortly after the patch was released, there was also an exploit released, and the exploit is pretty straightforward for this vulnerability. It was yet another of these static credential vulnerabilities. So really all you need to know in order to exploit the vulnerability is, well, what these static credentials were, and that's what a blog post that was published a couple days after the patch came out, well, revealed. Haven't really seen much exploitation of this vulnerability so far. However, today I noticed that we got some significant scanning for this vulnerability, for the particular URL being used. Then when I looked at the complete request, they indeed used an authorization header with these static credentials. This is part of what looks like some kind of botnet. They're scanning for a number of other vulnerabilities. Some of these vulnerabilities are basically just looking for credentials, like things like .env files and such being leaked. But they're also looking, interestingly, for another, a little bit odd sort of video recorder vulnerability. One of these security camera recorders also has static credentials. In that case, the credentials are about as complex as the Cisco credentials. So something you wouldn't necessarily guess. It's not something like admin admin, but a little bit more complex. A couple special characters in the Cisco case. But of course, if they're static, well, it doesn't really matter how complex they are once they have been leaked. The official lesson here is of course patch. The less official version is if you're buying expensive enterprise software or cheap security cameras, they have the same type of vulnerabilities. So better get ready for it.

And Ahnlab did release a blog post showing an interesting trick that attackers are using by loading an old driver. Now we often have the bring a vulnerable driver technique. That's a little bit of a variation of this technique. The idea is that there are a number of drivers that have special powers in the operating system. They're as a result digitally signed, so they can't be altered. However, if they have a vulnerability, well, then they can be used in order to elevate privileges. That's sort of your classic bring a vulnerable driver vulnerability, where an attacker is using a driver with a known vulnerability that has a valid signature in order to usually achieve system privileges. This is a little bit sort of a different variation of this attack. The driver in question here is called the truesight.sys driver. This driver came originally as part of an anti-rootkit actually, so anti-malware, but had the little bit iffy side effect where it could be used to terminate arbitrary processes, even if they were not associated with a rootkit. And that essentially then led to a limited privilege escalation, where an attacker was able to shut down security processes. And with that, they're able to load additional malware. Now, this particular vulnerable driver was originally put on Microsoft's driver block list. Microsoft maintains a list of known vulnerable drivers. And well, this was one of them now. So it was added to the block list. The problem here was then that aside from the block list not really working the way it's designed to, but even if it would have worked the way it was designed to, it wouldn't block this particular driver, at least an old version of this driver, because the block list only goes back for drivers to 2015. And there was a vulnerable version of this driver, version 2.0.0, that was published before. So that one could still be used. Well, then the attacker also applied the zero padding trick to actually modify the driver as they're being loaded. So we're back to certificate bypass issues here that are also part of these sort of older vulnerabilities. The end effect is that the attacker is able to load the driver. The attacker is now gaining privileges to shut down arbitrary processes. And yes, attackers yet again used this particular driver to then kill security processes. Microsoft apparently has added now the old version to their block list as well. As I said, that's more miss than hit when it comes to hit and miss with this driver block list. Lots of reports that they actually don't really work very well. Hopefully some regular anti-malware and such will also add these old drivers to their signatures to hopefully block them from being used.

And in security announcements, we got two updated announcements from Synology affecting a number of their camera products. Take a look if there are any new products being added here to the vulnerable products list that are affected by this. The vulnerabilities are critical. They are remote code execution vulnerabilities. They were mostly discovered as part of the Zero Day Initiative's Pwn2Own contest. So definitely something that you do want to address. There's, for example, some arbitrary remote read vulnerabilities, also execution of arbitrary code, and then also some machine in the middle attacks that are being addressed here.

Well, and that's it for today. Thanks for listening. Thanks for recommending the podcast. If you meet anybody from SANS, let them know that you listen to and like the podcast. And any feedback, as always, welcome. Playing a little bit with different backgrounds and lighting and such or content. If I say anything wrong or missed something, please let me know. Thanks and talk to you again tomorrow. Bye.