SANS Stormcast Wednesday Mar 26th: XWiki Exploit; File Converter Correction; VMWare Vulnerability; Draytek Router Reboots; MMC Exploit Details;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9380.mp3

My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Apr 13th - Apr 18th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 5th - May 10th 2025 |
XWiki Search Vulnerability Exploit Attempts (CVE-2024-3721)
Our honeypot detected an increase in exploit attempts for an XWiki command injection vulnerability. The vulnerability was patched last April, but appears to have been exploited more over the last couple of days. The vulnerability affects the search feature and allows the attacker to inject Groovy code templates.
https://isc.sans.edu/diary/X-Wiki%20Search%20Vulnerability%20exploit%20attempts%20%28CVE-2024-3721%29/31800
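As an added illustration (not code from the diary or the XWiki project), the check below scans web server log lines for search requests whose decoded search string contains XWiki macro markup such as {{groovy}}, which is the pattern the diary describes: a search term that the renderer would treat as a template. The search path /bin/view/Main/Search, the text parameter and the log lines are assumed or constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# XWiki wiki-syntax macros look like {{groovy}}...{{/groovy}}. Macro markup
# inside a search string is the indicator of interest here.
MACRO_RE = re.compile(r"\{\{\s*/?\s*(groovy|velocity|python|async|script)\b", re.I)

# Combined-format access log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed search endpoint and parameter name; adjust to the deployment.
SEARCH_PATH = "/bin/view/Main/Search"
SEARCH_PARAM = "text"

# Constructed sample log lines (not real traffic); 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/Search?text=groovy+tutorial HTTP/1.1" 200 5120
203.0.113.9 - - [25/Mar/2025:10:01:07 +0000] "GET /xwiki/bin/view/Main/Search?text=%7B%7Bgroovy%7D%7Dprintln%28%22hello%22%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 812
203.0.113.9 - - [25/Mar/2025:10:01:09 +0000] "GET /xwiki/bin/view/Main/Search?text=%7B%7Basync%20async%3D%22true%22%7D%7D HTTP/1.1" 200 800
198.51.100.2 - - [25/Mar/2025:10:02:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9100
"""

def decode_search_term(target):
    """Return the decoded search term from a request target, or None if not a search."""
    parts = urlsplit(target)
    if not parts.path.endswith(SEARCH_PATH):
        return None
    values = parse_qs(parts.query).get(SEARCH_PARAM)
    if not values:
        return None
    # parse_qs already decoded once; decode again to catch double percent-encoding.
    return unquote_plus(values[0])

def find_macro_injection(log_text):
    """Return (client_ip, status, sorted macro names) for each search carrying macro markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        term = decode_search_term(m.group("target"))
        if term is None:
            continue
        macros = sorted({name.lower() for name in MACRO_RE.findall(term)})
        if macros:
            hits.append((m.group("ip"), int(m.group("status")), macros))
    return hits

if __name__ == "__main__":
    for ip, status, macros in find_macro_injection(SAMPLE_LOG):
        print(f"{ip} status={status} macros={','.join(macros)}")
```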
Correction: FBI Image Converter Warning
The FBI's Denver office warned of online file converters, not downloadable conversion tools.
https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam
VMWare Vulnerability
Broadcom released a fix for a VMWare Tools vulnerability. The vulnerability allows users of a Windows virtual machine to escalate privileges within the machine.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518
Draytek Reboots
Over the weekend, users started reporting Draytek routers rebooting and getting stuck in a reboot loop. Draytek has now published advice on how to fix the problem.
https://faq.draytek.com.au/docs/draytek-routers-rebooting-how-to-solve-this-issue/
Microsoft Management Console Exploit CVE-2025-26633
Trend Micro released details showing how the MMC vulnerability Microsoft patched as part of its Patch Tuesday this month was exploited.
https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
Podcast Transcript
Hello and welcome to the Wednesday, March 26, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I am recording from Jacksonville, Florida. Well, today in Diaries we do have an interesting vulnerability that I saw being exploited. It affects XWiki. Wikis, of course, are always dangerous. However, the vulnerability being exploited is not in a feature that's commonly associated with dangers like uploading files or allowing users to edit a page. It's in the search feature. And in this case, actually, the search feature is open to remote code execution. The problem is that this particular wiki, and again we're talking about XWiki here, is written in Java and it does allow for output rendering transformations. The idea behind this is that part of the wiki code is essentially these templates and then as they're being sent to the user, well, they're being parsed. That's where these rendering transformations are being applied. But in the search feature, the search string also was subject to these rendering transformations. So if you searched for a Groovy, in this case, code snippet, well, that code was actually then parsed as the data was returned to the user. And that led to the remote code execution. The vulnerability is about a year old. I haven't seen a lot of exploitation against it. Just sort of now sort of bubbled to the top. Early expectations were like about in June. But only sort of, you know, individual hits against our honeypots, which sort of didn't make it to our threshold where we sort of consider it something new and noteworthy. Definitely update XWiki, make sure that it is up to date. But again, there's an older vulnerability. So nothing that's just breaking new. And then I have a correction to yesterday's podcast. Sorry, I don't have the note from the listener who actually pointed that out anymore. But the problem was the FBI's announcement about image conversion tools that actually referred to online tools.
So you're not downloading the tool here. Instead, you're uploading your image or document to a website that then does the conversion for you. The threat here is that some of these websites will basically take content from the document and exfiltrate it. But they also, when they return then the converted file, that converted file that you're then downloading may contain malware. So that was the threat here, which is something different than sort of what you usually see. And definitely more makes sense that there is this special advisory for this particular threat. And in vulnerabilities, we do have updates from VMware. This update fixes an authentication bypass in VMware Tools. The scope is a little bit more limited here. An attacker who has normal user access to a Windows virtual machine may be able to gain administrative access to that Windows virtual machine. So not necessarily sort of a jailbreak style vulnerability. Has a CVSS score of 7.8. And again, only affects VMware Tools and only on Windows. And I think it was just last week that I was looking at some Draytek vulnerabilities that were being exploited against our honeypots. Well, it looks like Draytek actually had a bad weekend with many customers reporting that their routers were stuck in a reboot loop. So Draytek makes these routers, firewall combos, and apparently a firmware update issue or something like that. It's not really specified. It did cause that reboot loop. They do suggest upgrading to the latest firmware. However, with the router rebooting, that may not be that easy. It apparently is working better if you disconnect the WAN interface. And then there's also an option to update via TFTP, which in itself can be a little bit tricky to set up. But that's sort of your last resort if the update via the web application does not work. And Trend Micro released some details regarding the Microsoft Management Console vulnerability that was patched by Microsoft this month.
This was one of the vulnerabilities that was already being exploited. So Trend Micro is now going over some of the exploits that they have seen as part of Ransom Air and how the exploit worked. There's a particularly interesting evil twin issue here where an attacker could basically give you two snap-ins for the Microsoft Management Console with the same name, trick you into loading the not evil one, and then use that to then later execute code from the evil one. More details in the blog. It's a little bit too much here for the podcast. Well, and this is it for today. If you're living in Jacksonville, today on Wednesday, I'll be speaking over lunch at the InfraGard meeting. I'll be going over some of the Internet Storm Center. Please register on their website for more details on that. Thanks for listening and talk to you again tomorrow. Bye.