
SANS Stormcast Friday, March 27th: Sitecore Exploited; Blasting Past Webp; Splunk and Firefox Vulnerabilities

If you are not able to play the podcast, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9384.mp3


Sitecore "thumbnailsaccesstoken" Deserialization Scans (and some new reports) CVE-2025-27218
Our honeypots detected a deserialization attack against the Sitecore CMS using a "thumbnailsaccesstoken" header. The underlying vulnerability was patched in January, and the security firm Searchlight Cyber published details about it a couple of weeks ago.
https://isc.sans.edu/diary/Sitecore%20%22thumbnailsaccesstoken%22%20Deserialization%20Scans%20%28and%20some%20new%20reports%29%20CVE-2025-27218/31806
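As an added example (not code from the ISC diary, the podcast, or Sitecore), the check below scans constructed honeypot-style request log lines for the thumbnailsaccesstoken header and flags values whose base64 content decodes to a .NET BinaryFormatter stream, which is what the diary and transcript describe being sent to Sitecore. The log format, addresses and token values are constructed; the 17-byte signature is the standard BinaryFormatter SerializationHeaderRecord, and truncated captures (the honeypots keep 250 characters) are handled by decoding only the intact prefix.

```python
import base64
import binascii
import re

# Header carried by the Sitecore deserialization attempts; the "key=value"
# log layout used below is constructed for this example.
HEADER_RE = re.compile(r"(?i)\bthumbnailsaccesstoken=(\S+)")

# A BinaryFormatter stream opens with a SerializationHeaderRecord: record type
# 0x00, RootId, HeaderId, MajorVersion 1, MinorVersion 0. The usual
# RootId=1 / HeaderId=-1 form is the 17 bytes below, which is the familiar
# "AAEAAAD/////AQAAAAAAAAA" base64 prefix of serialized .NET objects.
BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"


def decode_prefix(value: str) -> bytes:
    """Base64-decode as much of a header value as is intact.

    A capture may be cut off mid-value, so a trailing partial base64 quartet
    is dropped instead of rejecting the whole value.
    """
    cleaned = re.sub(r"\s+", "", value)
    cleaned = cleaned[: len(cleaned) // 4 * 4]
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return b""


def classify_token(value: str) -> str:
    """'binaryformatter' if the value starts a serialized .NET object, else 'other'."""
    if decode_prefix(value).startswith(BINARYFORMATTER_MAGIC):
        return "binaryformatter"
    return "other"


def scan_log(lines):
    """Return (line_no, verdict) for every line carrying the header."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = HEADER_RE.search(line)
        if m:
            hits.append((no, classify_token(m.group(1))))
    return hits


# Constructed sample: a serialized-object token truncated to 250 characters as a
# honeypot would store it, a benign request, and a non-serialized token value.
_FAKE_OBJECT = base64.b64encode(BINARYFORMATTER_MAGIC + b"\x0c\x02" + b"A" * 300).decode()
SAMPLE_LOG = [
    "203.0.113.7 GET /sitecore/shell/ thumbnailsaccesstoken=" + _FAKE_OBJECT[:250],
    "203.0.113.8 GET /index.html user-agent=Mozilla/5.0",
    "203.0.113.9 GET /sitecore/shell/ thumbnailsaccesstoken=dXNlcjEyMw==",
]

if __name__ == "__main__":
    for no, verdict in scan_log(SAMPLE_LOG):
        print(f"line {no}: {verdict}")
```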

Blasting Past Webp
Google's Project Zero revealed details of how the NSO BLASTPASS exploit took advantage of a WebP image parsing vulnerability in iOS. This zero-click attack was employed in targeted attacks back in 2023, and Apple patched the underlying vulnerability in September 2023. But this is the first "byte by byte" description showing how the attack worked.
https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html

Splunk Vulnerabilities
Splunk patched about a dozen vulnerabilities. None of them are rated critical, but a vulnerability rated "High" allows authenticated users to execute arbitrary code.
https://advisory.splunk.com/

Firefox 0-day Patched
Mozilla patched a sandbox escape vulnerability that is already being exploited.
https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/

Podcast Transcript

Hello and welcome to the Friday, March 28, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Well, the last couple of days I spent a little bit of time on creating a couple of new reports for the Internet Storm Center website. One of them summarizes HTTP headers. And the reason I started looking more at HTTP headers was, of course, Next.js and the header-related vulnerability. We collected the headers from our honeypots, but didn't really sort of routinely look at them. And, well, with these new reports, actually, I immediately sort of spotted one interesting header here. And that's the thumbnailsaccesstoken header. Only a couple of requests this last month with this particular header being set. Well, a little bit of research then showed that this actually attempts to exploit a vulnerability in Sitecore. Sitecore is a CMS and it uses this header for access control. The problem, however, is that the content of the header, the value, is actually a .NET object. And then it uses the BinaryFormatter class to actually extract data from this object. And that class is most famously known for being, well, subject to deserialization vulnerabilities. And that's exactly what's happening here. There was, a couple of weeks ago, a blog post by Searchlight Cyber. They initially discovered the vulnerability. The vulnerability was actually patched back in January, as far as I can tell. But not a lot of details were released by Sitecore at the time. Now, with the blog from Searchlight Cyber, we do have a proof-of-concept exploit. The one problem from our data is that we are only recording the first 250 characters of header values. But those characters are exactly matching the proof-of-concept exploit that was released by Searchlight Cyber. So, very likely, that's the point of it here. If you decode it, you also see some of that PowerShell stuff and such happening. Just not exactly sure what the attacker is trying to do here yet. But, well, about to fix this problem. And we are going to collect more of the header. Just needs a little bit of reworking of our back end. I'll be working more on these header-related reports. And tomorrow, more of them should move live. Let me know if you like them. Let me know if you have any other ideas how to slice and dice the data and how to get more value out of it.

And Ian Beer with Google Project Zero published a real nice, detailed blog post on the BlastPass exploit by NSO. NSO Group, of course, was famous for their iOS, Android, zero-day, and zero-click exploits. One of them, well, was BlastPass. And the target here was the WebP image format. WebP is quite a common, a little bit more modern image format. And as the blog post explains, it can be lossless. It can also be lossy. So you have different options here as far as compression goes. And, of course, whenever you are compressing, memory management becomes really tricky and interesting. And that's sort of exactly what this blog post is all about. What went wrong in this particular case? Now, the exploit itself is, by Internet standards, pretty old. September 2023 is when it was patched. But the underlying problems about how to properly deal with these compressed formats, I think, are still valid. And we're still seeing similar vulnerabilities in other software. So definitely, if you're into exploit development or if you are into finding these kinds of vulnerabilities in software, very good read.

And we've got about a dozen vulnerabilities being patched in Splunk. Nothing critical. Luckily, among those vulnerabilities, there is one arbitrary code execution vulnerability. However, it does require valid login credentials. So nothing here, as far as I can tell, where someone could essentially just send you some packets, some attack, and the logs as they're being parsed or so are exploiting Splunk. That's not the case here. Upgrade, definitely. Make sure you're patched. This is a critical part of your security infrastructure, likely. But again, nothing critical here.

And as far as critical vulnerabilities go, well, we have one from Mozilla for Firefox. Only a sandbox escape, but a vulnerability that's already being exploited in the wild. Well, update it or let Firefox do its self-update in order to be patched. This only affects Windows.

Well, that's it for today. Sorry for the editing issue in yesterday's podcast. Depending on when you downloaded it, you may have received a podcast that had the NPM session multiple times. Well, thanks also to those who alerted me. So I was able to fix it early this morning. But probably about half of you or so may have received the old version. Sometimes podcast apps don't necessarily update to the latest file. And typically, if you go to the website, that's sort of enough if that ever happens, where you sort of get the latest file if you just stream it from the website. Well, that's it for today. Thanks for listening and talk to you again on Monday. Bye.