SANS Stormcast Friday April 11th: Network Infraxploit; Windows Hello Broken; Dell Update; Langflow Exploit
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9404.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 5th - May 10th 2025 |
Network Monitoring and Threat Detection In-Depth | Baltimore | Jun 2nd - Jun 7th 2025 |
Network Infraxploit
Our undergraduate intern, Matthew Gorman, wrote up a walkthrough of CVE-2018-0171, an older Cisco vulnerability that is still being actively exploited. For example, Volt Typhoon recently exploited this problem.
https://isc.sans.edu/diary/Network+Infraxploit+Guest+Diary/31844
Windows Update Issues / Windows 10 Update
Microsoft updated its "Release Health" notes with details regarding issues users experienced with Windows Hello, Citrix, and Roblox. Microsoft also released an emergency update for Office 2016, which had stability problems after the most recent update was applied.
https://support.microsoft.com/en-us/topic/april-8-2025-kb5055523-os-build-26100-3775-277a9d11-6ebf-410c-99f7-8c61957461eb
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3521
https://support.microsoft.com/en-us/topic/april-10-2025-update-for-office-2016-kb5002623-d60c1f31-bb7c-4426-b8f4-69186d7fc1e5
Dell Updates
Dell released critical updates (DSA-2025-119) for its PowerScale OneFS product. In particular, it fixes a default password problem.
https://www.dell.com/support/kbdoc/en-us/000300860/dsa-2025-119-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities
Langflow Vulnerability (possible exploit scans sighted) CVE-2025-3248
Langflow addressed a critical vulnerability at the end of March. This writeup by Horizon3 demonstrates how the issue could be exploited. We have so far seen one "hit" in our honeypot logs for the vulnerable API endpoint URL.
https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/
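The core of the Langflow issue as described in the Horizon3 writeup is an unauthenticated endpoint that hands caller-supplied Python to `exec()`. The following is an added example, not Langflow's or Horizon3's code, showing a toy "validate this snippet" handler written two ways: the vulnerable form that executes the input, and a hardened form that only parses it. The names `record`, `validate_with_exec`, `validate_with_ast`, `flagged_constructs` and the `DECORATED` input are constructed for illustration; `record` stands in for any callable reachable from the server-side namespace and does nothing but log that it was reached.

```python
# Added example (not Langflow's or Horizon3's code): a toy "validate this
# Python snippet" handler written two ways. All names are constructed.
import ast

# Records anything the submitted snippet managed to execute on the "server".
SIDE_EFFECTS: list[str] = []


def record(marker: str):
    """Constructed stand-in for any callable reachable from the exec namespace.
    It logs that it ran and returns a no-op decorator so the definition succeeds."""
    SIDE_EFFECTS.append(marker)
    return lambda fn: fn


def validate_with_exec(code: str) -> bool:
    """Vulnerable pattern: 'check' the snippet by executing it.
    Every top-level statement runs, and a decorator expression is evaluated
    at function-definition time, so a snippet that merely defines a function
    can still make arbitrary calls."""
    try:
        exec(code, {"record": record})  # untrusted input reaches exec()
        return True
    except Exception:
        return False


def validate_with_ast(code: str) -> bool:
    """Hardened pattern: parse only. ast.parse() builds a syntax tree and
    evaluates nothing, so decorators, default arguments and module-level
    statements are inspected rather than run."""
    try:
        ast.parse(code)
    except SyntaxError:
        return False
    return True


def flagged_constructs(code: str) -> list[str]:
    """Optional policy layer on top of parsing: name constructs that a
    validation endpoint has no reason to accept from an anonymous caller."""
    findings = []
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append(f"import at line {node.lineno}")
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            for dec in node.decorator_list:
                findings.append(f"decorator on {node.name} at line {dec.lineno}")
    return findings


# Constructed input: a decorated function definition. Nothing is called
# explicitly, yet the decorator expression runs when exec() defines f.
DECORATED = "@record('decorator ran at definition time')\ndef f():\n    pass\n"


if __name__ == "__main__":
    print("ast  :", validate_with_ast(DECORATED), SIDE_EFFECTS)
    print("exec :", validate_with_exec(DECORATED), SIDE_EFFECTS)
    print("flags:", flagged_constructs(DECORATED))
```

Running the block shows the difference: the parse-only check accepts the snippet and leaves `SIDE_EFFECTS` empty, while the exec-based check also reports "valid" but has already run the decorator expression. The practical rule for defenders is the same one the writeup implies: never let unauthenticated input reach `exec()` or `eval()`, and if a code-validation endpoint is genuinely needed, parse without executing and keep it behind authentication.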
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Podcast Transcript
Hello and welcome to the Friday, April 11th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, when you hear about recent attacks by Volt Typhoon, the Chinese threat actor who has been compromising critical infrastructure, you usually think about cutting-edge, serity-style exploits. Sadly, that's not all there is to it. There are also a lot of good old overlooked vulnerabilities. And that's what today's diary is about. One of our undergraduate interns, Matthew Gorman, looked at CVE-2018-0171. This is, as the CVE number implies, an older vulnerability, but still currently being actively exploited by threat actors like Volt Typhoon. So, definitely something to not overlook in infrastructure. And Matthew does a great job here in walking you through some of the issues with these vulnerabilities, how it's being exploited and how to protect yourself from exploitation. Also, why some of these vulnerabilities are still a problem.

And then we got a little bit more cleanup for the Microsoft Patch Tuesday this week. There were issues with Windows Hello, most importantly. Some users experienced after rebooting their system, they could no longer log in via their PIN or via facial recognition with Windows Hello. Apparently, this affects systems where System Guard Secure Launch or Dynamic Root of Trust for Measurement, DRTM, is enabled. The solution here is to re-enroll your device. There were also updates affecting Citrix and, most importantly, some Roblox users apparently are having problems. There was also an issue with Microsoft Office crashing. This only affected systems that use the MSI-based installer for Microsoft Office. And Microsoft on Thursday did release a special update to fix this particular problem. And on a positive note, the Windows 10 version of the April updates is now available as well.

And Dell released an update for users of its network-attached storage system, PowerScale OneFS. One particular vulnerability here is worth pointing out, the CVSS score of 9.8. And it fixed, well, one of those good old backdoor passwords. So a default password is being addressed with this update. At this point, I haven't seen what the password is, but probably just a matter of time, meaning hours or a couple days, for that to become publicly known.

Well, in Horizon3, they published a detailed breakdown of a vulnerability they recently discovered in Langflow. The vulnerability was discovered end of February, was reported, and was then fixed end of March by Langflow. Version 1.30 is the safe version you want to use. The nature of this vulnerability is that Langflow has an unauthenticated API endpoint. Never a good idea. In this particular case, data is then actually being passed to a Python exec. Now, it's not super straightforward. It's not just simple Python code that you're able to execute here. You have to sort of obfuscate a little bit, make it work with this particular endpoint. And that involves the use of Python decorators. Interesting Python feature that myself, as a non-real big Python person, wasn't really familiar with. But this will walk you through how the exploit works. And yes, they do provide a proof-of-concept exploit. At this point, I see, as of today, one single hit to the particular API endpoint in our honeypots. Wouldn't call it a successful or attempted exploit. Really more recon because it doesn't appear to have the actual exploit attached sort of as a body. But still have to look at it in more detail. Definitely, if you are running Langflow, update it now. And definitely don't expose this tool to the internet. But then again, it's AI. So what could possibly go wrong?

Well, and this coming week, I will be in Orlando at our big spring event there. I'll be teaching defending web applications. I think I'm scheduled to do a quick lunch-and-learn. So if you're interested, hope to see some of you. If you're not in class with me, always usually carry some stickers around. So just stop me if you see me in the hallway. And if you're interested in some internet storms and our stickers, maybe I'll drop some on a random table in the hallways there. Well, that's it for today. So thanks again for listening and talk to you again on Monday. Bye.