SANS Stormcast Thursday, June 26th, 2025: Another Netscaler Vuln; CentOS Web Panel Vuln; IP Based Certs

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9506.mp3

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-6543
Citrix patched a memory overflow vulnerability leading to unintended control flow and denial of service.
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788

Remote code execution in CentOS Web Panel - CVE-2025-48703
An arbitrary file upload vulnerability in the user (not admin) part of Web Panel can be used to execute arbitrary code.
https://fenrisk.com/rce-centos-webpanel

Gogs Arbitrary File Deletion Vulnerability
Due to an insufficient patch for CVE-2024-39931, it is still possible to delete files under the .git directory and achieve remote command execution.
https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7
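As an added example (not code from the ISC page or the Gogs project), a small scanner that reports hosted repositories whose HEAD file is missing, empty or malformed, which is the state the transcript describes after an arbitrary file deletion under .git; the repositories built in demo() are constructed for the demonstration.

```python
"""Check the HEAD file of hosted Git repositories (added example, not from
the ISC page or the Gogs project). The advisory concerns deleting files
under .git, and a missing or truncated HEAD is the state the transcript
describes; this scanner flags repositories whose HEAD is missing, empty or
malformed. Names and contents built in demo() are constructed."""
import re
import tempfile
from pathlib import Path

# A healthy HEAD is a symbolic ref or a bare object id (SHA-1 or SHA-256).
_HEAD_OK = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})\n?$")

def head_path(repo: Path) -> Path:
    """HEAD sits at the top of a bare repo and under .git/ in a working tree."""
    dotgit = repo / ".git"
    return dotgit / "HEAD" if dotgit.is_dir() else repo / "HEAD"

def check_head(repo: Path) -> str:
    """Classify HEAD as 'ok', 'missing', 'empty' or 'malformed'."""
    path = head_path(repo)
    if not path.is_file():
        return "missing"
    data = path.read_text(encoding="utf-8", errors="replace")
    if not data.strip():
        return "empty"
    return "ok" if _HEAD_OK.match(data) else "malformed"

def scan(root: Path) -> dict:
    """Return {repo_name: status} for repositories under root whose HEAD is
    not healthy; healthy repositories are omitted from the result."""
    findings = {}
    for entry in sorted(p for p in root.iterdir() if p.is_dir()):
        if (entry / ".git").is_dir() or (entry / "objects").is_dir():
            status = check_head(entry)
            if status != "ok":
                findings[entry.name] = status
    return findings

def demo() -> dict:
    """Build constructed bare and working-tree repositories, then scan them."""
    root = Path(tempfile.mkdtemp())
    cases = {  # name -> (gitdir relative to the repo, HEAD content or None)
        "bare-ok": ("", "ref: refs/heads/main\n"), "tree-ok": (".git", "ref: refs/heads/master\n"),
        "truncated": (".git", ""), "deleted": (".git", None), "garbage": ("", "not a ref")}
    for name, (gitdir, head) in cases.items():
        d = root / name / gitdir
        (d / "objects").mkdir(parents=True)
        if head is not None:
            (d / "HEAD").write_text(head)
    return scan(root)
```

Run demo() to see the three unhealthy repositories reported; point scan() at the directory where a Gogs instance keeps its bare repositories to check a real host.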


Let’s Encrypt Will Soon Issue IP Address-Based Certs
Let’s Encrypt is almost ready to issue certificates for IP address SANs from Let's Encrypt's production environment. They'll only be available under the short-lived profile (which has a 6-day validity period), and that profile will remain allowlist-only for a while.
https://community.letsencrypt.org/t/getting-ready-to-issue-ip-address-certificates/238777
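As an added example (not code from Let's Encrypt or the ISC page), the checks a client connecting by IP address should make against such a certificate: match the peer address against the IP Address SAN entries, and confirm the lifetime fits the 6-day short-lived profile. The certificate dict is constructed in the layout returned by Python's ssl getpeercert(); the addresses are from the documentation ranges.

```python
"""Validate a TLS certificate presented for a bare IP address (added
example, not from Let's Encrypt or the ISC page). Let's Encrypt will issue
IP-address SANs only under its short-lived (6-day) profile, so a client that
connects by IP should match the peer IP against an 'IP Address' SAN entry
rather than any hostname logic, and should expect a lifetime short enough
that renewal has to run daily. SAMPLE_CERT follows the dict layout of
ssl.SSLSocket.getpeercert() and is constructed, not a real certificate."""
import ipaddress
import ssl

SHORT_LIVED_MAX_SECONDS = 6 * 24 * 3600  # profile limit named in the announcement

SAMPLE_CERT = {  # constructed; addresses come from the documentation ranges
    "subject": ((("commonName", "203.0.113.10"),),),
    "subjectAltName": (("IP Address", "203.0.113.10"), ("IP Address", "2001:DB8::10")),
    "notBefore": "Jun 26 00:00:00 2025 GMT",
    "notAfter": "Jul 02 00:00:00 2025 GMT",
}

def ip_sans(cert: dict) -> list:
    """Parsed IP-address SAN entries; DNS names are skipped and an address in
    the CN alone is deliberately ignored."""
    return [ipaddress.ip_address(value) for kind, value in cert.get("subjectAltName", ())
            if kind == "IP Address"]

def matches_ip(cert: dict, peer_ip: str) -> bool:
    """True when peer_ip equals one of the IP SANs. Comparing parsed addresses
    makes 2001:DB8::10 and 2001:db8:0:0::10 compare equal."""
    target = ipaddress.ip_address(peer_ip)
    return any(san == target for san in ip_sans(cert))

def validity_seconds(cert: dict) -> int:
    """Certificate lifetime derived from the notBefore/notAfter strings."""
    return (ssl.cert_time_to_seconds(cert["notAfter"])
            - ssl.cert_time_to_seconds(cert["notBefore"]))

def check_ip_cert(cert: dict, peer_ip: str) -> dict:
    """Verdict for a by-IP connection: does a SAN cover the peer address, and
    does the lifetime fit the short-lived profile (so renewal must be automated)."""
    life = validity_seconds(cert)
    return {"ip_matches": matches_ip(cert, peer_ip),
            "short_lived": life <= SHORT_LIVED_MAX_SECONDS,
            "validity_days": life / 86400}
```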


Podcast Transcript

 Hello and welcome to the Thursday, June 26, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, and this episode, brought to you by
 the SANS.edu Graduate Certificate Program in
 Cybersecurity Engineering, is recorded in Stockheim,
 Germany. And yes, we do have another vulnerability from
 Citrix, Citrix Netscaler. I just talked about a
 vulnerability that allowed session credentials to leak a
 couple days ago. This one is just a denial of service
 vulnerability, still a critical CVSS score. And this
 vulnerability apparently is already being exploited. Just
 like the session leak vulnerability, this particular
 vulnerability affects any Netscaler that is configured
 as a gateway. So a VPN virtual server, an ICA proxy, a CVPN,
 RDP proxy, which is a very common configuration for these
 types of devices. So definitely pay attention to
 this. Also, end-of-life versions of Netscaler are
 vulnerable. But of course, there's no patch necessarily
 available for them. Patches have been made available now
 for the currently supported versions. And you should
 definitely be applying them quickly given that this
 vulnerability may already be exploited. And companies that
 offer servers for rent often use a software package called
 WebPanel in order to manage CentOS servers. This package
 has two parts. One is the admin part that only the
 administrator is supposed to log into and, of course, gains
 administrator privileges to the server. And then there is
 a user panel that the user can use to essentially manage
 their own website on that particular server. And the
 intent is that you have multiple users share the
 server. And WebPanel is supposed to keep those users
 apart, which, of course, is always a little bit tricky. In
 particular, in this case, WebPanel suffered from an
 arbitrary file upload vulnerability. This allows an
 attacker to, for example, upload .bashrc files and such
 into other users' directories. And that can then lead to
 arbitrary code execution as this other user. This
 vulnerability has been addressed, has been fixed,
 proof-of-concept exploits, and a detailed description is
 available. So this is a vulnerability that you should
 consider being exploited at this point. And one particular
 case where you want to pay attention here is if you're
 not administering a server via WebPanel, but you're using a
 server that is administered via WebPanel, you still want
 to make sure that the version of WebPanel is being updated
 because your data may be at risk on that server, even
 though, of course, you can't do anything other than notify
 the administrator to please apply the update. And Gogs is
 a somewhat popular, even though not really very
 well-maintained, Git server. If you want a nice web-based
 interface for Git, that's sort of one of the self-hosted
 options that you have. Well, they suffered from an
 arbitrary file deletion vulnerability they just
 patched. This is related to a vulnerability they patched
 almost a year ago. SonarQube back then published a nice
 blog with details about the vulnerability and how to
 exploit it. But as they patched this vulnerability,
 well, they didn't properly consider symlinks, which now
 led to this second vulnerability. The problem
 with Git repositories is if you can delete or truncate
 arbitrary files, you may be able, and that's the case
 here, to delete the HEAD file. So the .git slash HEAD file.
 Once you truncate or delete that file, then the Git
 repository is invalid. It's considered a plain repository.
 You can now adjust configurations in that
 repository, which will lead to arbitrary code execution. So
 not just file deletion here. It's a direct path to
 arbitrary code execution. And SonarQube showed that nicely
 in their blog from a year ago. And Let's Encrypt announced
 that they're almost ready to start issuing IP address-based
 certificates. This is a major departure from sort of
 traditional TLS certificates. Usually, they include a
 hostname or multiple hostnames. But now you may
 also include an IP address. And of course, that's
 important for devices and such that may not have a hostname.
 Now, there are some constraints around this. First
 of all, the certificates will only be valid for six days.
 There will also be an allow list process. So you have to
 basically apply to be part of the allow list in order to use
 these certificates. At this point, they have issued a
 sample certificate, which is meant to be used for testing.
 They apparently also ran into some compatibility issues
 here already with some browsers. They don't have a
 fixed timeline yet for when they will start issuing the
 certificates. But again, this post here by Let's Encrypt
 staff said that they are getting ready to issue these
 certificates soon. Well, that's it for today. Thanks
 for listening. And as always, thanks for recommending, for
 liking, for subscribing. And talk to you again tomorrow.
 Bye. Bye.