
SANS Stormcast Friday, June 27th, 2025: Open-VSX Flaw; Airoha Bluetooth Vulnerability; Critical Cisco Identity Service Engine Vuln;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9508.mp3


Open-VSX Flaw Puts Developers at Risk
A flaw in the open-vsx extension marketplace could have led to the compromise of any extension offered by the marketplace.
https://blog.koi.security/marketplace-takeover-how-we-couldve-taken-over-every-developer-using-a-vscode-fork-f0f8cf104d44

Bluetooth Vulnerability Could Allow Eavesdropping
A vulnerability in the widely used Airoha Bluetooth chipset can be used to compromise devices and use them for eavesdropping.
https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/

Critical Cisco Identity Services Engine Vulnerability
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

Podcast Transcript

 Hello and welcome to the Friday, June 27th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, and this episode, brought to you by
 the SANS.edu Graduate Certificate Program in Purple
 Team Operations, is recorded in Stockheim, Germany. Well, we
 got a big supply chain security story to start out
 with today. This story was broken by Koi Security. The
 problem here is the use of Visual Studio Code clones.
 Now, Visual Studio Code, of course, is a Microsoft
 product. It comes with its own extension store and this
 extension store has had issues in the past. We talked about
 this here in this podcast a couple of times, but there are
 a couple of clones like, for example, Cursor, the editor
 used a lot with AI projects. And the Cursor, because it's
 not a Microsoft product, but it is a clone of Visual Studio
 Code, cannot use the official Microsoft extension store. In
 order to fix this, well, we have OpenVSX. OpenVSX is an
 extension store for all these different Visual Studio Code
 clones that cannot use the official Microsoft store. The
 problem with OpenVSX was that they had two different ways
 a developer could update an extension. One is where you
 basically just upload the extension to them. But then
 there's another, a little bit more convenient way of doing
 it where they are auto-updated. And you basically
 just add your extension to the list of extensions for OpenVSX
 to auto-update. And then whenever it recognizes there
 is a new version, it will download your extensions and
 then it will run npm install. And that's where the problem
 happens. With npm install, the GitHub action that OpenVSX
 uses to update the extensions, well, it's actually executing
 code provided by the developer of the extension. And that
 code has access to the secret token that's being used by
 this GitHub action. And as a result, could basically
 update, alter any other extension published in
 OpenVSX, putting that entire ecosystem at risk. So it's a
 little bit different than some of the prior supply chain
 issues with extensions. Usually it was a malicious
 developer that sort of bypassed whatever checking
 happens or doesn't happen in these extension stores to
 publish a particular extension. But with this flaw
 in the mechanism, how these extensions are actually being
 maintained, an attacker could very well modify any trusted,
 often used extension. And for example, add malicious code.
 So pretty big deal here. Luckily, Koi Security worked
 with OpenVSX to have them fix this particular flaw. And it
 should be good now. And researchers from German
 security company ERNW did publish an initial brief blog
 post outlining three different Bluetooth vulnerabilities that
 they found in chipsets made by Airoha. If I pronounce this
 name correctly, could also be AI or Airoha. I'm not really
 sure. But the big problem here is that these chipsets are,
 first of all, used in a number of large name brand headsets,
 like for example, Bose and Sony and others. And the
 vulnerabilities do allow for a compromise of the headset, in
 particular for the use of the headset as an eavesdropping
 device. The problem here is in part a custom protocol that
 this chipset implements that allows direct memory
 manipulation of the headset. And well, to make things more
 interesting, authentication for this protocol is flawed or
 not quite present. And these details are not yet really
 made public. But with this, an attacker is then able to
 essentially pair to the headset and use it, for
 example, as a microphone to listen in. Now, if the headset
 is already paired with another device, this connection would
 be disrupted. So that would be notable to a victim if all of
 a sudden their headset no longer works, no longer
 connected to their phone or whatever they have it
 connected to. But in particular, if the headset is
 just idle, it would, of course, be fairly easy then in
 the terms of like not being noticeable for an attacker to
 actually then hijack the headset and use it as a
 microphone. All of these attacks, of course, require
 that the attacker is within Bluetooth distance of the
 victim. And Airoha did publish patches for their software
 development kit in order to fix these issues. But of
 course, they now have to be rolled out into firmware and
 such to make them actually available to end users for all
 of the affected devices. And Cisco released updates for its
 identity services engine. And this update among a number of
 not so critical vulnerabilities does address
 two critical vulnerabilities that allow unauthenticated
 remote code execution. So the CVSS score for these
 vulnerabilities is a perfect 10 and an attacker could
 completely compromise this critical part of your network
 security. This is certainly something that you probably
 want to address before going away for the weekend if you
 are running this particular solution. Well, and that's it
 for today. So thanks for listening. Hope to see some of
 you at SANSFIRE if you aren't registered yet. Well, it's
 still not too late. We'll start in about three weeks, I
 think, is when SANSFIRE will start in Washington, D.C.
 And of course, there's also an option to attend classes and
 many of the additional events online. But we do have some
 special on-site events, for example, our Honeypot
 Workshop, where we'll give away a few Honeypots for
 anybody interested in running them. That's it for today.
 Thanks for listening and talk to you again on Monday. Bye.