SANS Stormcast Tuesday, July 22nd, 2025: SharePoint Emergency Patches; How Long Does Patching Take; HPE Wifi Vuln; Zoho WorkDrive Abused
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9536.mp3

My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
Microsoft Released Patches for SharePoint Vulnerabilities CVE-2025-53770 and CVE-2025-53771
Microsoft released patches for the actively exploited SharePoint vulnerability, currently for SharePoint Server Subscription Edition and SharePoint Server 2019; no update is available yet for SharePoint Server 2016. It also assigned a second CVE: CVE-2025-53770 covers the .NET deserialization flaw, and CVE-2025-53771 covers the authentication bypass. Both are triggered in a single request, so treat any exposed server that was unpatched as compromised rather than merely patching it.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
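The transcript below describes the exploit's request shape (a POST whose Referer header points at the SharePoint sign-out page, carrying a ysoserial.net-generated payload) and warns against matching on the payload itself. The following is an added example, not code from the podcast, Microsoft, or any vendor, that hunts IIS W3C logs for that shape instead of the body. The log lines are constructed; the ToolPane.aspx target path in the two suspicious lines and the sign-out page paths matched by the regex (/_layouts/SignOut.aspx, /_layouts/15/SignOut.aspx) are assumptions drawn from public reporting rather than from this page.

```python
"""Hunt IIS W3C logs for the CVE-2025-53770 exploit shape: a POST whose
Referer is the SharePoint sign-out page. The body varies (ysoserial.net
output), so the rule keys on request shape, not payload bytes."""
import re
from collections import defaultdict

# Constructed sample, not a real capture. IIS writes spaces in
# cs(User-Agent) as '+'. The ToolPane.aspx path and the sign-out page
# paths are assumptions taken from public reporting, not from the podcast.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2025-07-21 03:12:07 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr 200 31
2025-07-21 03:12:09 10.0.0.5 POST /sites/hr/_layouts/15/listform.aspx PageType=8&ListId=1 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr/Lists/Tasks 200 88
2025-07-21 03:14:41 10.0.0.5 GET /_layouts/15/SignOut.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr 302 12
2025-07-21 03:20:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://sp.contoso.local/_layouts/SignOut.aspx 200 412
2025-07-21 03:20:05 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 python-requests/2.32.3 https://sp.contoso.local/_layouts/15/SignOut.aspx 200 397
"""

# Sign-out page with or without the version segment (/_layouts/15/...).
SIGNOUT = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip truncated or malformed lines
                rows.append(dict(zip(fields, parts)))
    return rows


def referer_path(referer):
    """Reduce a Referer URL to its path (drop scheme, host, query, fragment)."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", referer, flags=re.IGNORECASE)
    return no_scheme.split("?", 1)[0].split("#", 1)[0]


def find_toolshell_shape(rows):
    """Flag POSTs whose Referer is the sign-out page, whatever the target or body."""
    hits = []
    for r in rows:
        if r.get("cs-method", "").upper() != "POST":
            continue
        if SIGNOUT.search(referer_path(r.get("cs(Referer)", "-"))):
            hits.append(r)
    return hits


def summarize(hits):
    """Group hits by client IP: request count, distinct user agents, target URIs."""
    by_ip = defaultdict(lambda: {"count": 0, "user_agents": set(), "uris": set()})
    for h in hits:
        entry = by_ip[h["c-ip"]]
        entry["count"] += 1
        entry["user_agents"].add(h["cs(User-Agent)"])
        entry["uris"].add(h["cs-uri-stem"])
    return dict(by_ip)


if __name__ == "__main__":
    for ip, info in summarize(find_toolshell_shape(parse_w3c(SAMPLE_LOG))).items():
        print(ip, info["count"], sorted(info["user_agents"]), sorted(info["uris"]))
```

Run it over the exported IIS logs from every SharePoint front end. A single POST with that Referer deserves a look, because the sign-out page does not normally originate POSTs to other pages; grouping by client IP and user agent surfaces retries with regenerated payloads, which is exactly the case a payload-specific signature misses.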
How Quickly Are Systems Patched?
Jan used Shodan data to check how quickly recently disclosed vulnerabilities are being patched across the internet. The short answer: not fast enough.
https://isc.sans.edu/diary/How%20quickly%20do%20we%20patch%3F%20A%20quick%20look%20from%20the%20global%20viewpoint/32126
HPE Instant On Access Points Vulnerabilities
HPE patched two vulnerabilities in its Instant On access points (the Aruba-branded line). One is an authentication bypass; the other allows arbitrary code execution but requires administrator access. Chained, they give an unauthenticated attacker code execution as admin, so do not let the SharePoint news cycle push this patch down the list.
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us
Revealing the AppLocker Bypass Risks in the Suggested Block-list Policy
Microsoft's suggested AppLocker block-list policy contains a typo that can let a deny rule be bypassed. While reviewing the configuration, Varonis Threat Labs noticed that the MaximumFileVersion field was set to 65355 instead of the expected 65535. Each of the four parts of a file version is a 16-bit value, so the deny rule covers versions only up to 65355.x.x.x and leaves 65356 through 65535 unmatched; a binary carrying one of those versions slips past the block rule. Whether it then actually runs depends on the rest of the policy, so the bypass only matters if signature (publisher) rules are not enforced alongside the block list.
https://www.varonis.com/blog/applocker-bypass-risks
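As an added example (not Varonis's or Microsoft's code), the script below audits an AppLocker policy export for Deny publisher rules whose upper version bound stops short of 65535.65535.65535.65535, shows that a binary versioned above the typo'd bound falls outside the range, and emits a corrected copy with an open-ended HighSection. The policy fragment is constructed to mirror the element layout of an AppLocker publisher rule; its rule names, GUIDs and binary names are illustrative, and the version comparison is modelled as a four-part numeric comparison. A real policy can be exported with `Get-AppLockerPolicy -Effective -Xml` in PowerShell.

```python
"""Audit an AppLocker policy export for Deny publisher rules whose
BinaryVersionRange does not reach the top of the version space
(the 65355-vs-65535 typo), and produce a corrected copy."""
import xml.etree.ElementTree as ET

VERSION_MAX = 65535  # each of the four file-version parts is a 16-bit value

# Constructed sample modelled on the layout of an AppLocker publisher rule.
# Rule names, GUIDs and binary names are illustrative, not the real block list.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Block MSBUILD" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSBUILD.EXE">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="65355.65535.65535.65535" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Block WMIC" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="WMIC.EXE">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""


def parse_version(text):
    """'1.2.3.4' -> (1, 2, 3, 4); '*' (open-ended) -> None."""
    if text == "*":
        return None
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4 or any(not 0 <= p <= VERSION_MAX for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return parts


def version_in_range(version, low, high):
    """Four-part numeric comparison, '*' on either end is unbounded (modelled, see lead-in)."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    if lo is not None and v < lo:
        return False
    if hi is not None and v > hi:
        return False
    return True


def _short_high_sections(root):
    """Yield (rule, condition, range) for Deny rules whose HighSection is a
    literal version below 65535.65535.65535.65535."""
    for rule in root.iter("FilePublisherRule"):
        if rule.get("Action") != "Deny":
            continue
        for cond in rule.iter("FilePublisherCondition"):
            rng = cond.find("BinaryVersionRange")
            if rng is None:
                continue
            high = rng.get("HighSection", "*")
            if high != "*" and parse_version(high) != (VERSION_MAX,) * 4:
                yield rule, cond, rng


def audit_policy(xml_text):
    """Return one finding per deny rule with a short upper bound, including how
    many leading-part version numbers the rule leaves completely uncovered."""
    findings = []
    for rule, cond, rng in _short_high_sections(ET.fromstring(xml_text)):
        high = rng.get("HighSection")
        findings.append({
            "rule": rule.get("Name"),
            "binary": cond.get("BinaryName"),
            "high": high,
            "uncovered_major_versions": VERSION_MAX - parse_version(high)[0],
        })
    return findings


def fix_policy(xml_text):
    """Return the policy with every short HighSection replaced by '*' (open-ended)."""
    root = ET.fromstring(xml_text)
    for _rule, _cond, rng in _short_high_sections(root):
        rng.set("HighSection", "*")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['rule']} ({f['binary']}): HighSection {f['high']} leaves "
              f"{f['uncovered_major_versions']} major versions unblocked")
    print("covered by typo'd range:", version_in_range("65400.0.0.0", "0.0.0.0", "65355.65535.65535.65535"))
    print("findings after fix:", audit_policy(fix_policy(SAMPLE_POLICY)))
```

The audit reports the MSBUILD rule and the 180 major versions (65356 through 65535) it fails to cover, while the WMIC rule with an open-ended bound passes. The corrected policy is only half of the fix: as the write-up notes, whether an out-of-range binary actually executes is decided by the allow rules, so keep them publisher-based so that an unsigned or differently signed file is refused regardless of its version string.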
Ghost Crypt Malware Leverages Zoho WorkDrive
eSentire reports Ghost Crypt, a crypter used to deliver PureRAT, being distributed through links to files hosted on Zoho WorkDrive. Because many small businesses use and trust Zoho, victims are more likely to download from it than from a random file-sharing site; do not blanket-exclude such legitimate services in detection rules.
https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Podcast Transcript
Hello and welcome to the Tuesday, July 22nd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Master's Degree Program in Information Security Engineering.

And of course, well, SharePoint, let's start with that. Microsoft has some nice updates about this particular problem. And there are patches available now if you're using the SharePoint Server Subscription Edition or SharePoint Server 2019. For 2016, at this point, there are no updates available yet, but you are vulnerable. So assume compromise at this point. There are plenty of working exploits that have been made public for this particular vulnerability. Also, don't be too specific in your detection rules on the payload. Payloads can easily be generated using the .NET version of ysoserial, a common tool to exploit deserialization attacks in .NET. There are also now two CVEs, CVE-2025-53770 and CVE-2025-53771. The first CVE is for the deserialization vulnerability. The second CVE, the 771 CVE, is for the authentication bypass problem. So we are back to two vulnerabilities here. But note, it only takes one request to exploit them both. In order to exploit this vulnerability, you essentially first set the Referer header to the sign-out page for the SharePoint instance. And that's, well, the same across different versions. And then you basically just include the .NET deserialization payload as the payload of the POST request. Again, assume compromise when you're patching this vulnerability. We'll have a bit more guidance and such probably over the next couple of days as I'm able to pull a couple more details together. I'm just setting up a SharePoint server to be able to play with this vulnerability and the patch, to see how well it works and if it defends adequately against the exploits that are currently going around.

And whenever we do have a critical vulnerability like SharePoint that sort of takes over the news cycle, there is a danger that you're missing out on some of the important but not quite as visible vulnerabilities. One example: two vulnerabilities that HP patched in its Instant On access points. These are what's known as Aruba, based on the brand of access points that HP bought. And there are two vulnerabilities here. One is an authentication bypass vulnerability. The second one is a remote code execution vulnerability, but it requires admin access. However, given that we do have that authentication bypass vulnerability, if you combine the two, you get full remote code execution as administrator. And yes, patches are available from HP.

And security company Varonis found an interesting and almost funny little bug in AppLocker policies. So AppLocker is the Windows tool that allows you to block the execution of untrusted binaries. You may essentially have sort of an allow list or application control list that allows only specific binaries to run. Now, if you're blocking a particular binary, there is a sample policy that is often used, and it specifies the minimum and maximum file version. File versions in AppLocker are specified as four numbers. Each number may have up to 16 bits. Well, in the example, the maximum file version is 65,355, while the largest possible 16-bit number is 65,535. So not 355. So there are about 200 version numbers here missing. And that sort of opens things up for an attacker to basically release a version with one of these very high version numbers, and then bypass the block list. However, as pointed out in the article by Varonis, you should also enforce application signatures for your AppLocker configuration, and that would then basically still prevent the malicious binary from running because, well, it's not properly signed.

And it's not just free file transfer services that are being abused by attackers. Zoho WorkDrive has written up an interesting event where they found the Ghost Crypt malware being distributed via Zoho WorkDrive. Zoho WorkDrive is a commercial feature by Zoho. Of course, a lot of smaller businesses use and trust Zoho, so they're more likely then to actually download these malicious files than, let's say, from some kind of random download server that we often see, like some kind of free file sharing service. Definitely something to mention for awareness. And if you're writing any detection rules and such, be careful with excluding services like this. Yes, these are not malicious services, but they may very well be abused by malicious actors in order to deliver files like this. Well, and this is it for today. So thanks again for listening and talk to you again tomorrow. Bye.