
SANS Stormcast Friday, July 25th, 2025: ficheck.py; Mitel and SonicWall Patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9542.mp3


New File Integrity Tool: ficheck.py
Jim wrote ficheck.py, a Python file-integrity checker. It is a drop-in replacement for the older Perl tool fcheck (fcheck.pl), which no longer runs well on modern Linux distributions, and it reads fcheck's existing configuration file, so a working fcheck setup can be reused as-is. It is aimed at quick, ad-hoc integrity checks during an investigation rather than at replacing a full host-based monitoring agent.
https://isc.sans.edu/diary/New%20Tool%3A%20ficheck.py/32136
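As an added illustration of what a tool like this does (this is example code written for this page, not ficheck.py itself, whose source is only linked above), the script below records a SHA-256 digest plus mode, owner, size and mtime for every regular file under the given directories, then compares a later scan against that baseline. Function names, the JSON baseline layout and the command-line usage are this example's own choices, not the ISC tool's.

```python
"""
A small file-integrity checker in the spirit of fcheck/ficheck.py.

Added example, not the ISC tool: function names, the JSON baseline
layout and the CLI below are this example's own choices. It records a
SHA-256 digest plus mode/owner/size/mtime for every regular file under
the given directories and reports files that were added, removed or
modified relative to a saved baseline.
"""
import hashlib
import json
import os
import stat
import sys
from pathlib import Path

USAGE = "usage: fic.py init BASELINE.json DIR...  |  fic.py check BASELINE.json DIR..."


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def excluded(path: str, exclude) -> bool:
    """True if path is an excluded entry or lies below an excluded directory."""
    for ex in exclude:
        ex = ex.rstrip(os.sep)
        if path == ex or path.startswith(ex + os.sep):
            return True
    return False


def snapshot(roots, exclude=()):
    """Return {path: attributes} for every regular file under roots.

    os.walk does not follow symlinked directories by default, so a planted
    link cannot drag the scan outside the monitored tree. Entries listed in
    `exclude` (e.g. log directories that legitimately change) are pruned
    before they are hashed.
    """
    result = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames[:] = [d for d in dirnames
                           if not excluded(os.path.join(dirpath, d), exclude)]
            for name in filenames:
                p = Path(dirpath, name)
                key = str(p)
                if excluded(key, exclude):
                    continue
                st = p.lstat()
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, sockets and devices are not hashed
                result[key] = {
                    "sha256": sha256_file(p),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "size": st.st_size,
                    "mtime": int(st.st_mtime),
                }
    return result


def compare(baseline, current):
    """Diff two snapshots.

    'modified' maps path -> list of attribute names that differ. The digest
    is compared independently of size and mtime, so a replaced binary that
    was padded to the original size and timestomped still shows up under
    'sha256'.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k, v in baseline[path].items() if current[path].get(k) != v]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def main(argv):
    # Keep the baseline file off the monitored host, or at least read-only:
    # an intruder who can rewrite it can make any change look legitimate.
    if len(argv) < 4 or argv[1] not in ("init", "check"):
        print(USAGE)
        return 2
    mode, baseline_path, roots = argv[1], Path(argv[2]), argv[3:]
    if mode == "init":
        baseline_path.write_text(json.dumps(snapshot(roots), indent=1, sort_keys=True))
        return 0
    diff = compare(json.loads(baseline_path.read_text()), snapshot(roots))
    for kind in ("added", "removed"):
        for p in diff[kind]:
            print(f"{kind.upper():9} {p}")
    for p, attrs in diff["modified"].items():
        print(f"MODIFIED  {p} ({', '.join(attrs)})")
    return 1 if any(diff.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `fic.py init base.json /usr/bin /etc` on a known-good system, store base.json somewhere the host cannot write to, and later run `fic.py check base.json /usr/bin /etc`; a non-zero exit means something changed. The value of such a tool during incident response is exactly the use the episode describes: with a trustworthy baseline you can quickly rule files out of an investigation, and the hash comparison catches replacements that a size-and-timestamp check alone would miss.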

Mitel Vulnerability
Mitel patched an authentication bypass in its MX-ONE product. Exploitation could give an attacker user or even admin access to the system. Mitel's advisory also recommends not exposing MX-ONE directly to the internet; restrict access to administrators even on the internal network.
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009

SonicWall SMA 100 Vulnerability
SonicWall fixed an arbitrary file upload vulnerability (CVSS 9.1) in its SMA 100 series secure remote access appliances. Exploitation requires administrative credentials, but given last week's report of SMA 100 devices being compromised with stolen credentials, the bug is a plausible route to persistence on a device an attacker can already log in to.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014


Podcast Transcript

 Hello and welcome to the Friday, July 25th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu undergraduate certificate program in
 cybersecurity fundamentals. Jim's diary today is about a
 new tool that he wrote. Well, it's really sort of a rewrite
 of an older tool. There used to be a tool, and while it's
 still around, fcheck.pl. It's a simple file integrity check
 tool. The only problem with it is, well, it's old, but it's
 also written in Perl. And sadly, Perl is fading away a
 little bit. And this tool did no longer run well in modern
 Linux distributions. Now, instead of spending the time
 on fixing the older tool, which again relies on Perl,
 Jim decided to take a more modern approach and rewrite
 the tool in Python. It works fast. It performs well. And it
 still uses the old configuration file. So it
 should be a pretty simple drop-in replacement. File
 integrity checking, of course, is always an important part of
 incident response and also of detection. There are lots of
 other tools. Tripwire sort of is one of the original
 commercial tools here. AIDE is in a lot of Linux distributions.
 OSSEC, and with that, tools like Wazuh also do file
 integrity checks. But sometimes it's nice to have
 sort of a little Python script like this to just drop it on a
 system, do some quick investigation, maybe excluding
 some files during an investigation by determining
 that they have not been altered if you have a good
 configuration file for that particular system. Well, and
 then a quick update on SharePoint. Nothing really
 fundamentally new or different here. The one thing that's
 happening now that we're seeing in our honeypots is
 that more and more scans are attempting to hit some of the
 web shells back doors that have been left behind. I
 consider them parasitic scans. They're basically looking for
 already compromised systems and trying to take advantage
 of them. Some of them are just guessing also file names. For
 example, one of the early file names being installed or being
 used for the back door that revealed the machine key was
 spinstall1.aspx. Well, they're now just varying the number,
 seeing what happened there. Also, one interesting one here
 I saw is like error404.1.aspx. Maybe someone trying to fit in
 with some sort of normal files on the server in order to
 maybe trick an investigator to miss a particular back door.
 But that's sort of expected for these kind of attacks
 where after a day or so, we have parasitic attacks that
 just look for basically back doors left behind by earlier
 attacks. And well, then a couple of patches or
 vulnerabilities that you should be aware of ahead of
 the weekend. First one is in Mitel's MX-ONE product. It's an
 authentication bypass that could allow an attacker to get
 full user admin access to the system, which of course is
 used to basically manage part of your voice over IP
 infrastructure. So if you're using Mitel equipment, make
 sure that if you also use MX-ONE, that it's properly patched and
 up to date. There's also one of those systems, and Mitel
 mentions that in its mitigation section, that you
 shouldn't really expose to the internet. And well, anyway,
 just keep it patched, keep it locked down and away from any
 user that's not supposed to connect to it, even
 internally, if possible. And if you are using SonicWall's
 SMA100 product line, there is also a critical update for
 you. Now, I was a little bit on the fence whether or not I
 should cover this particular vulnerability. It does have a
 high CVSS score with 9.1. However, it does require admin
 credentials in order to exploit the vulnerability. The
 reason I decided to actually cover it is we just had last
 week a story from Google's Threat Analysis Center that
 they have observed a lot of compromises of SMA100 devices
 using stolen credentials. And this would be sort of the
 vulnerability that you would use then in order to gain
 persistent access to the device beyond just adjusting a
 couple of configuration settings. So that's why you
 probably should take this vulnerability seriously. And
 well, if you run any device like this, let's just say if
 you run any SonicWall device, just take that as a quick
 reminder to double check that the firmware is up to date.
 Well, and that's it for today. Thanks for liking. Thanks for
 subscribing. Thanks for leaving good reviews in your
 favorite podcast platform. That's it for this week. And
 thanks for listening and talk to you again on Monday. Bye. Bye.
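The parasitic scanning described in the transcript (scanners guessing at backdoor names such as spinstall1.aspx with the number varied, or error404.1.aspx) is easy to hunt for in web server logs. The script below is an added example, not ISC code: it parses combined-log-format lines, matches request paths against those two name families, and separates the two cases a responder cares about, sources that enumerate several candidate names (probing) and requests for such a name that the server answered 200 (a backdoor that is actually present). The log lines, IP addresses, user agents and the /_layouts/15/ directory are constructed for the example.

```python
"""
Spotting "parasitic" web-shell probes in a web server log.

Added example, not ISC code. Request paths are matched against the
backdoor name families mentioned in the episode (spinstall<N>.aspx,
error404[.N].aspx). Sources requesting several such names are reported
as scanners; any such request the server answered 200 is reported as a
live hit. All sample log data below is constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Name families from the episode: spinstall<N>.aspx and error404.<N>.aspx.
SHELL_RE = re.compile(r'(?:^|/)(?:spinstall\d*|error404(?:\.\d+)*)\.aspx$', re.I)

# Constructed sample lines (combined log format); not honeypot data.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jul/2025:10:01:02 +0000] "GET /_layouts/15/spinstall0.aspx HTTP/1.1" 404 1234 "-" "python-requests/2.32"
203.0.113.5 - - [25/Jul/2025:10:01:02 +0000] "GET /_layouts/15/spinstall1.aspx HTTP/1.1" 404 1234 "-" "python-requests/2.32"
203.0.113.5 - - [25/Jul/2025:10:01:03 +0000] "GET /_layouts/15/spinstall2.aspx HTTP/1.1" 404 1234 "-" "python-requests/2.32"
198.51.100.7 - - [25/Jul/2025:10:05:44 +0000] "GET /_layouts/15/error404.1.aspx HTTP/1.1" 200 87 "-" "curl/8.5.0"
192.0.2.9 - - [25/Jul/2025:10:06:10 +0000] "GET /sites/docs/default.aspx HTTP/1.1" 200 55210 "-" "Mozilla/5.0"
"""


def parse(line):
    """Parse one combined-log-format line; return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def analyze(lines, min_names=2):
    """Return {'scanners': {ip: [names]}, 'live_hits': [(ip, path)]}.

    min_names is the number of distinct backdoor names a source must
    request before it is reported as enumerating.
    """
    names_by_ip = defaultdict(set)
    live_hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or not SHELL_RE.search(rec["path"]):
            continue
        names_by_ip[rec["ip"]].add(rec["path"].rsplit("/", 1)[-1].lower())
        if rec["status"] == 200:
            # A 200 for a guessed backdoor name is the finding that matters:
            # the file exists, so this host was compromised earlier.
            live_hits.append((rec["ip"], rec["path"]))
    scanners = {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= min_names}
    return {"scanners": scanners, "live_hits": live_hits}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip, names in report["scanners"].items():
        print(f"probing source {ip}: {', '.join(names)}")
    for ip, path in report["live_hits"]:
        print(f"LIVE BACKDOOR? {path} served 200 to {ip}")
```

The 404s tell you who is scanning; the 200s tell you whether you are already one of the victims they are looking for. Treat any 200 for one of these names as an incident, not as noise, and extend SHELL_RE as new variants appear rather than pinning it to the exact names seen so far.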