
SANS Stormcast Tuesday, August 12th, 2025: Erlang OTP SSH Exploits (Palo Alto Networks); Winrar Exploits; Netscaler Exploits; OpenSSH Pushing PQ Crypto;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9566.mp3


Erlang OTP SSH Exploits
A recently patched and easily exploited vulnerability in Erlang/OTP SSH is being exploited in the wild. Palo Alto Networks has collected some details about the exploit activity it observed.
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/

WinRAR Exploited
A WinRAR vulnerability is being actively exploited by a number of threat actors. It allows a crafted archive to create files in arbitrary locations as the archive is extracted.
https://thehackernews.com/2025/08/winrar-zero-day-under-active.html

Citrix Netscaler Exploit Updates
The Dutch National Cyber Security Centre (NCSC-NL) is updating its guidance on recent Citrix NetScaler attacks. Note that the attacks started before a patch became available, and the attackers are actively hiding their tracks to make a compromise more difficult to detect.
https://www.ncsc.nl/actueel/nieuws/2025/07/22/casus-citrix-kwetsbaarheid
https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler-flaw-cve-2025-6543-exploited-to-breach-orgs/

OpenSSH Post Quantum Encryption
Starting with version 10.1, OpenSSH will warn users if a connection uses quantum-unsafe algorithms.
https://www.openssh.com/pq.html


Podcast Transcript

Hello and welcome to the Tuesday, August 12, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations.

Well, ahead of Patch Tuesday, I do want to take a bit of a different spin here and talk about a couple of vulnerabilities that became known as being exploited in the last couple of days. All of these vulnerabilities have patches available. So these are not, strictly speaking, zero days, but still, some of these patches are relatively new.

The first one here is the vulnerability in the Erlang OTP variant of SSH. OTP here stands for Open Telecom Platform, and that's where you often find this version of SSH. There are a number of Cisco devices that run Erlang OTP SSH. So those are the kind of devices where you have to be careful and that you must patch. When I talked about the patch and the vulnerability as it was released, the exploit is actually relatively straightforward. So no big surprise that it is being exploited in the wild. And Palo Alto here collected some of the evidence that they found and how it is being exploited in the wild right now. So definitely something that you must patch now. And if you have devices that are exposed that are using this version of SSH, well, please make sure that you are also checking them for any existing compromise. Rotate passwords, rotate any seeds for two-factor authentication.

Well, another already exploited vulnerability is a vulnerability in WinRAR before version 7.12. This vulnerability was patched at the end of June, and it's one of those classic decompression vulnerabilities where an attacker can create an archive that, once it's being decompressed or extracted, creates files in unexpected locations. By creatively selecting these locations, an attacker is able to then potentially execute arbitrary code. Update WinRAR, but this is one of those tricky ones where some of the WinRAR components, DLLs, may be embedded, may be included in other software. So definitely, inventory can be a bit of a challenge here.

And the Dutch National Cyber Security Center has released some updates regarding a Citrix vulnerability that was also patched at the end of June but actually had been exploited before the patch was released. This is your classic Citrix NetScaler issue. What they are pointing out here again is that attackers that are attacking this vulnerability are actively hiding their tracks. So you have to be really careful here to actually evict the attackers permanently from your systems. Remember all of the issues we had recently with some of the firewall compromises and such, where it wasn't really clear if it was a new vulnerability or just sort of backdoors or stolen credentials left behind from an old vulnerability. That's also why I mentioned earlier, about the SSH vulnerability: always change credentials, change seeds for one-time passwords and two-factor authentication. And yeah, definitely assume the system has been compromised if you see a vulnerable exposed system and the vulnerability has been known for a while or has been known to be exploited for a while.

And OpenSSH is doubling down on pushing post-quantum cryptography. Current versions of OpenSSH in use are usually 9.6, 9.9. Nothing wrong with these versions. They actually do support, at least 9.9, already quantum-safe encryption algorithms, but they are doing so as an option, not by default. Starting with OpenSSH 10, which I don't think is in any sort of major Linux distribution or such yet, these post-quantum cryptography algorithms have become the default, and in 10.1, which is just being released, it now will warn you if you're using an algorithm that is not yet quantum safe. So this is an interesting push here by the OpenSSH project. They always have been a little bit sort of trying to be at the forefront of good crypto practices, and nothing wrong with this. Just, if you're seeing the warning, it may not be possible for you to actually apply these algorithms if the server you're connecting to does not support them. And that depends, of course, on the version of OpenSSH running there. IoT devices and the like are often behind on SSH versions, and that can sometimes be challenging, and you may have to set up some exceptions where you're still using some weaker ciphers and key exchanges.

Well, and this is it for today. So thanks again for listening. Thanks for liking and subscribing to this podcast, and talk to you again tomorrow. Bye.
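As an added example (not code from the podcast or from the OpenSSH project), a small POSIX shell audit that classifies the key exchange recorded in `ssh -vv` output as post-quantum hybrid or classical and writes a Host-scoped ssh_config exception for a legacy device that cannot negotiate a PQ method; the hostnames and debug excerpts are constructed, while the kex method names are OpenSSH's own.

```shell
#!/bin/sh
# Added example, not from the podcast or OpenSSH: audit the key exchange an
# OpenSSH client negotiated (as printed by `ssh -vv`) and emit a per-host
# ssh_config exception for a legacy device that cannot do PQ kex.
# The kex method names are OpenSSH's real ones; the debug output is constructed.

# Classify a kex method: "pq" for OpenSSH's PQ-hybrid methods, else "classical".
is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256|sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com)
            echo pq ;;
        *)
            echo classical ;;
    esac
}

# Pull the negotiated kex method out of `ssh -vv` output read from stdin.
# OpenSSH logs it as "debug1: kex: algorithm: <method>".
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# Print a Host block that pins a classical kex for one legacy host only,
# so the rest of the client configuration keeps the PQ default.
legacy_exception() {
    printf 'Host %s\n    KexAlgorithms %s\n' "$1" "$2"
}

# Audit one connection's debug output: prints "<host> <kex> <pq|classical>".
audit_connection() {
    host=$1
    kex=$(printf '%s\n' "$2" | negotiated_kex)
    printf '%s %s %s\n' "$host" "$kex" "$(is_pq_kex "$kex")"
}

# Constructed `ssh -vv` excerpts: an old appliance and a current server.
LEGACY_LOG='debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'
MODERN_LOG='debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

audit_connection legacy-cam.example.net "$LEGACY_LOG"
audit_connection bastion.example.net "$MODERN_LOG"
legacy_exception legacy-cam.example.net curve25519-sha256
```

In practice you would feed the script the saved stderr of `ssh -vv host`, and keep each generated Host block narrow so the PQ default still applies everywhere else.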