
SANS Stormcast Thursday, August 14th, 2025: Equation Editor; Kerberos Patch; XZ-Utils Backdoor; FortiSIEM/FortiWeb patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9570.mp3


CVE-2017-11882 Will Never Die
The (very) old equation editor vulnerability is still being exploited, as this recent sample analyzed by Xavier shows. The payload of the Excel file attempts to download and execute an infostealer to exfiltrate passwords via email.
https://isc.sans.edu/diary/CVE-2017-11882%20Will%20Never%20Die/32196

Windows Kerberos Elevation of Privilege Vulnerability
Yesterday, Microsoft released a patch for a vulnerability that had already been made public. The vulnerability is a privilege escalation that takes advantage of a path traversal issue in Windows Kerberos and affects Exchange Server in hybrid mode.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53779

Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images
Some old Debian Docker images containing the xz-utils backdoor are still available for download from Docker Hub via the official Debian account.
https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images

FortiSIEM / FortiWeb Vulnerabilities
Fortinet patched already exploited vulnerabilities in FortiWeb and FortiSIEM.
https://fortiguard.fortinet.com/psirt/FG-IR-25-152
https://fortiguard.fortinet.com/psirt/FG-IR-25-448

Podcast Transcript

Hello and welcome to the Thursday, August 14th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operation.

Yesterday, we talked about new Microsoft patches. Well, sadly, all vulnerabilities appear to be still around, at least around enough for attacks to still take advantage of them. Xavier came across this little bit odd Excel spreadsheet. The extension is .xlam, which usually hints at like a macro file. But macros were not the problem here. Instead, it just exploited an old 2017 vulnerability, the good old equation editor vulnerability. So apparently, there's still enough of it around for attackers to still give it a try every so often. As Xavier points out, he keeps an old virtual machine around just for that purpose. I think in most corporate environments, I hope it's not that easy to find these old systems still running. But, well, I have been surprised before. The payload here is then essentially just triggering a download of an executable that is being run on the victim's system. And this executable is an information stealer that then exfiltrates data via email directly to an attacker's mail server. Another sort of not super common technique, given that outbound email via random mail servers is often blocked. So maybe more something going after home users or the like versus more enterprise users.

And talking about vulnerabilities and Microsoft's Patch Tuesday, there's one quick add-on here that I didn't point out yesterday. And that's the one already publicly known vulnerability. Well, this was the vulnerability of the Exchange server in hybrid mode where an attacker with admin access to the Exchange server could attack other parts of the infrastructure, in particular your domain controller. Apparently, the root cause here is a directory traversal issue in Kerberos.

And Binarly published an interesting report about the XZ Utils backdoor. If you remember, this was March last year that this backdoor was discovered. It was a very interesting sort of case about open source security and some interesting social engineering. Well, luckily, back then, the backdoor was found pretty quickly. So there wasn't really any major harm done. At least the harm was somewhat limited. Well, what Binarly now found is that this particular XZ Utils backdoor is still present in some Docker images that are distributed by the official Docker Debian account. Debian Linux was the distribution affected by this backdoor. That's sort of why this happened. There's some controversy between Binarly and the Debian maintainers here, whether or not these affected images should be removed from Docker Hub. Well, Binarly's argument is, well, obviously, there's a backdoor in these images. And people typically trust images being distributed by Debian on their official Docker account. Debian's argument is, well, it's really just a vulnerability like anything else. The affected images are not currently supported images. They're really just maintained sort of for archive purposes. And since this backdoor is really just a vulnerability, they're not going to remove them. And as sort of an example, they pointed out that old versions of Debian that, for example, are suffering from the Heartbleed vulnerability are also still available for download.

Overall, of course, most vendors or many vendors make old vulnerable images available for download or software available for download, not just via Docker Hub, but also their official software distribution websites. Sometimes for researchers, this is quite useful to be able to find these old vulnerable software versions, if you try to, for example, experiment with a particular exploit. On the other hand, of course, there is sort of this attitude that, hey, if it comes from Docker, it's official. It must be free of malware. And the XZ Utils, that backdoor certainly, well, qualifies more as malware than a normal vulnerability, even though a CVE number was assigned to it. So lesson learned here. Be careful what you download from Docker Hub. Make sure you're downloading currently supported versions of images, not just any image from a trustworthy account. And of course, there's always the chance that things like that will end up in images derived from these vulnerable images. So it's not just that the Debian images are affected, but any images that use them as their base are possibly infected as well.

And then we do have two critical vulnerabilities in Fortinet devices. I would rate them sort of as patch now. This first one here is essentially an authentication bypass vulnerability in FortiWeb. There are already proof of concept exploits out there. So assume this being exploited. The second vulnerability, also published yesterday, is a vulnerability in FortiSIEM. And it allows for an unauthenticated OS command injection vulnerability. So both of these are critical, both of these are essentially exploited in the wild. Like for the first one, we do have exploit code public. For the second one, the FortiSIEM vulnerability, Fortinet states as part of the advisory that they have found exploit code in the wild, taking advantage of this vulnerability. So definitely both of them must patch now.

Well, and that's it for today. So thanks for listening and talk to you again tomorrow. Bye.