
SANS Stormcast Wednesday, August 27th, 2025: Analyzing IDNs; Netscaler 0-Day Vuln; Git Vuln Exploited;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9588.mp3


Getting a Better Handle on International Domain Names and Punycode
International domain names (IDNs) can be used for phishing and other attacks. One way to identify suspect names is to look for mixed-script use within a label.
https://isc.sans.edu/diary/Getting%20a%20Better%20Handle%20on%20International%20Domain%20Names%20and%20Punycode/32234
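The mixed-script check this show note describes (and the transcript below explains in more detail: decode Punycode, determine the script of each character, flag labels that combine scripts such as Latin and Cyrillic) is worked through here as an added example. It is not the diary's or ISC's own script. It assumes that a coarse script lookup derived from the prefix of each character's Unicode name is good enough for detection (Python's unicodedata has no Script property), uses an allowed-combination list modelled on the "highly restrictive" level of Unicode Technical Standard #39 so that normal Japanese, Korean and Chinese names are not flagged, and uses constructed sample domains.

```python
"""Flag domain names whose labels mix Unicode scripts (added example, not the ISC diary's script)."""
import unicodedata

# Assumption: a coarse script lookup built from the prefix of each character's Unicode name.
# Python's unicodedata exposes no Script property, so this stands in for a full Scripts.txt table.
SCRIPT_BY_NAME_PREFIX = {
    "LATIN": "Latin",
    "CYRILLIC": "Cyrillic",
    "GREEK": "Greek",
    "ARMENIAN": "Armenian",
    "HEBREW": "Hebrew",
    "ARABIC": "Arabic",
    "DEVANAGARI": "Devanagari",
    "THAI": "Thai",
    "HANGUL": "Hangul",
    "HIRAGANA": "Hiragana",
    "KATAKANA": "Katakana",
    "BOPOMOFO": "Bopomofo",
    "CJK UNIFIED IDEOGRAPH": "Han",
}

# Script combinations seen in legitimate names, modelled on the "highly restrictive" level of
# Unicode Technical Standard #39: East Asian scripts may be combined with Han and Latin.
ALLOWED_COMBINATIONS = (
    {"Latin", "Han", "Hiragana", "Katakana"},  # Japanese
    {"Latin", "Han", "Hangul"},                # Korean
    {"Latin", "Han", "Bopomofo"},              # Chinese
)


def script_of(ch):
    """Coarse script of one character; digits and hyphen are 'Common' and never count as a mix."""
    if ch in "-0123456789":
        return "Common"
    try:
        name = unicodedata.name(ch)
    except ValueError:  # unassigned or unnamed code point
        return "Unknown"
    for prefix, script in SCRIPT_BY_NAME_PREFIX.items():
        if name.startswith(prefix):
            return script
    return "Other"


def decode_domain(domain):
    """Return the Unicode form of a domain: Punycode (xn--) labels are decoded, plain labels kept.
    Accepts ASCII/Punycode input as well as already-Unicode input; returns None if the name is
    not valid under the IDNA rules that Python's built-in idna codec implements."""
    try:
        return domain.encode("idna").decode("idna")
    except UnicodeError:
        return None


def scripts_in(label):
    """Set of scripts used in one label, ignoring script-neutral characters."""
    return {script_of(ch) for ch in label} - {"Common"}


def is_mixed(scripts):
    """True if the label uses more than one script and the mix is not an accepted one."""
    if len(scripts) <= 1:
        return False
    return not any(scripts <= allowed for allowed in ALLOWED_COMBINATIONS)


def analyze_domain(domain):
    """Return (unicode_form, flagged); flagged lists (label, sorted scripts) for every label
    that mixes scripts in the way homograph phishing domains typically do."""
    unicode_form = decode_domain(domain)
    if unicode_form is None:
        return None, []
    flagged = []
    for label in unicode_form.split("."):
        scripts = scripts_in(label)
        if is_mixed(scripts):
            flagged.append((label, sorted(scripts)))
    return unicode_form, flagged


if __name__ == "__main__":
    # Constructed sample names (not taken from the podcast or the diary):
    samples = [
        "example.com",
        "xn--bcher-kva.de",                    # legitimate German IDN in Punycode form
        "p\u0430ypal.com",                     # Latin label with one Cyrillic 'а' (U+0430)
        "\u6771\u4eac\u30bf\u30ef\u30fc.jp",   # Han + Katakana, normal for a Japanese name
        "\u0430\u0440\u0440\u04cf\u0435.com",  # all-Cyrillic look-alike: single script, passes
    ]
    for name in samples:
        ace = name.encode("idna").decode("ascii")  # the form you would see in DNS logs
        unicode_form, flagged = analyze_domain(name)
        verdict = "MIXED " + str(flagged) if flagged else "ok"
        print(f"{ace:28} -> {unicode_form:14} {verdict}")
```

The check is deliberately per label, because the TLD is always ASCII and would otherwise make every non-Latin name look mixed. Its limitation shows in the last sample: a label written entirely in Cyrillic that merely looks like a Latin word is single-script and passes, so this heuristic belongs next to a confusable (skeleton) comparison against the names you care about, not on its own.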

Citrix Netscaler Vulnerabilities CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424
Citrix patched three vulnerabilities in Netscaler. One is already being exploited.
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424

Git vulnerability exploited (CVE-2025-48384)
A Git vulnerability patched in early July is now being exploited.
https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9

Podcast Transcript

Hello and welcome to the Wednesday, August 27th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Baltimore, Maryland. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cloud Security.

In Diaries today I wrote a little bit about good old international domain names, IDNs and Punycode. Punycode is used to encode non-ASCII characters in domain names and well, there are sort of some interesting detections that you can perform on these domain names. Of course one of the risks of these domain names is that they're being used in phishing, and one particular issue here is if you do have domain names that use characters from different languages. And I recently sort of was working a little bit with our new domain name system, where we're looking for suspicious domains, on some ways to better do this. So I'm publishing here a Python script I'm using to accomplish this. Essentially the idea is it's not quite easy to actually identify a language a particular character belongs to. If you think for example about the normal ASCII character set, there is a number of different languages that can be expressed with the normal ASCII character set. However, what Unicode identifies is a so-called script. A script is essentially a group of characters being used in certain languages, like, you know, for example Cyrillic or Latin, which is what's usually sort of known as the ASCII character set. And just by looking at the mix of scripts, for example, you're able to identify an Asian character being used as part of a domain name that's otherwise just using Latin script, so likely English or European languages. So this is easily expressed in a little Python script and well, if you check out the diary post, you'll see a link to the GitHub repo which contains this very brief and simple Python script.

And Citrix today released a bulletin and patches for Netscaler ADC. These patches are addressing three different vulnerabilities. The most severe one, with a CVSS base score of 9.5, is a memory overflow vulnerability and apparently is already being exploited in the wild in order to deploy web shells and other malware. So certainly must be patched, and now you're vulnerable if Netscaler is configured as a gateway or as an AAA virtual server. The second vulnerability is also a memory overflow. The third one is an improper access control vulnerability that allows access to the Netscaler management interface. The last one is the least risky one according to the CVSS score, with a base score of 8.7. So in particular with the first one already being exploited, you certainly must patch this now.

And talking about already exploited vulnerabilities, CISA also added a recently patched git vulnerability to its already exploited vulnerability catalog. This particular vulnerability is an interesting sort of parser issue when it comes to the git configuration file, where essentially carriage returns at end of lines can be lost, which can then lead to different lines being merged, which can be exploited if a victim checks out a submodule and then, due to this particular problem, the paths essentially where this submodule is being checked out in are being corrupted, which can then lead to writing files that later can be executed. Interesting that this vulnerability is being exploited and so far only marked now as being exploited, since a proof of concept exploit has been around for a while now. The vulnerability was patched beginning of July and I would expect all the Linux distributions and such having updated packages available.

And well, I guess since today's theme apparently is already exploited or soon to be exploited vulnerabilities, the last one I have here is: recently Docker Desktop for Windows did publish a container breakout vulnerability. Well, we now have a proof of concept and a write-up about this particular vulnerability. The root cause here is really sort of a server-side request forgery issue that can be used to reach out to the internal API, which does not require authentication and can then lead to the execution of code on the host. Interesting vulnerability actually, and I think these server-side request forgery vulnerabilities are often underestimated, and it's a nice example how a simple unauthenticated internal API can lead to additional problems here.

Well, and this is it for today, so thanks again for listening and talk to you again tomorrow. Bye!