SANS Stormcast Thursday, September 4th, 2025: Dassault DELMIA Apriso Exploit Attempts; Android Updates; 1.1.1.1 Certificate Issued

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9598.mp3

Exploit Attempts for Dassault DELMIA Apriso. CVE-2025-5086
Our honeypots detected attacks against the manufacturing management system DELMIA Apriso. The deserialization vulnerability was patched in June and is one of a few critical vulnerabilities patched in recent months.
https://isc.sans.edu/diary/Exploit%20Attempts%20for%20Dassault%20DELMIA%20Apriso.%20CVE-2025-5086/32256


Android Bulletin
Google released its September update, fixing two already-exploited privilege escalation flaws and some remote code execution issues.
https://source.android.com/docs/security/bulletin/2025-09-01


Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020
Certificate authority Fina RDC issued a certificate for Cloudflare's IP address 1.1.1.1.
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc

Podcast Transcript

Hello and welcome to the Thursday, September 4th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations.

Our honeypots the last couple of days picked up some attacks for the Dassault DELMIA Apriso software. Now you're probably not familiar with that. That's not necessarily sort of a household name, but it's a manufacturing operation management software. One of these complex packages that basically interface with your plant and your enterprise research planning system and allow you to sort of get a holistic view of a manufacturing process, sort of from the devices on the manufacturing line all the way to the bookkeeping. There have been a number of vulnerabilities in this software in recent months. This particular one that we see exploited is a deserialization vulnerability that was patched in June. There were a couple other remote code execution vulnerabilities that I didn't see so far being exploited. The advisories from Dassault are fairly minimal. It's sort of little one-liners, essentially what the vulnerability is all about. Definitely if you're running this type of software, make sure you keep it patched. Not just this particular software from Dassault, but any sort of complex operation management software and such tends to have vulnerabilities, in particular deserialization vulnerabilities like this. We have seen them also often in ERP software. And yes, they are usually not easy to patch. So you want to stay ahead of that, not wait for the emergency, like now hearing that there is active exploitation of this vulnerability before you have to apply any patches for this type of software.

And we got the monthly update for Android from Google. This is the September version of this update. Two vulnerabilities here. Both privilege escalation vulnerabilities are already being exploited. One of these vulnerabilities affects the Linux kernel. I believe that's a vulnerability that also has been discussed with respect to Linux in general. And then there's a second vulnerability in the Android system. There are, in addition to these privilege escalation vulnerabilities, additional vulnerabilities that can lead to remote code execution from what they're calling a network adjacent position. So not necessarily across the internet, but someone being sort of on the same Wi-Fi network or on the same LTE or cellular network that may also be exploitable this way. Well, as usual, update as these updates become available for your particular phone.

And we have yet an interesting certificate event to talk about. This time it's a certificate for the IP address 1.1.1.1. This IP address is used by Cloudflare for its DNS service. So a certificate that is valid for this IP address may be useful to intercept DNS over HTTPS, DNS over QUIC connections to that IP address. The certificate authority that issued this certificate is FINA RDC. As far as I know, they're not universally trusted. However, they're trusted by Microsoft's Edge browser. This certificate was issued a few months ago. I think it says three months when it was first seen. It was properly added to certificate transparency logs, but only now was noted for some reason. Well, there are a lot of certificates in those logs. Also, it was added as an alternative name, which isn't quite as obvious. The main subject CN for the certificate was test1.hr. .hr is for Croatia. So it's their country top level domain. Given that it was test1.hr and test1.hr, it could be that this was just a test someone was running. Still not good that that certificate made it sort of through the server authority. But at this point, we don't know what the purpose of the certificate was. Just well, that it has been around and is probably still valid as of me recording this podcast.

And this vulnerability I'm really just covering in part because it's sort of familiar. It hits a couple buttons with me. In the ESP-IDF web server, an interesting authentication bypass happens by the web server only comparing as many characters as the user actually provides. So if you provide a short password like just the letter S, then only the first letter of the password S is compared. And with that, of course, you can primitively brute force passwords. ESP-IDF web server, if you're familiar with this, it's part of these little prototype boards and often used in home automation, like where you have a little ESP CPU with some Wi-Fi, Bluetooth and such interfaces that allow you to automate some tasks. Well, a patch, of course, as usual. I'm not sure how many are exposing ESPHome to the internet.

Well, this is it for today. So thanks for listening. Thanks for liking. Thanks for subscribing. And as always, special thanks if you're leaving a comment in your favorite podcast platform. I think I haven't seen new comments in a while in like Apple or Amazon in particular. Not a lot of people are apparently listening to Alexa in the morning to this podcast. But anyway, that's it for today and talk to you again tomorrow. Bye.
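The prefix-comparison bug described for the ESP-IDF web server, shown as an added example in C that is not the project's code: a constructed vulnerable check that takes the comparison length from the client-supplied value, next to a hardened check that requires equal length and compares every byte. Function and password names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed vulnerable pattern mirroring the bug the episode describes
 * (not ESP-IDF's actual code): the comparison length comes from the
 * caller-supplied string, so any prefix of the stored password passes,
 * and an empty string passes because strncmp with n == 0 returns 0. */
bool check_password_vulnerable(const char *stored, const char *supplied)
{
    return strncmp(stored, supplied, strlen(supplied)) == 0;
}

/* Hardened form: reject on length mismatch, then compare all bytes
 * without an early exit so a matching prefix does not leak via timing.
 * (The length check itself is a cheap, fixed-cost early return.) */
bool check_password_fixed(const char *stored, const char *supplied)
{
    size_t n = strlen(stored);
    if (strlen(supplied) != n)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)stored[i] ^ (unsigned char)supplied[i];
    return diff == 0;
}

int main(void)
{
    const char *stored = "Secret123";   /* constructed sample password */
    const char *attempts[] = { "S", "", "Secret123", "Secret1234" };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        printf("\"%s\": vulnerable=%d fixed=%d\n", attempts[i],
               check_password_vulnerable(stored, attempts[i]),
               check_password_fixed(stored, attempts[i]));
    return 0;
}
```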