SANS Stormcast Wednesday, October 1st, 2025: Cookie Auth Issues; Western Digital Command Injection; sudo exploited;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9636.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025
Sometimes you don’t even need to log in
Applications using simple, predictable cookies to verify a user’s identity are still exploited, and relatively recent vulnerabilities are still due to this very basic mistake.
https://isc.sans.edu/diary/%22user%3Dadmin%22.%20Sometimes%20you%20don%27t%20even%20need%20to%20log%20in./32334
Western Digital My Cloud Vulnerability
Western Digital patched a critical vulnerability in its “MyCloud” device.
https://nvd.nist.gov/vuln/detail/CVE-2025-30247
sudo vulnerability exploited
A recently patched vulnerability in sudo is now being exploited.
https://www.sudo.ws/security/advisories/
Podcast Transcript
Hello and welcome to the Wednesday, October 1st, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.

When teaching our defensive web application security class, SEC 522, one of the things of course that always comes up is mistakes in authentication and access controls. And one of the examples that is always mentioned here are, well, simple cookies like a user equals admin. So I wanted to put this to the test to see how relevant this issue still is and looked at some of our honeypots and what kind of cookies like this we are seeing in the honeypot and, well, how often they're exploited. Certainly exploited quite a bit, and the exploits or the vulnerabilities being associated with these particular cookies are actually not that super old. Like the first one here, UID equals one, goes with a DVR vulnerability that was originally described about a year ago. You also have this user equals admin, a little bit older. Many of these of course are IoT style vulnerabilities. So DVRs and wireless access points, routers and the like. There are a couple interesting ones, like there is the admin ID equals one, GW admin ticket equals one. I believe that one was from a Chinese VPN that apparently can be administered using this particular cookie. And then we also have the CMX saved ID cookies. These are actually apparently associated with a biometric security system. So yes, these vulnerabilities are still relevant; they're still relatively recent vulnerabilities that are following these patterns where essentially setting a simple cookie will give you admin access to a system.

And talking about simple IoT devices, we do have an advisory and patch from Western Digital for its MyCloud devices. The firmware prior to 531.108 does suffer from an arbitrary command injection vulnerability. Simple HTTP post request, which is actually one of these types of requests that also matches the prior story. So it wouldn't be that surprising if it would be a simple cookie or so that you would need in order to trigger this vulnerability. But the actual payload, which would be part of the post request, does not appear to take any kind of authentication to execute. However, the details regarding this particular vulnerability are very slim and Western Digital's advisory is pretty much useless, just pointing to the NVD entry, which is what I'll be using in the show notes, and maybe there will be some more useful links there in the future. So patch your devices, and these network storage devices, please never really connect them to the internet. Only access them via VPN or from your local network in order to minimize your footprint.

And the vulnerability in sudo is now officially being exploited, with the vulnerability being added to CISA's catalog of known exploited vulnerabilities. It wasn't really a big surprise, and I mentioned it back when the vulnerability came out. The vulnerability isn't that terribly difficult to exploit. It uses the dash capital R or change root parameter in sudo. It's a privilege escalation vulnerability. I usually don't really talk much about privilege escalation vulnerabilities, but in this case, well, keeping privileges apart, that's really all sudo has to do. So certainly a critical vulnerability as far as sudo is concerned. Patches have been made available for all the distributions that I have checked, and many of them, like for example some recent Red Hat versions and such, did not run one of the vulnerable versions, which is 1.9.14 through 17. So those versions were the only ones affected by this vulnerability.

Well, and that's it for today. Thanks for listening. Thanks for liking and subscribing to this podcast and talk to you again tomorrow. Bye.
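The predictable-cookie mistake discussed in the first story (a `user=admin` or `uid=1` cookie granting admin access), shown beside a server-signed session cookie that the client cannot forge. This is an added example, not code from the ISC diary, the podcast, or any of the affected products; the function names and the demo key are assumptions.

```python
"""Added example: trusting a client-chosen cookie vs. verifying a signed one."""
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

# Constructed demo secret; a real deployment loads this from configuration/KMS.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def parse_cookie_header(header: str) -> dict:
    """Turn a raw Cookie: header value into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def is_admin_vulnerable(cookies: dict) -> bool:
    """The pattern seen in the honeypot: whatever the client sends is believed."""
    return cookies.get("user") == "admin" or cookies.get("uid") == "1"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session(user: str, role: str, ttl: int = 3600, now=None) -> str:
    """Server-side: encode the claims and bind them with an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "role": role, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def verify_session(token: str, now=None):
    """Return the claims only if the tag matches (constant-time) and not expired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token or bad base64
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered payload or forged tag
    claims = json.loads(payload)
    return claims if claims.get("exp", 0) > now else None

def is_admin_hardened(cookies: dict, now=None) -> bool:
    """Hardened check: the role comes from verified claims, not a bare cookie."""
    claims = verify_session(cookies.get("session", ""), now)
    return bool(claims) and claims.get("role") == "admin"
```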