
SANS Stormcast Wednesday, October 1st, 2025: Cookie Auth Issues; Western Digital Command Injection; sudo exploited;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9636.mp3


Sometimes you don’t even need to log in
Applications using simple, predictable cookies to verify a user’s identity are still exploited, and relatively recent vulnerabilities are still due to this very basic mistake.
https://isc.sans.edu/diary/%22user%3Dadmin%22.%20Sometimes%20you%20don%27t%20even%20need%20to%20log%20in./32334
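The two authentication checks below are an added illustration of the "user=admin" problem, not code from the ISC diary or from any of the affected products: the first function is the broken pattern the honeypots see exploited (a client-supplied cookie is trusted as-is), the second replaces it with a server-signed, expiring session token so that a guessable cookie value buys nothing. The secret, cookie names and sample headers are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side secret (constructed). A real application loads it
# from configuration and rotates it; it must never be derivable by a client.
SECRET = b"example-only-server-secret-change-me"


def parse_cookies(cookie_header):
    """Split a Cookie request header into a {name: value} dict (constructed helper)."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def is_admin_predictable(cookie_header):
    """The broken pattern from the diary: a client-controlled 'user=admin'
    cookie is taken at face value, so anyone who sends it is an admin."""
    return parse_cookies(cookie_header).get("user") == "admin"


def mint_session(user, role, secret=SECRET, ttl=3600, now=None):
    """Issue a server-signed session: base64url(payload).base64url(HMAC-SHA256 tag)."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"u": user, "r": role, "exp": issued + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify_session(token, secret=SECRET, now=None):
    """Return the claims if the tag verifies and the session is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = time.time() if now is None else now
    if claims.get("exp", 0) < current:
        return None
    return claims


def is_admin_signed(cookie_header, secret=SECRET, now=None):
    """Hardened check: only a session this server signed with role 'admin' counts."""
    token = parse_cookies(cookie_header).get("session")
    if token is None:
        return False
    claims = verify_session(token, secret, now)
    return claims is not None and claims.get("r") == "admin"


if __name__ == "__main__":
    # Constructed request cookies of the kind the honeypots log.
    print(is_admin_predictable("user=admin; lang=en"))  # True: no login needed
    print(is_admin_signed("user=admin; lang=en"))       # False: no valid session
    legit = mint_session("alice", "admin")
    print(is_admin_signed("session=" + legit))          # True
```

The role lives inside the signed payload, so a client cannot change it without invalidating the tag, and a token signed under a different key or past its expiry is rejected the same way as no token at all. Logging the failure path of `verify_session` (bad tag versus expired) is also a cheap way to spot the scanning the diary describes.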

Western Digital My Cloud Vulnerability
Western Digital patched a critical vulnerability in its “MyCloud” device.
https://nvd.nist.gov/vuln/detail/CVE-2025-30247

sudo vulnerability exploited
A recently patched vulnerability in sudo is now being exploited.
https://www.sudo.ws/security/advisories/

Podcast Transcript

Hello and welcome to the Wednesday, October 1st, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.

When teaching our defensive web application security class, SEC 522, one of the things of course that always comes up is mistakes in authentication and access controls. And one of the examples that is always mentioned here are, well, simple cookies like a user equals admin. So I wanted to put this to the test to see how relevant this issue still is and looked at some of our honeypots and what kind of cookies like this we are seeing in the honeypot and, well, how often they're exploited. Certainly exploited quite a bit, and the exploits or the vulnerabilities being associated with these particular cookies are actually not that super old. Like the first one here, UID equals one, goes with a DVR vulnerability that was originally described about a year ago. You also have this user equals admin, a little bit older. Many of these of course are IoT-style vulnerabilities. So DVRs and wireless access points, routers and the like. There are a couple of interesting ones, like there is the admin ID equals one, GW admin ticket equals one. I believe that one was from a Chinese VPN that apparently can be administered using this particular cookie. And then we also have the CMX saved ID cookies. These are actually apparently associated with a biometric security system. So yes, these vulnerabilities are still relevant, and they're still relatively recent vulnerabilities that are following this pattern where essentially setting a simple cookie will give you admin access to a system.

And talking about simple IoT devices, we do have an advisory and patch from Western Digital for its MyCloud devices. The firmware prior to 531.108 does suffer from an arbitrary command injection vulnerability. Simple HTTP POST request, which is actually one of these types of requests that also matches the prior story. So it wouldn't be that surprising if it would be a simple cookie or so that you would need in order to trigger this vulnerability. But the actual payload would be part of the POST request and does not appear to take any kind of authentication to execute. However, the details regarding this particular vulnerability are very slim, and Western Digital's advisory is pretty much useless, just pointing to the NVD entry, which is what I'll be using in the show notes, and maybe there will be some more useful links there in the future. So patch your devices, and these network storage devices, please never really connect them to the internet. Only access them via VPN or from your local network in order to minimize your footprint.

And the vulnerability in sudo is now officially being exploited, with the vulnerability being added to CISA's catalog of known exploited vulnerabilities. It wasn't really a big surprise, and I mentioned it back when the vulnerability came out. The vulnerability isn't that terribly difficult to exploit. It uses the dash capital R, or change root, parameter in sudo. It's a privilege escalation vulnerability. I usually don't really talk much about privilege escalation vulnerabilities, but in this case, well, keeping privileges apart, that's really all sudo has to do. So certainly a critical vulnerability as far as sudo is concerned. Patches have been made available for all the distributions that I have checked, and many of them, like for example some recent Red Hat versions and such, did not run one of the vulnerable versions, which is 1.9.14 through 17. So those versions were the only ones affected by this vulnerability.

Well, and that's it for today. Thanks for listening. Thanks for liking and subscribing to this podcast, and talk to you again tomorrow. Bye.
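As an added inventory helper for the sudo story, not code from the episode or from the sudo project: the function below parses the first line of `sudo --version` output and reports whether the base version falls in the 1.9.14 through 1.9.17 range the episode names as affected. The sample version strings are constructed. The episode's own remark about Red Hat is the reason for the caveat built into the result: distributions routinely backport a fix without changing the version number, so a base version in range is a prompt to check the package changelog and the sudo advisory linked in the show notes, not a verdict on its own.

```python
import re
import subprocess

# Range the episode names as affected: sudo 1.9.14 through 1.9.17 (inclusive).
AFFECTED_MIN = (1, 9, 14)
AFFECTED_MAX = (1, 9, 17)

# Matches the first line of `sudo --version`, e.g. "Sudo version 1.9.15p5".
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.IGNORECASE)


def parse_sudo_version(text):
    """Return (major, minor, patch, p_suffix) from sudo --version output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p) if p else 0)


def assess_sudo(text):
    """Classify a version string against the range named in the episode.

    'base_in_range' only says the upstream base version is within
    1.9.14..1.9.17. Distribution packages often carry the fix as a
    backport under the same base version, and upstream patch-level
    releases keep the base number with a 'p' suffix, so treat a True
    here as "verify against the advisory", not as "vulnerable"."""
    version = parse_sudo_version(text)
    if version is None:
        return {"version": None, "base_in_range": None, "p_suffix": None}
    base = version[:3]
    label = "%d.%d.%d" % base + ("p%d" % version[3] if version[3] else "")
    return {
        "version": label,
        "base_in_range": AFFECTED_MIN <= base <= AFFECTED_MAX,
        "p_suffix": version[3],
    }


def assess_local_sudo():
    """Run the real `sudo --version` on this host and assess its output."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False)
    except OSError:  # sudo not installed or not executable
        return assess_sudo("")
    return assess_sudo(out.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    for sample in ("Sudo version 1.9.15p5", "Sudo version 1.9.13p3",
                   "Sudo version 1.9.17p1", "not sudo output"):
        print(sample, "->", assess_sudo(sample))
    print("this host ->", assess_local_sudo())
```

Feeding the collected first lines of `sudo --version` from a fleet into `assess_sudo` gives a quick list of hosts whose package version still needs to be matched against the distribution's advisory, which is the practical follow-up to a KEV listing.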