
SANS Stormcast Wednesday, October 22nd, 2025: NTP Pool; Xubuntu Compromise; Squid Vulnerability; Lanscope Vuln;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9666.mp3


What time is it? Accuracy of pool.ntp.org.
How accurate and reliable is pool.ntp.org? Turns out it is very good!
https://isc.sans.edu/diary/What%20time%20is%20it%3F%20Accuracy%20of%20pool.ntp.org./32390

Xubuntu Compromise
The Xubuntu website was compromised last weekend and served malware.
https://floss.social/@bluesabre/115401767635718361

Squid Proxy Vulnerability
The Squid team fixed an information disclosure vulnerability that may leak authentication credentials.
https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr

Lanscope Endpoint Manager Vulnerability
https://jvn.jp/en/jp/JVN86318557/index.html

Podcast Transcript

Hello and welcome to the Wednesday, October 22, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Incident Response.

I mentioned yesterday, talking about the compromise of the Chinese standard time servers, that we have been collecting data about pool.ntp.org. These are the NTP servers that are basically an open project. Everybody can contribute their time server to it to make it easy to synchronize your time. And a lot of systems, in particular Linux systems, tend to use these NTP servers as their default. Now, I took some time today to go over the data that we have collected just to see how accurate those time servers are. And it turns out they are very accurate. I had to use a double logarithmic scale to really show anything here but a real tight spike. Most of these, and we're talking here about more than 90% of the servers, have an accuracy of less than 10 milliseconds. And pretty much all of them are less than 100 milliseconds. So, that certainly is sufficient for most sort of small business, home networks and the like to synchronize your time. And again, remember there are two parts to it. This is the synchronization to the external time standard. And then, of course, you also have your internal synchronization. The other thing here is you can contribute your own time server if you want to. But they put a little bit of warning out here that once you commit to it, you should better stick to it. Because, well, people will keep querying your time server even if they can't reach it. I also added a link to the feed that we have. Basically, you can look at the data yourself and check it out and see if you see any oddities or such in this data. But also having a list of NTP servers, these public NTP servers, can be handy because you will see some of your systems reaching out to these IP addresses. And I've seen in the past where firewalls sort of blocked the responses if they aren't really all that great in handling UDP statelessness. And that can sometimes cause some false positives. So easy then to discriminate against these false positives if you have this list of NTP servers.

This weekend on Sunday, the Xubuntu website was compromised. And download links did point to malicious software. This malware was, well, as often we were really lucky here. It was relatively basic malware. Apparently, some kind of crypto coin jacker that copies crypto coin addresses from the clipboard. It makes itself persistent via a registry entry. So nothing really all that special. And antivirus often did alert on this malware. So by now, I would think that antivirus pretty much has taken care of it. And there wasn't really sort of, as far as I've seen, anything more malicious or more sophisticated behind this malware. There's no official statement yet from the Xubuntu website. They just disabled the download links for now. There is, however, a statement from Sean Davis, who is one of the maintainers here of Xubuntu, stating that they suspect or know that it's some kind of WordPress compromise. And they're sort of waiting a little bit on Canonical, the company behind Ubuntu, to resolve this issue. The main Ubuntu site download was not affected by this. So this was just Xubuntu. I have no real idea how popular that is compared to the official Ubuntu distribution. So whether or not people prefer Xubuntu, I doubt it. I think it's probably at least an order of magnitude or so less downloads than Ubuntu itself. Either way, if you downloaded Xubuntu this weekend, and the entire compromise stretched for about 12 hours, I believe, on Sunday, you should double-check that you downloaded the right thing. And then, you know, if you sort of manage a larger network, maybe go a little bit hunting and see if anybody downloaded this malware this weekend.

Then let's talk about a couple of vulnerabilities. First of all, Squid, the proxy web server. Well, it suffers from an information disclosure in error handling. No idea why this was assigned a CVSS score of 10. Again, that certainly sounds inflated. Not a lot of details here. But what usually happens in these kind of vulnerabilities is that if you configure the default error messages, if the user triggers an error, things like headers, which may include authentication cookies and such, are being echoed back as part of the body of the page, which then, of course, can be accessed because now you're no longer restricted by things like HTTP only or other properties that may prevent JavaScript access and such to the value of these cookies. So, yes, you want to address this. It's not a 10. I would say probably something like a 7 or such, depending on how you exactly are able to trigger this vulnerability.

And then we have a vulnerability notice for Lanscope Endpoint Manager. It affects the on-premise solution. A single malformed network packet may lead to arbitrary code execution due to this vulnerability. And apparently this vulnerability is already being exploited. So, something that you must patch quickly.

And well, that's it for today. So, thanks for listening. Thanks for liking and recommending this podcast. And talk to you again tomorrow. Bye.
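The "accuracy" discussed for pool.ntp.org is the clock offset an NTP client derives from one request/response exchange. As an added example (not from the ISC diary or the podcast), this client-side computation follows the RFC 5905 on-wire formulas for offset and round-trip delay and applies the sanity checks a client should make before trusting a reply; the server response and the client's clock skew are constructed here so it runs offline.

```python
import struct

# NTPv4 header (RFC 5905) is 48 bytes; timestamps are 64-bit fixed point: 32 bits seconds | 32 bits fraction
NTP_FMT = "!BBbbIIIQQQQ"
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix epoch)

def ntp_seconds(fixed: int) -> float:
    """Convert a (possibly negative) 32.32 fixed-point interval to float seconds."""
    return fixed / 2**32

def build_client_request(t1: int) -> bytes:
    """Client packet: LI=0, VN=4, Mode=3; only the transmit timestamp is filled in."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return struct.pack(NTP_FMT, first_byte, 0, 0, 0, 0, 0, 0, 0, 0, 0, t1)

def build_server_response(orig: int, recv: int, xmit: int, stratum: int = 2) -> bytes:
    """Constructed server reply (Mode=4), standing in for a live pool.ntp.org server."""
    first_byte = (0 << 6) | (4 << 3) | 4
    return struct.pack(NTP_FMT, first_byte, stratum, 6, -20, 0, 0, 0, recv, orig, recv, xmit)

def measure(response: bytes, t1: int, t4: int) -> dict:
    """Sanity-check a reply and compute clock offset and round-trip delay.
    t1/t4 are the client's own send and receive timestamps (NTP fixed point)."""
    if len(response) < 48:
        raise ValueError("short NTP packet")
    first, stratum, *_, orig, t2, t3 = struct.unpack(NTP_FMT, response[:48])
    if (first & 0x07) != 4:
        raise ValueError("not a server reply (mode != 4)")
    if not 1 <= stratum <= 15:
        raise ValueError("stratum 0 (kiss-o'-death) or 16 (unsynchronized): do not use")
    if orig != t1:
        raise ValueError("origin timestamp does not echo our request: stray or spoofed reply")
    offset = (ntp_seconds(t2 - t1) + ntp_seconds(t3 - t4)) / 2  # how far our clock is from the server's
    delay = ntp_seconds((t4 - t1) - (t3 - t2))                  # round trip minus server processing time
    if delay < 0:
        raise ValueError("negative delay: inconsistent timestamps")
    return {"stratum": stratum, "offset_s": offset, "delay_s": delay}

def demo() -> dict:
    """Synthetic exchange: client clock 125 ms behind the server, 31.25 ms one-way delay, ~3.9 ms processing."""
    base = (1761100000 + NTP_EPOCH_OFFSET) << 32  # arbitrary 2025 instant on the client's clock
    one_way, skew, proc = 2**27, 2**29, 2**24      # exact 32.32 fractions: 31.25 ms, 125 ms, ~3.9 ms
    t1 = base                                      # client sends
    t2 = t1 + one_way + skew                       # server receives, stamped with its (faster) clock
    t3 = t2 + proc                                 # server transmits
    t4 = t3 - skew + one_way                       # client receives, back on its own clock
    assert len(build_client_request(t1)) == 48
    return measure(build_server_response(orig=t1, recv=t2, xmit=t3), t1, t4)

if __name__ == "__main__":
    print(demo())  # {'stratum': 2, 'offset_s': 0.125, 'delay_s': 0.0625}
```

Against a real pool server, t1 and t4 would be read from the local clock around a UDP/123 exchange, and the offset would be the value the diary's accuracy distribution is built from.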