Podcast Detail
SANS Stormcast Friday, January 23rd, 2026: Scanning AI Code; FortiGate Update; ISC BIND DoS; Trivial SmarterMail Vulnerability
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9778.mp3
My Next Class
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
Is AI-Generated Code Secure?
Xavier used the free static code analysis tool Bandit to review code he wrote with heavy AI support.
https://isc.sans.edu/diary/Is%20AI-Generated%20Code%20Secure%3F/32648
Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts
Arctic Wolf summarized some of the attacks it is seeing against FortiGate devices via the insufficiently patched SSO vulnerability.
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/
ISC BIND DoS vulnerability in Drone ID Records
HHIT and BRID records, which are used as part of Drone ID, can be used to crash named if their length is 3 bytes.
https://marlink.com/resources/knowledge-hub/isc-bind-vulnerability-discovered-and-disclosed-by-marlink-cyber/
SmarterTools SmarterMail Password Reset Vulnerability
SmarterTools recently patched a trivial vulnerability in SmarterMail that would allow anybody without authentication to reset administrator passwords.
https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
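The flaw described in this item (and in more detail in the transcript below) is an authorization check that is skipped for administrator accounts. The following is an added, hypothetical illustration in Python, not SmarterMail's code: a reset handler that applies the old-password check only to non-admin users, beside a hardened handler that requires proof of the current password for every account.

```python
# Added example, not SmarterTools' code. Models the class of bug described
# in the write-up: the old-password check is conditional on the account role.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_admin: bool
    salt: bytes
    pw_hash: bytes


def hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept low-ish so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(name: str, is_admin: bool, password: str) -> User:
    salt = os.urandom(16)
    return User(name, is_admin, salt, hash_pw(password, salt))


def _old_password_ok(user: User, old_password) -> bool:
    if old_password is None:
        return False
    return hmac.compare_digest(hash_pw(old_password, user.salt), user.pw_hash)


def reset_password_vulnerable(user: User, old_password, new_password: str) -> bool:
    # Flaw: only non-admin accounts must prove the current password, so an
    # unauthenticated caller (old_password=None) can reset any admin password.
    if not user.is_admin and not _old_password_ok(user, old_password):
        return False
    user.salt = os.urandom(16)
    user.pw_hash = hash_pw(new_password, user.salt)
    return True


def reset_password_hardened(user: User, old_password, new_password: str) -> bool:
    # Fix: the check does not depend on the role. A "forgot password" flow that
    # legitimately lacks the old password must use a separately verified,
    # single-use token instead of a role-based exemption.
    if not _old_password_ok(user, old_password):
        return False
    user.salt = os.urandom(16)
    user.pw_hash = hash_pw(new_password, user.salt)
    return True
```

A regression test that asserts an admin reset fails without the current password is the cheapest way to keep this branch from reappearing.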
Podcast Transcript
Hello and welcome to the Friday, January 23rd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in industrial control system security. And I mentioned yesterday, but we are currently looking for people to fill in our SOC survey. So if you haven't gotten around to it yet, a link to it can be found on the Internet Storm Center's homepage. Well, Xavier today looked at a new tool, Bandit. Bandit is a tool that allows you to do static code analysis of Python scripts. Xavier writes a lot of Python and lately also a lot of Python with AI. And there's of course a lot of issues that people run into when they are using AI for coding. And in this particular case, it's a script that Xavier wrote. It's about a thousand or so lines long. So a pretty good size for a Python script. And he looked at Bandit to give an idea whether or not the script is reasonably secure. Well, it turned out it was actually reasonably secure. It had some minor issues, but then of course, all depends, as Xavier points out, how the particular script is used, whether or not these issues matter. A lot of the static code analysis is sometimes a little bit mechanical in that sense. When it comes to using AI tools, like for vibe coding, as it's often referred to, one of the important things, first of all, is that you design your prompt correctly. And Xavier gives you some hints there in how to do that and what to look for here. And in my personal experience, it also helps a lot if you actually know how to code and use AI sort of more as an assistant versus having it write all of the code by itself. That way, you sort of do a little bit of review anyway, as you're checking what the AI tool created for you.
And that also usually helps with a lot of logic flow issues and such, and some of the less mechanical vulnerabilities that a tool like this may not find. And then we have a quick update about the recent hacks against FortiGate devices. I mentioned that yesterday that the old patch that was released in December for the single sign-on vulnerability apparently wasn't quite good enough and is still being exploited. Arctic Wolf now did summarize its observations in that matter. And what they found is that, yes, this is definitely a problem. And attackers are using this particular vulnerability to exfiltrate the configurations of devices. So if you are affected, you must reset your credentials that you're using to access the device. And yes, then again, the workaround that was published back in December still applies and is still something that you probably must deploy. I haven't seen anything yet from Fortinet. I just looked before starting to record this podcast. But take a look and see if by the time you're listening to this, there is something from Fortinet. A little bit late in that sense, because this is now going on for at least two days, in the sense that it has become public. And the attacks apparently have sort of never really been, have never stopped really since December when they were originally spotted. Well, and then we have an interesting denial of service vulnerability in the ISC BIND name server. This vulnerability is something that I initially didn't really plan to cover because it's just a denial of service vulnerability. But there's an interesting spin to it, which sort of caught my attention. And that's the record types being affected here. There are two record types. One is the HHIT record. Then we have the DRID record or BRID record. Record types you probably haven't really heard about unless you're dealing with drones. So these record types are part of the DRIP, the drone ID system.
If you're somewhat familiar with drones, you may know that some drones are broadcasting or beaconing an ID value. And this DNS extension allows you to essentially use DNS to then look up additional information based on this ID. And these IDs are, well, conveniently 128 bits, which kind of makes them IPv6 addresses. And there's even an IPv6 prefix set aside for these IDs. The vulnerability is actually relatively straightforward to exploit. All you need is one of those BRID or HHIT records with a length of three bytes. They're usually longer. And that will cause the named name server to outright crash. So exploitation is pretty straightforward. And even if you don't specifically support these records, well, the name server supports them. So all an attacker needs to do is somehow trick your name server into looking up one of those record types. And we got an almost funny vulnerability here. SmarterTools' SmarterMail. Well, they may be smart, but they're not secure. And watchTowr wrote up a recently patched vulnerability in SmarterMail that affects their password reset API. The vulnerability almost looks like a backdoor. If you are an administrator and if you are resetting an administrator's password, you do not need to provide the old password to the API. So completely without authentication, you may change the administrator's password. Interestingly, if you are a normal user, then the old password is required in order to reset the password via the API. So very weird authentication vulnerability here that then leads to anybody being able to reset the administrator's password without any authentication. Well, and that's it for today. So thanks again for listening. Thanks for liking. Thanks for subscribing to this podcast. And talk to you again on Monday. Bye. Bye.