SANS Stormcast Friday, May 15th, 2026: Website Fraud; Outlook Link Preview Bug; NGINX Vuln; Cisco 0-Day

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9934.mp3


Podcast Transcript

Hello and welcome to the Friday, May 15th, 2026 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich, recording today from San Diego, California. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

Well, today we have actually two diaries to talk about. The first one comes again from one of our undergraduate interns. Joshua Nicholson is writing about how to inspect a website to see if it may be fraudulent. These are often these fairly cheap consumer goods websites that offer various items at a real good price but don't really look quite legit, in part because of the design and the way the sites are created. So it's always a little bit difficult to figure out if they actually offer a valid product or if they are really just interested in scamming you. Well, in this particular case Joshua offers a couple of hints that point to scam sites, like for example where product images were stolen from eBay listings and the like. And also then, sort of as the ultimate proof, Joshua actually went ahead and got a specific credit card number with a very small limit of $5 and placed an order. And in some of these cases, on some of these websites, well, the card was immediately charged multiple times from multiple vendors for various amounts that were not necessarily related to the cost of the item advertised on the site. So really good work, and I think that's a useful sort of quick sanity check on a website to figure out if it may be legitimate or not. Now, going all the way and actually trying to order something using some credit card number, that's probably too much for most people, but even the other hints are quite good in order to do a quick triage on any deal that may look a little bit too good.

And Jan came across an interesting bug, or dare I say vulnerability, in Outlook. Outlook, if you are placing a message in the junk folder, has the nice property of actually removing some of the formatting from the message, making it a little bit easier to see what, for example, links are hiding. Now Jan did just that: he had a spam message in the junk folder, but apparently the links were not displaying at all, basically the URL that the link linked to. The issue here apparently was that these links were missing the scheme or protocol, so the "http://" prefix; it just started with the hostname followed by the remainder of the URL. While these types of links are still working, basically HTTPS is then used as a default protocol in this case when you click on the link. This does make it technically an invalid URL, and it looks like Outlook in the junk folder will not display these URLs because they don't match the pattern that Outlook is expecting for URLs. This could be a problem because users are getting used to looking at the junk folder to better figure out what a particular message may be attempting to accomplish, whether it is a real message or spam or phishing, as in this case. And without the URL being displayed correctly, this of course is just getting more difficult.

The researchers from AI code security company Depth First have released a blog post with details regarding four vulnerabilities in NGINX. These vulnerabilities were disclosed to F5, and today, in sync with the release of the blog post, F5 also released patches for NGINX. I already have seen some of these patches also hit major Linux distributions. There are four different vulnerabilities that Depth First has uncovered. One of them in particular sticks out, and this deserves some attention. It's a heap-based buffer overflow in the mod rewrite module, and this vulnerability can lead to arbitrary code execution. One caveat here is that the proof of concept being released so far only works if ASLR, the address space layout randomization, is not enabled. Usually for Linux distributions this is enabled, so you have a little bit extra time left here until attackers are finding the actual exploit that also supports systems with ASLR. And Depth First stated that they believe this flaw is exploitable with ASLR enabled. It may however require a good number of requests to make the exploit work. So a proof of concept is released. The proof of concept doesn't quite work with common Linux distributions, but, well, only some changes are likely required to make it work with common Linux distributions. This is definitely one of those patches that you want to get a handle on, probably before the weekend if possible. But I know it's not always that easy to update your web server, but again, major Linux distributions have patches available.

And well, if you're not running NGINX and you have some extra time this Friday, there is also a new critical vulnerability that was patched by Cisco in the Catalyst SD-WAN controller. It's an authentication bypass vulnerability that got the distinction of a perfect 10.0 CVSS score, and yes, it's already exploited in the wild. So definitely take a look at the advisory published by Cisco. They also have some guidance here as to what to do if you believe that you're compromised, and no workaround here other than applying the patch.

Well, this is it for today, so thanks again for listening, thanks for liking, thanks for sharing this podcast with your friends. And there will be no podcast on Monday due to my travel schedule, so talk to you again on Tuesday. Bye.
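The Outlook junk-folder issue described in the episode is a general trap for any link-inspection tool: a pattern that requires "http://" or "https://" silently drops hrefs that start directly with a hostname, even though a mail client will still open them (defaulting to HTTPS). The following is an added illustration, not code from the podcast, from Outlook, or from the diary it discusses; it shows a strict, scheme-requiring extractor beside a lenient one that also surfaces scheme-less links, run over a constructed message body. The hostnames, the sample HTML, and Outlook's actual matching pattern are all assumptions; the point is the gap between the two extractors, not Outlook's internals.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message body (not from the episode). "evil-example.test"
# is a made-up placeholder hostname; the two scheme-less hrefs model the
# links that disappeared from the junk-folder view.
SAMPLE_HTML = """
<a href="https://www.example.com/account/login">Sign in</a>
<a href="www.example.com/verify?id=123">Verify now</a>
<a href="evil-example.test/reset">Reset password</a>
<a href="mailto:support@example.com">Contact</a>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Strict pattern: only hrefs that already carry a web scheme are treated as
# links. This models the behaviour the episode describes (an assumption).
STRICT_URL_RE = re.compile(r'^https?://', re.IGNORECASE)

# Hostname shape: dotted labels ending in an alphabetic TLD, optional port,
# then end of string or the start of a path/query/fragment. Used only to
# decide whether a scheme-less href is plausibly a web link.
HOSTNAME_RE = re.compile(
    r'^(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?(?:[/?#]|$)', re.IGNORECASE)

# Any other explicit scheme (mailto:, tel:, javascript:, ...).
OTHER_SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*:', re.IGNORECASE)


def extract_hrefs(html):
    """Pull raw href values out of a message body."""
    return HREF_RE.findall(html)


def strict_web_links(hrefs):
    """Keep only hrefs that start with http:// or https:// (the lossy check)."""
    return [h for h in hrefs if STRICT_URL_RE.match(h)]


def normalize_link(href):
    """Return the absolute URL a client would open, or None if not a web link.

    Scheme-less hostname/path hrefs get "https://" prepended, mirroring the
    episode's observation that clients default to HTTPS in that case.
    """
    if STRICT_URL_RE.match(href):
        return href
    if HOSTNAME_RE.match(href):
        return "https://" + href
    if OTHER_SCHEME_RE.match(href):
        return None  # mailto:, tel:, and similar are not web navigation
    return None


def lenient_web_links(hrefs):
    """Web links including scheme-less ones, normalised to absolute URLs."""
    return [n for n in (normalize_link(h) for h in hrefs) if n is not None]


def missed_by_strict(hrefs):
    """Links a reviewer would never see if only the strict extractor ran."""
    seen = set(strict_web_links(hrefs))
    return [u for u in lenient_web_links(hrefs) if u not in seen]


def link_hosts(urls):
    """Distinct destination hosts, the first thing to eyeball during triage."""
    return sorted({urlsplit(u).hostname for u in urls})


if __name__ == "__main__":
    hrefs = extract_hrefs(SAMPLE_HTML)
    print("strict :", strict_web_links(hrefs))
    print("lenient:", lenient_web_links(hrefs))
    print("missed :", missed_by_strict(hrefs))
    print("hosts  :", link_hosts(lenient_web_links(hrefs)))
```

The strict extractor reports a single link for this message, while the lenient one reports three and lists a destination host that the strict view never shows. When writing or evaluating a "show me the real URLs" feature, the check to add is exactly this: feed it hrefs with no scheme and confirm they are rendered rather than dropped.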