SANS Stormcast Tuesday, March 24th, 2026: Tax Scam to EDR Kill; Netscaler Patches; gRPC-Go Authz Bypass;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9862.mp3


From W-2 to BYOVD: How a Tax Search Leads to Kernel-Mode AV/EDR Kill
https://www.huntress.com/blog/w2-malvertising-to-kernel-mode-edr-kill

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-3055 and CVE-2026-4368
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300

gRPC-Go Authorization bypass via missing leading slash in :path CVE-2026-33186
https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3

Podcast Transcript

 Hello and welcome to the Tuesday, March 24th, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today in
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Graduate Certificate Program in Cyber
 Defense Operations. Well, in diaries today, Jim has
 another win for allowing AI to do security reviews of your
 code. Jim has published numerous different forensics
 and reverse analysis tools as part of his GitHub repo. Well,
 he has now had it security reviewed by Claude Code and
 has actually found a number of interesting vulnerabilities,
 some a little bit standard, like for example, in his mail
 analyzer, there was sort of a header injection issue. It was
 kind of interesting, but also some a little more subtle
 ones, like for example, time-of-check, time-of-use
 vulnerabilities. Well, if you're using any of Jim's
 tools, please update; all the patches have been released to
 the GitHub repo. Let's start today a little bit with an
 awareness item. And we are coming up here in the
 United States on the tax filing season; the deadline is
 April 15th. And with that, there's always an increase in
 scams attempting to get people to download software or reveal
 their information to websites claiming to be associated with
 tax filings. Well, this year, according to Huntress, there
 is one particular trick that they're seeing, and that's
 basically fake Google ads. So, well, the Google ads are
 actually real, but they're leading to malicious or fake
 products. And these products are like PDF fillers and
 things like that, that may come handy if you're trying to
 fill out a tax form. Also, some of these attacks are then
 redirecting users to fake browser updates. But what I
 found interesting is that they're not just simple, well,
 you know, let's download some software and steal some
 information or some basic phishing, as we have seen in
 the past. But they're also including bring your own
 vulnerable driver exploits, which basically means that
 they have the ability to kill endpoint protection software.
 So definitely a little bit of an escalation in the
 sophistication of the malware seen around these tax scams.
 Well, and then we have a couple of patches to talk
 about today. First of all, Citrix released updates for
 Netscaler ADC and Netscaler Gateway. Well, these products
 have often been a little bit problematic when it comes to
 security. And in the latest update, there's one, I think,
 that particularly sort of concerns me. And this is an
 out-of-bounds read. It does not require any authentication
 to be exploited. However, it does require that Citrix ADC
 or Citrix Gateway is configured as a SAML identity
 provider. They don't really go into details what you could do
 with an out-of-bounds read. But typically, there is some
 kind of memory leak. And given that it does affect the SAML
 component, there's certainly a chance that maybe assertions
 being sent to another user or so can be retrieved here. And
 again, this does not require any authentication. CVSS score
 of 9.3. The second vulnerability does require
 that the appliance is configured as a VPN. It's not
 really that critical, in my opinion. Also, CVSS score only
 7.7. It's a race condition where user sessions could be
 mixed up. Race conditions tend to be tricky to exploit. And
 again, no detail here how difficult this exploit may be
 in this particular case. And then we've got an interesting
 vulnerability in Go, in particular, in the Golang gRPC
 Go server. So this allows you to basically implement APIs in
 Go. Now, when you're using HTTP/2, the URL is not
 transmitted as sort of in HTTP/1.1 with sort of the start
 line. Instead, there is a special :path header that is
 being used as part of the URL. And that :path header should
 start with a slash. Well, turns out that Go is not
 really all that picky and does accept paths that don't start
 with a slash. It still maps them correctly. But now you
 have sort of a disconnect between what is actually then
 being served and what access control rules are considering
 the valid path. So this can then lead to authorization
 bypass. And certainly an interesting vulnerability,
 something that's probably easy to exploit in many cases. And
 yes, if you are using gRPC Go, definitely make sure that you
 update your application quickly. Well, and that's it
 for today. Thanks for listening. Thanks for liking.
 And special thanks to all of those who ever sort of tell
 me, well, I missed a particular vulnerability that
 I should have covered or I, well, covered one that really
 wasn't that important. So any feedback like this is always
 welcome and talk to you again tomorrow. Bye.
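The gRPC-Go item above describes a disconnect between the :path value a server routes on and the string an authorization rule compares against. The Go program below is an added example written for this page; it is not code from gRPC-Go, from the advisory, or from the podcast. It models that gap with a simplified lenient router (a stand-in for a server that tolerates a missing leading slash, not gRPC-Go's real dispatch code), a naive deny-list check that compares the raw :path verbatim, and a fail-closed check that canonicalises the method name first. The service and method names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed policy for this example: full method names, in the
// "/package.Service/Method" form gRPC-Go hands to interceptors, that an
// unauthenticated caller must never reach. The names are hypothetical.
var deniedMethods = map[string]bool{
	"/admin.Admin/DeleteUser": true,
	"/admin.Admin/DumpConfig": true,
}

// lenientRoute stands in for a server that tolerates a :path without the
// leading slash and still resolves it to the same service and method.
// It is a simplified model of that behaviour, not gRPC-Go's own routing.
func lenientRoute(path string) (service, method string, ok bool) {
	trimmed := strings.TrimPrefix(path, "/")
	parts := strings.Split(trimmed, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// naiveAllowed is the vulnerable shape: the raw :path is compared verbatim
// against the deny-list, so "admin.Admin/DeleteUser" (no leading slash)
// is not denied even though lenientRoute dispatches it to the same handler.
func naiveAllowed(path string) bool {
	return !deniedMethods[path]
}

// canonicalMethod fails closed: anything that is not exactly
// "/Service/Method" is rejected before the policy lookup happens, so the
// string the authorizer checks is the string the router acts on.
func canonicalMethod(path string) (string, error) {
	if !strings.HasPrefix(path, "/") {
		return "", fmt.Errorf("reject :path %q: missing leading slash", path)
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("reject :path %q: not of the form /Service/Method", path)
	}
	return path, nil
}

// strictAllowed is the hardened check: canonicalise first, deny on any
// canonicalisation failure, then consult the policy.
func strictAllowed(path string) bool {
	canonical, err := canonicalMethod(path)
	if err != nil {
		return false
	}
	return !deniedMethods[canonical]
}

// Outcome pairs both authorizers' decisions with whether the lenient
// router would still dispatch the request, so the gap is visible per path.
type Outcome struct {
	Path, Service, Method string
	Routed, Naive, Strict bool
}

func evaluate(path string) Outcome {
	svc, m, routed := lenientRoute(path)
	return Outcome{path, svc, m, routed, naiveAllowed(path), strictAllowed(path)}
}

func main() {
	for _, p := range []string{
		"/admin.Admin/DeleteUser",  // denied by both checks
		"admin.Admin/DeleteUser",   // routed, passes naive, rejected by strict
		"/public.Echo/Ping",        // allowed by both checks
		"public.Echo/Ping",         // routed, strict still rejects (fail closed)
		"//admin.Admin/DeleteUser", // malformed, strict rejects
	} {
		o := evaluate(p)
		fmt.Printf("%-26s routed=%-5v naive_allow=%-5v strict_allow=%v\n",
			o.Path, o.Routed, o.Naive, o.Strict)
	}
}
```

The second row is the point of the advisory as the podcast describes it: the request is dispatched to the denied handler, yet the verbatim comparison never sees the denied string. Rejecting anything that is not already in canonical form keeps the authorizer and the router looking at the same value; prepending a slash to "repair" the path would also close this case but silently accepts input that a compliant client never sends.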