Podcast Detail

SANS Stormcast Monday, July 13th, 2026: Progress Sharefile Shutdown; U-Boot Vuln; More Nightmare Eclipse; Cisco AI Response

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10004.mp3

Podcast Logo
Progress Sharefile Shutdown; U-Boot Vuln; More Nightmare Eclipse; Cisco AI Response
00:00

My Next Class

Click HERE to learn more about classes Johannes is teaching for SANS

Podcast Transcript

 Hello and welcome to the Monday July 13th, 2026 edition
 of the SANS Internet Storm Center's Stormcast. My name is
 Johannes Ullrich, recording today from Washington DC. This
 episode is brought to you by the SANS.edu Master's Degree
 Program in Information Security Engineering. If you
 are a user of the Progres Sharefile Server made by
 Progres Software, you probably received an email in the last
 couple days stating, and I quote here from the email, you
 must manually shut down the server hosting your storage
 zone controllers. This is a critical additional step to
 ensure the safety of your data. End quote. Essentially
 what they are saying is that if your Sharefile Storage Zone
 controller is exposed to the internet, there is a credible
 external security threat, as they are calling it, that
 targets these kind of systems. And yes, your best bet is to
 shut things down. And it also then states that you can
 expect to hear from us in the next 24 hours. Well, this
 email was sent more than 24 hours ago. So I'm not sure if
 anybody has received the email since then. At least I haven't
 seen anything publicly posted. There is nothing really on the
 Progres website. There is on the status website for
 Sharefile a note that there is an unresolved issue. But
 again, it's still marked as unresolved. So nothing really
 seems to be released here in terms of like a patch, a fix
 or a configuration update or anything like that. Remember
 that Progres software has been at the center of a number of
 significant ransomware incidents in the past. So
 certainly they have been targeted. And I would highly
 recommend that you follow their advice. And Biterly
 published a blog post with details regarding several
 vulnerabilities in the U-Boot bootloader. Now, U-Boot is a
 very popular bootloader. I see it a lot in networking
 equipment, IoT and the like. It's not necessarily as
 popular as some or as well known, I should say, as some
 of the less popular bootloaders that you sort of
 see in Linux and such like Krupp and the like. But still
 very important, very frequently used, but often
 used sort of more behind the scenes. Binerly found a number
 of vulnerabilities here. And the problem with a
 vulnerability in a bootloader is that essentially someone
 could then use invalid, corrupt, malicious operating
 system images and as a result sort of lead to a further
 permanent compromise of the system. I have to point out
 that Binerly here went the extra mile. They didn't just
 publish a blog post complaining about the
 vulnerabilities. They worked with the U-Boot maintainers.
 It's an open source project and even provided some patches
 for these vulnerabilities. So patches are available.
 Applying them will be a little bit tricky because usually you
 get it sort of as part of the device firmware. So you may
 have to wait here for the vendor to sort of step up and
 incorporate these patches into respective updates. Well, then
 we have the next chapter in the Nightmare Eclipse saga.
 Last week, Microsoft published a fix for the rogue planet
 vulnerabilities. This was a privilege escalation in
 Microsoft Defender. According to Nightmare Eclipse, there is
 a bug in that fix that allows the attacker to essentially
 just lock the entire disk. Basically, all the free space
 is being locked so that to any other process it appears that
 the data disk is full. Interesting vulnerability.
 Don't think it's all that terrible secure. Also,
 exploitation, while outlined in the post by Nightmare
 Eclipse, isn't terribly straightforward. Certainly
 something I think that one can live with in a fix that
 actually prevents approach escalation vulnerability. And
 I guess now it's up to Microsoft to provide the next
 round here in form of a fix for this vulnerability. Well,
 then Cisco is the latest vendor to join others in
 releasing patches more frequently. Reason of course
 is AI and the faster development lifecycle for
 exploits. So Cisco will now release patches twice a month
 on the second and fourth Wednesday of each month and
 still provide a seven day advance notice to customers.
 Well and that's it for today. Thanks for listening. Thanks
 for liking. Thanks for recommending and subscribing.
 And today I'll also be speaking here at Science Fire
 in DC at 7pm about some of the future ideas we are having
 with the Internet Storm Center, how to improve our
 honeypots with the use of AI. And I hope to see some of you
 there and thanks and talk to you again tomorrow. Bye.