SANS Stormcast Friday, May 9th: SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9444.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
No Internet Access: SSH to the Rescue
If faced with restrictive outbound network access policies, a single inbound SSH connection can quickly be turned into a tunnel or a full-blown VPN.
https://isc.sans.edu/diary/No%20Internet%20Access%3F%20SSH%20to%20the%20Rescue!/31932
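A defensive counterpart to the diary's trick, added here as an example (not code from the diary or from ISC): a POSIX shell audit of the sshd_config directives that decide whether an authenticated inbound session can be turned into a port-forwarding tunnel or a tun/tap VPN. The function name and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Audits the sshd_config directives behind SSH tunnelling (added example):
#   AllowTcpForwarding  -> port forwarding (-L/-R/-D)   default: yes
#   PermitTunnel        -> tun/tap "VPN over SSH" (-w)   default: no
#   GatewayPorts        -> forwarded listeners reachable by others, default: no
# Only the global section before the first "Match" block is evaluated, and,
# as sshd does, the first occurrence of a directive wins. Whitespace-separated
# "Key value" form only. Returns 0 when all three are "no", 1 otherwise.
audit_ssh_tunnel_settings() {
    conf=$1
    rc=0
    for spec in "AllowTcpForwarding:yes" "PermitTunnel:no" "GatewayPorts:no"; do
        key=${spec%%:*}
        default=${spec#*:}
        value=$(printf '%s\n' "$conf" | awk -v k="$key" '
            tolower($1) == "match" { exit }   # conditional blocks are out of scope
            tolower($1) == tolower(k) && !seen { v = tolower($2); seen = 1 }
            END { print v }')
        [ -z "$value" ] && value=$default
        # Anything but "no" (yes, local, remote, point-to-point, ethernet)
        # leaves some form of tunnelling available to an authenticated user.
        if [ "$value" = "no" ]; then
            printf '%-20s %-15s ok\n' "$key" "$value"
        else
            printf '%-20s %-15s PERMITS TUNNELLING\n' "$key" "$value"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: a config that relies on the defaults (forwarding on)
# and a locked-down one whose Match block must not affect the global result.
SAMPLE_DEFAULT='Port 22
# AllowTcpForwarding yes   <- commented out, so the default (yes) applies'
SAMPLE_LOCKED='AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
Match User backup
    AllowTcpForwarding yes'

audit_ssh_tunnel_settings "$SAMPLE_DEFAULT" || echo "-> tunnelling possible"
audit_ssh_tunnel_settings "$SAMPLE_LOCKED"  && echo "-> locked down"
```

Run it against a real file with `audit_ssh_tunnel_settings "$(cat /etc/ssh/sshd_config)"`; a clean result still leaves SSH itself as the outbound path the diary describes, so treat this as one control among several.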
SAMSUNG magicINFO 9 Server Flaw Still Exploitable
The SAMSUNG magicINFO 9 Server vulnerability we found being exploited last week is apparently still not completely patched; current versions remain vulnerable to the exploit observed in the wild.
https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw
Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption
SentinelOne's installer is vulnerable to an exploit that allows attackers to shut down the endpoint protection software.
https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone
Commvault Still Exploitable
A recent patch for Commvault is apparently ineffective: the PoC exploit published by watchTowr still works against fully patched, up-to-date systems.
https://infosec.exchange/@wdormann/114458913006792356
Podcast Transcript
Hello and welcome to the Friday, May 9th, 2025 edition of the SANS Internet StormCast. My name is Johannes Ullrich and today I'm recording from San Diego, California. Well, Xavier is on a roll and we got another diary from Xavier. This time a little SSH trick. The problem here was that Xavier was provided with a system that only was accessible via SSH. It had no outbound connectivity. That was all blocked by the firewall and Xavier still had to basically reach out to a couple of websites to download additional tools. This quick solution here was, well, it just used the existing SSH tunnel to connect back to an HTTP proxy and from there, of course, back to the world. All you need with SSH is one single connection and then you can use it to forward ports and basically tunnel additional traffic. There's actually sort of another thing that I've used in the past a couple of times where you just run a point-to-point connection over SSH. That gives you essentially a complete VPN via SSH. Not quite as reliable as other VPN solutions. That's why I haven't really lately been using it much. But in a pinch, if all you have is SSH, that's certainly quite useful. And I've run into situations, for example, while traveling, where hotel or conference center networks were quite restricted. And, well, then something like this has sometimes saved the day.

Well, then last week I wrote about exploits of a Samsung MagicINFO 9 vulnerability. And back then I stated that, well, this vulnerability was actually patched back last August. Huntress Labs today published a blog post stating that the patch back from August probably didn't work or that there is a second very similar vulnerability. Either way, even fully patched copies of Samsung MagicINFO 9 are still exploitable against the proof of concept that was published and that the exploit attempts that we have seen are based on. So if you're using Samsung MagicINFO, which is typically used to manage the content on Samsung advertisement signage displays, well, better make sure that your install of MagicINFO is not accessible from the Internet. I'm not sure if it's possible to just shut it down while you're not making any changes. But either way, the current latest version of the software is currently being exploited by botnets like Mirai.

When it comes to endpoint detection and response systems, there is an ongoing battle between attackers and defenders where attackers are attempting to corrupt or disable the endpoint detection and response system. Now, there is a new exploit that has now been seen in the wild being used against SentinelOne doing just that. This was observed by Aon and they observed this as part of their incident response practice. The trick that the attacker exploited here was against SentinelOne that SentinelOne's upgrade process apparently wasn't properly protected. So by disabling and corrupting the update process, it was actually then possible to disable the endpoint protection on a particular host. SentinelOne has published some guidance about how to protect yourself from this particular attack. So if you're using SentinelOne, take a look at the Aon blog and see how to apply these protections.

Well, then we have another incomplete patch to report about. Commvault, I think about two weeks ago, they patched a vulnerability. watchTowr came up with a great write-up of the vulnerability, including proof-of-concept exploits. Well, Will Dormann is now reporting that he tried that proof-of-concept exploit against a fully patched version of Commvault and apparently it still works. So double-check your backup systems and make sure that you have them isolated. I haven't seen anything yet about a new updated patch for this particular software.

Well, this is it for today. So thanks for listening and talk to you again on Monday. Bye.