
SANS Stormcast Thursday, September 11th, 2025: BASE64 in DNS; Google Chrome, Ivanti and Sophos Patches; Apple Memory Integrity Feature

If you cannot play the podcast using the player below, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9608.mp3


BASE64 Over DNS
The base64 alphabet includes characters, such as the slash and the equals sign, that are not allowed in DNS host names. However, some implementations will still work even when these “invalid” characters are present.
https://isc.sans.edu/diary/BASE64%20Over%20DNS/32274
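The point of the diary, and of the transcript below, is that a consumer of DNS data cannot assume the protocol only hands back well-formed names, so the structure of every answer has to be checked. The following example is added here and is not code from the ISC diary: it checks names against the letters-digits-hyphen rule and runs that check over a constructed query log to flag names whose labels carry base64 padding or decode as base64. The log format and the example.net names are assumptions.

```python
import base64
import re

# RFC 1035 "preferred name syntax" with the RFC 1123 relaxation: a label is
# 1-63 letters, digits or hyphens and may not start or end with a hyphen.
# The base64 alphabet adds '+', '/' and the '=' padding, none of which fit.
_LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def invalid_labels(name: str) -> list:
    """Return the labels of `name` that break the LDH rule; [] means the name is clean."""
    name = name.rstrip(".")  # tolerate a trailing root dot
    if len(name) > 253:      # whole-name limit from RFC 1035 section 2.3.4
        return [name]
    return [lbl for lbl in name.split(".") if not _LDH_LABEL.match(lbl)]

def looks_like_base64(label: str) -> bool:
    """True if the label carries base64-only characters and decodes as strict base64."""
    if not any(c in "+/=" for c in label):
        return False
    try:
        base64.b64decode(label, validate=True)
        return True
    except ValueError:       # binascii.Error (bad alphabet/padding) is a ValueError
        return False

# Constructed resolver query log (not real traffic); one key=value record per line.
CONSTRUCTED_LOG = """\
2025-09-11T10:00:01Z client=10.0.0.5 type=TXT qname=www.example.com.
2025-09-11T10:00:02Z client=10.0.0.5 type=TXT qname=aGVsbG8=.c2.example.net.
2025-09-11T10:00:03Z client=10.0.0.7 type=A qname=mail.example.org.
2025-09-11T10:00:04Z client=10.0.0.9 type=TXT qname=cGluZw==.c2.example.net.
"""

def flag_dns_log(log_text: str) -> list:
    """Return (client, qname, reasons) for every record whose qname is not LDH-clean."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip(): continue
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])  # [0] is the timestamp
        qname = fields.get("qname", "")
        bad = invalid_labels(qname)
        if not bad:
            continue
        reasons = [f"label {lbl!r} violates the LDH rule"
                   + (" and decodes as base64" if looks_like_base64(lbl) else "")
                   for lbl in bad]
        findings.append((fields.get("client", "?"), qname, reasons))
    return findings
```

The same `invalid_labels` check applies to names found in answers (a CNAME or NS target, for instance), which is where the diary's nslookup observation matters.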

Google Chrome Update
Google released an update for Google Chrome, addressing two vulnerabilities. One of the vulnerabilities is rated critical and may allow code execution.
https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_9.html

Ivanti Updates
Ivanti patched a number of vulnerabilities, several of them critical, across its product portfolio.
https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs

Sophos Patches
Sophos resolved an authentication bypass vulnerability in the Sophos AP6 series wireless access point firmware (CVE-2025-10159).
https://www.sophos.com/en-us/security-advisories/sophos-sa-20250909-ap6

Apple Introduces Memory Integrity Enforcement
Alongside the new hardware announced at yesterday’s event, Apple introduced Memory Integrity Enforcement, a memory-safety feature that relies on that new hardware.
https://security.apple.com/blog/memory-integrity-enforcement/

Podcast Transcript

Hello and welcome to the Thursday, September 11th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

Well, today's diary was inspired by a story I covered last week about a botnet that used DNS for remote command and control, but they encoded the commands using base64. Didier today noticed, well, hey, base64 actually contains a couple of characters like the slash and the equal symbol that must not show up in DNS host names. So how did they actually do it? Well, it turns out, as so often, that sometimes things that aren't supposed to work still work under certain circumstances. And what Didier found out is that, for example, nslookup, if some of these odd characters are being returned, well, it works just fine with nslookup. This is actually an important lesson that I often cover when I'm talking about web application security, that you can't really trust that protocols like DNS only return valid content. I think it was a few years ago I've written about this, and maybe I have to write about it again, because I'm not sure where it ended up. But for example, it is certainly possible to do things like SQL injection and cross-site scripting over DNS if you're not careful in cleaning up and validating responses you're getting back via DNS. Very famously, Whois, of course. Now, that's just plain text. There are a number of Whois entries that have existed in the past with exploits in them. And yes, you know, whenever you get any content back from external systems, you have to make sure that their content actually matches the structure that you are expecting.

We have a little bit of patch news to clean up, and that's usually about, well, patches that were released yesterday that we just didn't cover because of all the patches released by Microsoft and a couple of others. The first one I want to cover here is Google Chrome released an update fixing two security vulnerabilities, one of them being critical. And well, that's a use after free in service worker. So definitely a potential here for remote code execution. So definitely update. But Google Chrome, as I often say, is pretty good about updating itself. Make sure you restart Google Chrome once a day.

And we got patches from Ivanti fixing a number of different products, essentially an entire sort of remote access style suite that they have, which includes Connect Secure, Ivanti Policy Secure, ZTA Gateway, Neurons for Secure Access. So a number of different but somewhat similar products. The first vulnerability here, they call it missing authorization, and then describe it as allowing a remote authenticated hacker to hijack existing HTML5 connections. I believe they're talking here about WebSocket connections. There have been similar vulnerabilities before, and they have been exploited. So there are templates essentially available for how to exploit these types of vulnerabilities, which makes it more likely that they actually will be exploited in the future. The second vulnerability here is a cross-site request forgery vulnerability in the same set of products. This particular one does allow a remote unauthenticated hacker to execute sensitive actions. So the way a cross-site request forgery attack usually works is that a logged-in victim, while they're still logged in, is visiting a site that the attacker controls. And then the attacker can essentially sort of remote control the browser and perform actions on behalf of the victim. So these would be more targeted attacks. They're less likely going to be sort of widespread, sort of big-number-of-victims attacks. As a good measure, of course, logging out of sites is always a good thing. But we're talking here about the secure access products, where users legitimately may be logged in pretty much all day in order to interact with internal systems and such. And so logging out is not necessarily a valid countermeasure in this particular case. So patch, apply the updates, and hopefully, well, we won't see an exploit for any of these vulnerabilities too soon.

And then we got Sophos releasing new firmware for its access points, the AP6 series. Well, fixing an authentication bypass vulnerability that they're considering critical. Definitely update. Not a lot of detail available yet about what the exact authentication bypass vulnerability is all about in these access points.

And then, well, also some good news from a defensive point of view. Yesterday, Apple, of course, released a lot of new hardware and such. But what they didn't mention is that this also included a new security feature that's supported by this new hardware. They published this blog post to explain a little bit what's happening here. They call it Memory Integrity Enforcement. And essentially what it does is it allows hardware and software to work together to make things like buffer overflows and memory allocation issues less likely to happen and to be exploitable. Looks interesting. It's also based on some prior work from others like, I believe, Google and such that have proposed similar things. They now made it work in their, again, latest hardware. It's not going to really affect any older devices. However, they already introduced some new constructs here, new APIs and such, to basically make it easier to write memory safe code on Apple devices in general. And overall, what they're trying to fight here is somewhat of the high-end nation state like spyware and such that we often have seen infect particular mobile devices. So that's really what they're going after here.

Well, and this is it for today. Thanks for listening. Thanks for subscribing. Thanks for recommending this podcast. And that's it. Thanks. And talk to you again tomorrow. Bye.