SANS ISC Stormcast Jan 31st 2025: Old Netgear Vuln in Depth; Lightning AI RCE; Canon Printer RCE; Deepseek Leak;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9304.mp3

PCAPs or It Didn't Happen: Exposing an Old Netgear Vulnerability Still Active in 2025 [Guest Diary]
https://isc.sans.edu/diary/PCAPs%20or%20It%20Didn%27t%20Happen%3A%20Exposing%20an%20Old%20Netgear%20Vulnerability%20Still%20Active%20in%202025%20%5BGuest%20Diary%5D/31638

RCE Vulnerability in AI Development Platform Lightning AI
Noma Security discovered a neat remote code execution vulnerability in Lightning AI. This vulnerability is exploitable by tricking a logged-in user into clicking a simple link.
https://noma.security/noma-research-discovers-rce-vulnerability-in-ai-development-platform-lightning-ai/

Canon Laser Printers and Small Office Multifunctional Printer Vulnerabilities
Canon fixed three different vulnerabilities affecting various laser and small office multifunctional printers. These vulnerabilities may lead to remote code execution, and there are some interesting exploit opportunities.
https://www.usa.canon.com/support/canon-product-advisories/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers

Deepseek ClickHouse Database Leak
https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak

Podcast Transcript

 Hello and welcome to the Friday, January 31st, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich and today I'm recording from
 Jacksonville, Florida. In today's diaries we have a deep
 dive by David Watson, one of our undergraduate interns,
 into an older Netgear vulnerability, good old DGN
 2200 V1 and DGN 1000 versions. These routers are no longer
 supported but what's always surprising is how many attacks
 we're seeing for these particular vulnerabilities. So
 David took a closer look and actually did a real nice deep
 dive into these vulnerabilities, how they
 exactly work and how they are being exploited. Real neat
 here, even though the vulnerability itself of course
 is well known, still it's out there and a good reminder.
 Keep patching your routers, as I always say, once a month.
 Put a note in your calendar, check if your router firmware
 is up to date. And yes, the real big problem here is that
 some of these devices are end of life and that's sometimes
 actually real difficult to detect or even realize that
 your device no longer receives any updates. That's hopefully
 one of the things that this new cybersecurity label that's
 supposed to come out is going to fix because it's part of
 that specification. Routers are supposed to provide
 basically some kind of end of life date and indicator when
 the router will no longer be updated. And VMware patched
 five different vulnerabilities in VMware Aria Operations as
 well as Aria Operations for Logs. The CVE numbers of some
 of them may be a little bit on the low side. In particular,
 one that's a broken access control vulnerability that
 does allow a normal user to execute commands as an
 administrator. Only has a 4.3. The highest CVSS score
 actually here is an information disclosure
 vulnerability. And that has a CVSS score of 8.5. Would
 certainly recommend patching it given some of the history
 with attackers targeting some of these VMware products. But
 at this point, there is no known exploit available. And
 the vulnerability was reported internally. So it's not
 already being exploited. And yes, we also have vulnerable
 security tools again. And this time, it's at least not the
 big enterprise one, but an open source one. So I'll give
 them a little bit of a pass here. NetAlert X suffers from
 an unauthenticated remote code execution vulnerability. This
 particular tool is often used as a Wi-Fi intrusion detection
 system. So trying to figure out users that are scanning or
 trying to penetrate your Wi-Fi network. There are lots of
 details available about this vulnerability. So it's
 certainly exploitable. No exploit seen in the wild yet
 as far as I'm aware of. It also comes with an
 unauthenticated file read vulnerability that's being
 leveraged here. Definitely something that you do want to
 patch in particular given that this particular product is
 somewhat exposed in its role as a wireless IDS. And Canon
 released an update for its laser printers and small
 office multifunction printers fixing three different
 vulnerabilities with a CVSS score of 9.8. Some of them
 leading to unauthenticated remote code execution. What
 does save the day here a little bit is that this is not
 necessarily something that's easily exploited sort of
 remotely. These printers are typically not exposed to the
 internet. So interesting vulnerabilities, however, like
 for example, in TIFF data EXIF tag processing. I could see
 where maybe it's being exploited by tricking the
 victim into printing a malicious document. Have to
 look a little bit closer at some of these vulnerabilities.
 But I think there are some neat sort of unique exploit
 opportunities here with these vulnerabilities. And well,
 then in closing, we do have another AI related story, but
 it's really more a story about if you're developing new
 tools, you still have to worry about old vulnerabilities. And
 well, essentially, good old known best practices. Wiz
 research uncovered an exposed DeepSeek database. DeepSeek, of
 course, has caused a lot of news this week. In this
 particular case, there is a ClickHouse database.
 ClickHouse being one of those NoSQL style databases. It's an
 open source database that they left completely exposed. And
 this database apparently was used to also store users' chat
 history. So essentially prior queries to DeepSeek and lots of
 additional details were able to be recovered from this
 database. This is really a flaw that's not at all related
 to AI. It's something that we had for years and years with
 similar database, whether it's MongoDB, whether it's S3
 buckets, it's all the same thing. Don't leave your crap
 exposed to the internet. And with that, thanks again for
 listening and talk to you again on Monday. Bye.
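The DeepSeek story comes down to a database that was reachable from the internet without a credential. Below is an added example, written for this page and not code from the podcast, ISC, Wiz or the ClickHouse project, showing the defender-side check: a small audit of ClickHouse's two XML files for exactly that pattern. It assumes the standard ClickHouse layout (users.xml with `<users><NAME>` entries carrying `<password>` / `<password_sha256_hex>` and a `<networks><ip>` allow-list; config.xml with one or more `<listen_host>` entries). The weak and hardened sample documents are constructed for the example; the hash in the hardened file is a placeholder, not a real digest.

```python
"""Audit ClickHouse XML configuration for an internet-exposed, unauthenticated
database. Added example; assumes the standard users.xml / config.xml layout.
The sample XML below is constructed for this example."""
import xml.etree.ElementTree as ET

ANY_NETWORK = {"::/0", "0.0.0.0/0"}   # allow-list entries that match every client
ANY_INTERFACE = {"::", "0.0.0.0"}     # listen_host values that bind every interface
PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")

# Constructed sample: empty password for 'default', allow-list ::/0, bound to all interfaces.
WEAK_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

WEAK_CONFIG_XML = """<clickhouse>
  <listen_host>0.0.0.0</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""

# Constructed sample: hashed credential, allow-list limited to loopback and one internal range,
# server bound to loopback only. The digest is a placeholder, not a real hash.
HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password_sha256_hex>0000000000000000000000000000000000000000000000000000000000000000</password_sha256_hex>
      <networks><ip>127.0.0.1</ip><ip>::1</ip><ip>10.20.0.0/16</ip></networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

HARDENED_CONFIG_XML = """<clickhouse>
  <listen_host>127.0.0.1</listen_host>
  <listen_host>::1</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""


def _text(elem):
    """Stripped text of an element, or '' when the element is missing or empty."""
    return (elem.text or "").strip() if elem is not None else ""


def unauthenticated_open_users(users_xml):
    """Names of users that carry no credential and whose allow-list admits any client."""
    users = ET.fromstring(users_xml).find("users")
    result = []
    for user in ([] if users is None else list(users)):
        has_secret = any(_text(user.find(tag)) for tag in PASSWORD_TAGS)
        nets = [_text(ip) for ip in user.findall("networks/ip")]
        # Assumption of this example: a user with no <networks> block is treated as
        # unrestricted; a wildcard entry is unrestricted in any case.
        open_to_all = not nets or any(n in ANY_NETWORK for n in nets)
        if not has_secret and open_to_all:
            result.append(user.tag)
    return result


def binds_all_interfaces(config_xml):
    """True when any <listen_host> binds every interface."""
    hosts = [_text(h) for h in ET.fromstring(config_xml).findall("listen_host")]
    return any(h in ANY_INTERFACE for h in hosts)


def audit_clickhouse(users_xml, config_xml):
    """Return (severity, message) findings; the combination of an unauthenticated,
    unrestricted user and a wildcard bind is the exposure class behind the leak."""
    findings = []
    open_users = unauthenticated_open_users(users_xml)
    for name in open_users:
        findings.append(("high", f"user '{name}': no password and allow-list admits any address"))
    bound_all = binds_all_interfaces(config_xml)
    if bound_all:
        findings.append(("medium", "server binds every interface (listen_host wildcard)"))
    if open_users and bound_all:
        findings.append(("critical", "unauthenticated access from any network that can reach this host"))
    return findings


if __name__ == "__main__":
    for label, u, c in (("weak", WEAK_USERS_XML, WEAK_CONFIG_XML),
                        ("hardened", HARDENED_USERS_XML, HARDENED_CONFIG_XML)):
        print(label, audit_clickhouse(u, c) or "no findings")
```

The two checks are deliberately separate: binding to loopback alone is not enough if the host is later reverse-proxied, and a password alone is not enough if the allow-list is `::/0` and the credential is weak. Run the audit against both files before a host is given a public address, and treat a "critical" finding the same way you would treat an open MongoDB or a public S3 bucket.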