
SANS Stormcast Feb 12th 2025: MSFT Patch Tuesday; Adobe Patches; FortiNet Acknowledges Exploitation of FortiOS

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9320.mp3


Microsoft Patch Tuesday
Microsoft released patches for 55 vulnerabilities. Three of them are categorized as critical, two are already being exploited, and another two have been publicly disclosed. The LDAP server vulnerability could become a huge deal, but it is not clear whether an exploit will appear.
https://isc.sans.edu/diary/Microsoft%20February%202025%20Patch%20Tuesday/31674

Adobe Patches
Adobe released patches for seven products. Watch out in particular for the Adobe Commerce issues.
https://helpx.adobe.com/security/security-bulletin.html

Fortinet Acknowledges Exploitation of Vulnerability
https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Podcast Transcript

Hello and welcome to the Wednesday, February 12, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, and of course, today we have to start with Microsoft's Patch Tuesday. We got patches for 55 different vulnerabilities. Three of these are critical, two already exploited and two of the vulnerabilities have been disclosed before today. So two zero-days, and then these other two could have been zero-days, but at least we don't know of any exploitation yet.

Let me start with the vulnerability that worries me the most, but that I think is also the difficult one to really assess well. And this is an arbitrary code execution vulnerability in LDAP. This vulnerability has a ton of potential. A potential exploit would be able to essentially get to the core of what Microsoft Windows authentication is all about, the LDAP Active Directory. And with that, pretty much any Windows network is potentially vulnerable. However, at this point, we haven't really seen an exploit against this vulnerability or similar vulnerabilities that we had in prior months. Because if you remember, we had a very similar vulnerability description last month. And I think two or three months ago, there was another LDAP vulnerability like that. What you really should consider at this point is, given that we have sort of this succession of different vulnerabilities, there's always a chance that there are more coming. So keep that in mind when you're mitigating this. Keep notes if you're running into any issues with mitigation here. And then, of course, know what you do to provide additional hardening for Active Directory and LDAP in your network. Potentially, this vulnerability does not require any user interaction to exploit. With that, it's also wormable. However, of course, LDAP typically, at least I hope in your network, is not exposed to the outside, which, of course, limits the impact also somewhat of this vulnerability. So a lot depends on how exactly you're configuring your network.

As far as the already exploited vulnerabilities, those are actually not the ones that I'm super concerned about here, even though they are already being exploited. They're both privilege escalation vulnerabilities. A ton of those around. So I don't really see it as having that much impact that we have two more privilege escalation vulnerabilities.

The already disclosed vulnerabilities: there is yet another NTLM hash disclosure, spoofing vulnerability. Again, something that we pretty much have on a monthly basis. The real trick here is to get rid of NTLM hashes in your environment and, of course, not allow any outbound SMB or similar connections from your network. And then there is also a Microsoft Dynamics 365 Elevation of Privilege Vulnerability. Not the most popular software package, even though companies that do run it probably have a ton of critical data in their Microsoft Dynamics install.

Other than that, I think we're dealing here with a sort of, you know, overall average, maybe a little bit less than average, Patch Tuesday. There's also a DHCP client service remote code execution vulnerability. These are always tricky if you have users in untrusted networks and such, because you can't really firewall off DHCP in those networks. Excel and other Office vulnerabilities, again, nothing really all that fundamentally new, even though there is a critical one here also being addressed. Overall, address the patches. Watch out for the Active Directory and LDAP part, how you're going to deal with that. Again, that's the one that I would really focus my attention on. But a lot depends on how this particular service is used and configured in your network.

And then we got all the updates from Adobe for Patch Tuesday. They updated seven different products. The one that I'm always paying attention to, that also received patches again today, is Adobe Commerce. There are a number of different remote code execution vulnerabilities actually being addressed here that are triggered by a cross-site scripting vulnerability. Stored cross-site scripting specifically, definitely something that you must patch. Adobe also assigns these vulnerabilities the highest priority because of the history here: Adobe Commerce, Magento, as it used to be called, is often being specifically targeted.

And then we also got confirmation from Fortinet that a vulnerability in Fortinet that was patched a month ago, this was the WebSocket issue, is now officially being exploited. Actually, it has been exploited for a while, but now we got confirmation from Fortinet. Fortinet has also seen some exploits for it on the Internet that appear to be valid. So definitely, if you haven't patched yet, consider any unpatched devices compromised at this point.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye.
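The episode's three recurring pieces of advice (get rid of NTLM, block outbound SMB, harden LDAP) can be checked on a host before the next Patch Tuesday arrives. The script below is an added example, not something from the SANS page or the ISC diary: it is a read-only posture audit that reads the standard Windows policy registry values and firewall rules and prints any gap it finds. The expected values (LmCompatibilityLevel 5, the Restrict NTLM audit/deny settings, LDAP signing set to "require", an enabled outbound block on TCP/445) are this example's assumptions about a hardened baseline, not values stated in the episode, and the commented-out remediation rule at the end assumes the built-in "Internet" address keyword fits your network.

```powershell
# Added example (not from the SANS page): read-only audit of NTLM, outbound-SMB and
# LDAP-signing posture. Run in an elevated PowerShell on a domain-joined Windows host;
# the LDAPServerIntegrity check only applies on domain controllers.
# Registry paths, value names and cmdlets are standard Windows ones; the "expected"
# values are this example's assumed hardened baseline, adjust to your own policy.

$findings = @()

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # A missing value means the policy is at its (weaker) default, reported as $null
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. NTLM: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM responses
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm = Get-RegDword $lsa 'LmCompatibilityLevel'
if ($lm -ne 5) { $findings += "LmCompatibilityLevel is '$lm' (expected 5: NTLMv2 only)" }

# "Network security: Restrict NTLM" policies live under MSV1_0.
# RestrictSendingNTLMTraffic: 1 = audit all, 2 = deny all. Audit first, then deny.
$msv = "$lsa\MSV1_0"
$send = Get-RegDword $msv 'RestrictSendingNTLMTraffic'
if ($send -notin 1, 2) { $findings += "RestrictSendingNTLMTraffic is '$send' (expected 1 audit or 2 deny)" }
# AuditReceivingNTLMTraffic: 2 = audit NTLM authentication for all accounts
$recv = Get-RegDword $msv 'AuditReceivingNTLMTraffic'
if ($recv -ne 2) { $findings += "AuditReceivingNTLMTraffic is '$recv' (expected 2: audit all accounts)" }

# 2. Outbound SMB: is there at least one enabled outbound block rule covering TCP/445?
$smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.RemotePort -contains '445')
    }
if (-not $smbBlock) { $findings += 'No enabled outbound firewall rule blocks TCP/445 (SMB)' }

# 3. LDAP signing: client 2 = require signing; on DCs LDAPServerIntegrity 2 = require signing
$ldapClient = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' 'LDAPClientIntegrity'
if ($ldapClient -ne 2) { $findings += "LDAPClientIntegrity is '$ldapClient' (expected 2: require signing)" }
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {   # key only exists on domain controllers
    $ldapServer = Get-RegDword $ntds 'LDAPServerIntegrity'
    if ($ldapServer -ne 2) { $findings += "LDAPServerIntegrity is '$ldapServer' (expected 2: require signing)" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[GAP] $_" } }
else { Write-Output 'No gaps found for NTLM / outbound SMB / LDAP signing' }

# Example remediation for gap 2 (left commented out so the audit stays read-only).
# "Internet" is the firewall's built-in keyword for addresses outside the local
# subnets; confirm it matches your topology before applying.
# New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -Direction Outbound `
#     -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block
```

Run it as part of a baseline check rather than once: the NTLM policies in particular are meant to be rolled out in stages (audit, review the NTLM operational log, then deny), so a host reporting RestrictSendingNTLMTraffic = 1 is on the way, not finished.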