
SANS Stormcast Wednesday, April 10th: Microsoft Patch Tuesday; Adobe Patches; OpenSSL 3.5 with PQC; Fortinet

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9400.mp3


Microsoft Patch Tuesday
Microsoft patched over 120 vulnerabilities this month. Eleven of these were rated critical, and one vulnerability is already being exploited.
https://isc.sans.edu/diary/Microsoft%20April%202025%20Patch%20Tuesday/31838

Adobe Updates
Adobe released patches for 12 different products. Particularly important are the patches for ColdFusion, which address several remote code execution vulnerabilities. Adobe Commerce received patches as well, but none of its vulnerabilities are rated critical.
https://helpx.adobe.com/security/security-bulletin.html

OpenSSL 3.5 Released
OpenSSL 3.5 was released with support for post-quantum ciphers. This is a long-term support release.
https://groups.google.com/a/openssl.org/g/openssl-project/c/9ZYdIaExmIA

FortiSwitch Update
Fortinet released an update for FortiSwitch addressing a vulnerability that may be used to reset a password without verification.
https://fortiguard.fortinet.com/psirt/FG-IR-24-435

Podcast Transcript

Hello and welcome to the Wednesday, April 9th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, of course, it's Patch Tuesday today, so we have to start with Microsoft patches. We do have sort of an average Patch Tuesday. Renato, who did our diary today, counted 125 vulnerabilities. I've seen others quote 134 vulnerabilities. It typically depends on whether or not you count the Chromium vulnerabilities that apply to Microsoft Edge. But either way, let's look at some of the interesting vulnerabilities that are sort of worth noting. And to start out, we've got, sort of, a friend of the show, the Common Log File System driver. This is a Windows component that has led to at least five zero-day vulnerabilities over the last couple of years. And yes, we do have another privilege escalation vulnerability here that is already being exploited, and apparently being exploited by ransomware actors as well. So not just one of those state-actor-style vulnerabilities. Now, why is this component continuing to be the source of so many vulnerabilities? Pretty straightforward reasoning behind this. It is a kernel driver, so it runs with kernel privileges. It must run with kernel privileges, well, in some ways, because it has to read all the different logs that it is parsing. And then, of course, it has to parse those logs. And logs sometimes do contain, well, hostile content. And that's sort of the reason yet again where a problem in the log parser is being exploited to then elevate privileges, essentially execute code as the driver, which then gets you full system access. So that story just keeps repeating. There's not too much you can sort of do proactively about this other than your standard best practices hardening your system. But you can't really just turn off logging. Then you would have other problems.

And then other critical vulnerabilities. We do have two vulnerabilities against the LDAP server. Again, something that we had a couple of times happening over the last few months. So not yet exploited, and exploitability is difficult, according to Microsoft, including involving some timing issues where, again, it depends somewhat on the creativity of the attacker what they're going to do with these vulnerabilities. But quite often, if they don't really control all of the events contributing to the timing issue, then this may not necessarily be an exploitable vulnerability. I don't remember seeing any of the prior LDAP issues being exploited recently, but I may have missed a vulnerability there. So let me know if there was a recent new LDAP vulnerability that was exploited in the wild.

In addition, we do have critical vulnerabilities in Office products, like in particular in Excel. So that typically involves opening a file and then code is being executed. Now, given that they're rated critical, it shouldn't require any user interaction. So this may execute before you actually open the files, or some kind of preview scenario or something like that. Get it patched. That's really the best thing you can do here. As far as priorities go, I would start with your RDP, your LDAP servers, just because they tend to be the most exposed systems in your network. So definitely something that you need to address quickly. Then definitely the Office products, because that's just probably the largest attack surface that you have in your organization. And just to close out this Windows patch topic here, Windows 10 is affected by many of the vulnerabilities being addressed today. But there are no Windows 10 patches available yet. Remember, Windows 10 is being phased out. There will be patches for Windows 10, particularly like the LDAP, RDP stuff and things like that. But Windows 10 is definitely something that you need to look into to hopefully move away from.

And Adobe today released updates as well, as usual. And they released updates for 12 different products. Two of these products are sort of on my watch list of noteworthy products. Adobe ColdFusion: there are a number of remote code execution vulnerabilities here in ColdFusion that are rated critical. Also, Adobe Commerce received a patch, also a frequently exploited product. Nothing critical here in Adobe Commerce. Some privilege escalation vulnerabilities that you probably should look into. Update and patch. That's really what you should do with both of these products relatively quickly. Of course, it can be tricky, in particular with ColdFusion.

And then we got a new release from OpenSSL today, OpenSSL 3.5.0. It is a new major release at 3.5. It's also a long-term support release. No end of support defined yet for this product, but it will likely be many years in the future. The big addition here to 3.5 is post-quantum ciphers. So, definitely a hot topic and your first opportunity to really play with sort of a production-level implementation of these ciphers in OpenSSL. It typically takes quite a while for these sort of major releases to then trickle into Linux distributions and such. Maybe it happens a little bit faster here now given the post-quantum cipher issues. But, yeah. You can always compile them yourself. And, like I said, start playing with it. See if any of the software that you need post-quantum ciphers for will be able to work with this release.

And Fortinet released a critical update for FortiSwitch going back to version 6.4. This particular vulnerability that's being addressed here may allow an unauthenticated password change. So, definitely make sure that you update this. It has been reported internally. So, no exploit known yet. But, typically, vulnerabilities like this with some patch diffing are relatively easy to figure out.

Well, and this is it for today. So, thanks again for listening. And if you have any updates, corrections here, please let me know. Or if I missed any stories, please let me know. Thanks for subscribing. And thanks for recommending this podcast to others. And talk to you again tomorrow. Bye.