
SANS Stormcast Thursday, May 8th: Modular Malware; Sysaid Vuln; Cisco Wireless Controller Patch; Unifi Protect Camera Patch

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9442.mp3


Example of Modular Malware
Xavier analyzes modular malware that downloads DLLs from GitHub if specific features are required. In particular, the webcam module is inspected in detail.
https://isc.sans.edu/diary/Example%20of%20%22Modular%22%20Malware/31928

Sysaid XXE Vulnerabilities
The IT service management software Sysaid patched several XXE vulnerabilities. An unauthenticated attacker can use them to read confidential data and fully compromise the system. watchTowr published a detailed analysis of the flaws, including exploit code.
https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/

Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability
Cisco patched a vulnerability in its wireless controller software that allows an unauthenticated attacker not only to upload files but also to execute code as root.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC

Unifi Protect Camera Vulnerability
Ubiquiti released a Protect camera firmware update that fixes a buffer overflow vulnerability.
https://community.ui.com/releases/Security-Advisory-Bulletin-047-047/cef86c37-7421-44fd-b251-84e76475a5bc

Podcast Transcript

Hello and welcome to the Thursday, May 8, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from San Diego, California. Today's diary comes from Xavier and Xavier takes a look at an interesting piece of malware. This malware is written in .NET, not Python for a change, and it distinguishes itself by being very modular. Now, the way the modularity is implemented is if a particular feature is needed, the particular module, a DLL file, is loaded from GitHub and then installed on the system. Some of these modules, for example, can install a rootkit, there is a token grabber module, there also is a password stealer, and then the one module that Xavier looks at a little bit closer is implementing some webcam functionality. The advantage of malware like this is that the initial download, first of all, is smaller and is also less likely going to trigger alerts because it doesn't contain any code that indicates that it may act malicious. That's only then added again later on demand. And since this malware is reasonably simply built, it's not obfuscated, it makes it a great sort of little learning tool in order to better understand how malware works.

Then we have an interesting vulnerability to talk about again from sort of friends of the show, watchTowr. This vulnerability affects SysAid. SysAid is an IT service management platform, so it allows you to handle help desk tickets, inventory, and various other sort of IT management tasks. Of course, software like this is always in the crosshairs of ransomware gangs given that they are also often used by outsourced IT management companies that would give an actor access to multiple entities using one compromised SysAid instance. Now, the vulnerabilities here start out with XML external entity vulnerabilities. This is a little bit of a weird vulnerability if you're not familiar with XML. Essentially, in XML you can define entities that are replacing usually a smaller string with a larger string. So it's kind of a simple compression scheme. But external and system entities are allowing you to not just replace strings but also to replace an entity with the content of a file from the file system or the content of an external HTTP or HTTPS URL. So that's where it really gets interesting. watchTowr found three different vulnerabilities like this in SysAid. They used this vulnerability then to read a configuration file from the system. Again, you may just read essentially any file from the file system that your XML parser has access to. This particular file contained the administrative password. Well, of course, with that they have now not just pre-authentication but also authenticated access to the SysAid instance and they then also demonstrate how these vulnerabilities can be used to ultimately achieve remote code execution. As usual, a pretty good read here from watchTowr if you're particularly interested in more details about the XML external entity vulnerability. Patches have been released by SysAid and given that there is an exploit available for it now, well, you better already applied it.

And then we have a patch for the Cisco IOS XE wireless controller software. This patch fixes an arbitrary file upload vulnerability with a CVSS score of 10.0. The vulnerability is due to a hard-coded JSON web token. Well, at least it's not an SSH key or a simple password but the effect is the same without really authenticating. The attacker is able to upload files and then trigger execution as root. This vulnerability should be fixed pretty quickly. However, the system is not vulnerable in the default configuration. In order for this vulnerability to be exploitable, you need to enable the out-of-band AP image download feature. If that feature is not enabled, then again, this is not exploitable.

And if you're using the popular Unifi Protect cameras, be aware there is also a CVSS score 10 vulnerability available for these cameras. Now, a patch is available as well from Ubiquiti. The vulnerability itself, as it says here, allows an attacker with access to the management network to execute arbitrary code remotely without authentication, exploiting a heap buffer overflow vulnerability. This affects the firmware version 4.75.43 and earlier. A patch has been released in the last couple of days. This is it for today. Thanks for listening and talk to you again tomorrow. Bye.
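The transcript explains how an XML entity declared as SYSTEM can expand to a file or URL. The following is an added example, not code from the podcast, from watchTowr, or from SysAid: a small Python parser built on the standard library's expat binding that rejects any DOCTYPE before entities can be declared, which is the usual XXE mitigation. The `<ticket>` format and the sample documents are constructed for illustration; the file path in the second sample is a placeholder.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD or an external entity reference."""


def parse_ticket(xml_text: str) -> dict:
    """Parse a flat <ticket> document into {child element: text}.

    Any DOCTYPE is rejected before its entities are even declared: without a
    DTD there is nowhere to define a SYSTEM/PUBLIC entity that expands to a
    file or URL, which is the XXE pattern described in the transcript. The
    <ticket> format is a constructed stand-in (assumption), not SysAid's API.
    """
    parser = xml.parsers.expat.ParserCreate()
    texts: dict = {}
    stack: list = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(
            f"DOCTYPE {name!r} rejected (system id {sysid!r}, "
            f"internal subset: {bool(has_internal_subset)})")

    def external_ref(context, base, sysid, pubid):
        # Second line of defence: never resolve an external entity.
        raise UnsafeXMLError(f"external entity {sysid or pubid!r} refused")

    def char_data(data):
        if len(stack) == 2:  # direct child of the root element
            texts.setdefault(stack[-1], []).append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_text, True)
    return {k: "".join(v).strip() for k, v in texts.items()}


# Constructed sample inputs: a benign ticket and one carrying the entity
# declaration pattern from the transcript (placeholder path, not a real target).
SAFE_TICKET = ('<?xml version="1.0"?>'
               '<ticket><id>1042</id><subject>Printer offline</subject></ticket>')
XXE_TICKET = ('<?xml version="1.0"?>'
              '<!DOCTYPE ticket [<!ENTITY cfg SYSTEM "file:///placeholder/app.conf">]>'
              '<ticket><id>1042</id><subject>&cfg;</subject></ticket>')


def check(xml_text: str) -> tuple:
    """Return ("ok", parsed) or ("rejected", reason) for logging or alerting."""
    try:
        return ("ok", parse_ticket(xml_text))
    except UnsafeXMLError as err:
        return ("rejected", str(err))
```

The rejection reason is worth logging as-is: a DOCTYPE arriving on an endpoint that never needs one is a useful detection signal.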