SANS Stormcast Thursday, March 19th, 2026: Adminer Scans; Apple WebKit Patch; another telnetd vuln; screenconnect vuln
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9856.mp3
Scans for "adminer"
https://isc.sans.edu/diary/Scans%20for%20%22adminer%22/32808
Background Security Improvement for WebKit
https://support.apple.com/en-us/126604
Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC)
https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
ScreenConnect™ 26.1 Security Hardening
https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
| Network Monitoring and Threat Detection In-Depth | Online | Arabian Standard Time | Jun 20th - Jun 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026 |
Podcast Transcript
Hello and welcome to the Thursday, March 19, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

In diaries today, I wrote up scans that we are seeing against our honeypots for Adminer. Adminer is a PHP script that allows you to administer your database. It works for MySQL and Postgres, I believe. And it's similar in its approach, kind of, to phpMyAdmin. If you're familiar with phpMyAdmin, it's one of the big targets out there. It had a very rich history of vulnerabilities. And it's sort of, not the first, an original web-based database admin tool. Adminer takes a different approach, in so far as it's just one PHP file. It's very feature-rich and has actually a pretty good security history. There have been a couple of vulnerabilities, but far fewer and far lower in severity than what we have with phpMyAdmin. So why are attackers scanning for it? Well, the weakness that we still have is passwords. Now, Adminer usually does not really have the user set up passwords for the tool itself. Instead, it just uses the database's access control system. And that actually makes quite a bit of sense. It even offers an optional module that allows you to have some two-factor authentication. And that's something you should definitely consider, even though it deviates somewhat from the original goal of just having everything in one file.

One reason that these scans sort of really attract my attention is not just the number of scans, but really the number of different URLs that are being scanned here. When you're downloading and installing Adminer, what you should download is like this one big PHP file. And it comes in different versions, different languages and such, and also different databases. And that's all part of the file name. So if you just download the file and install it, well, there are about a dozen different file names that are possible for each release. And it's an actively maintained tool. So you have releases coming out ever so often. And this attacker apparently enumerated all of these file names. And it's now attempting to find them on your system. As I said, you probably want to install the two-factor authentication plugin. But also maybe just throw some basic or digest authentication in front of the tool in order to have an additional layer, to make it less than easy to find this particular tool, that you even have it installed.

And then we got something new from Apple, and that's background security improvements. This feature was added to the latest version of their operating systems and allows them to basically push out smaller security updates. They just yesterday used this feature for the first time, and they pushed out an update for WebKit. It fixes a single vulnerability, not a super critical vulnerability. It's a same-origin issue. It's not yet exploited. I suspect that maybe they wanted to try it out with sort of not a very severe vulnerability. If you want to apply the update manually, you have to go to Security and Privacy. That's where you find the background security improvements. You can also disable them if you don't want them to be applied automatically. But it's a different spot in the operating system than the normal security updates that you sort of get via Software Update. And you can also undo these updates if you want to. They're then typically rolled into the next operating system update. So they will still basically include all of these background security improvements that were moved live before. Interesting concept. Makes things faster. The download was very small and quick. It will still reboot your device after it's done applying the update.

Imagine that, we got another vulnerability in the inetutils telnetd. Remember, we just had a vulnerability a couple weeks ago with the embarrassing -f option in telnetd that basically bypassed login. This is a new, distinct vulnerability. It's a buffer overflow in LINEMODE SLC (set local characters). So during the sort of initial handshake, the telnet client and the server can negotiate a couple of parameters. And this is one of these parameters. So this is pre-authentication. And it's a straightforward buffer overflow. Definitely get it patched. But of course, you really shouldn't run telnet.

And if you're using ConnectWise ScreenConnect, be aware there is a patch available for you for version 26.1. This patch does encrypt certain machine keys that were accessible without authentication before the patch was applied. So they assessed this with a CVSS score of 9.0. So it's definitely critical. Something that you want to address and patch quickly.

And that's it for today. So thanks for listening. Thanks for liking. Thanks for subscribing. And thanks for sharing this podcast in your favorite social network. And talk to you again tomorrow. Bye.
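As an added example, not part of the ISC diary or the podcast, here is a small Python log check a defender could run over web server access logs to spot the kind of Adminer file-name enumeration described in the Adminer segment: it flags any client that requests several different Adminer file-name variants. The log lines are constructed for the example, the pattern for `adminer-<version>[-<driver>][-<lang>].php` is an assumption based on Adminer's release naming rather than anything from the page, and the threshold of three distinct paths is an arbitrary choice.

```python
"""Spot Adminer file-name enumeration in web server access logs.

Added example (not ISC or Adminer code): flags clients that probe for many of
the per-release Adminer file names, adminer-<version>[-<driver>][-<lang>].php.
The log lines below are constructed; the file-name pattern is an assumption
based on Adminer's release naming.
"""
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format. 203.0.113.5 walks
# through several file-name variants; 198.51.100.7 hits a single copy that sits
# behind HTTP authentication (hence the 401).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2026:10:01:02 +0000] "GET /adminer.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Mar/2026:10:01:03 +0000] "GET /adminer-4.8.1.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Mar/2026:10:01:03 +0000] "GET /adminer-4.8.1-mysql.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Mar/2026:10:01:04 +0000] "GET /adminer-4.8.1-mysql-en.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Mar/2026:10:01:04 +0000] "GET /db/adminer-4.7.9-pgsql-en.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2026:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2026:10:05:09 +0000] "GET /adminer.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# adminer.php plus adminer-<version>[-<driver>][-<lang>].php; the hyphenated
# segments are matched loosely so file names from newer releases still hit.
ADMINER_RE = re.compile(r'(?i)(?:^|/)adminer(?:-[0-9a-z.]+)*\.php$')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_adminer_probe(path):
    """True if the request path (query string ignored) targets an Adminer file name."""
    return ADMINER_RE.search(path.split("?", 1)[0]) is not None


def summarize(log_text):
    """Per source IP: number of Adminer probes, the distinct paths, and statuses seen."""
    per_ip = defaultdict(lambda: {"probes": 0, "paths": set(), "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_adminer_probe(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["probes"] += 1
        entry["paths"].add(rec["path"])
        entry["statuses"].add(rec["status"])
    return dict(per_ip)


def flag_scanners(summary, min_distinct=3):
    """IPs that requested at least min_distinct different Adminer file names."""
    return sorted(ip for ip, e in summary.items() if len(e["paths"]) >= min_distinct)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in flag_scanners(stats):
        e = stats[ip]
        print(f"{ip}: {e['probes']} probes, {len(e['paths'])} distinct Adminer paths, "
              f"statuses {sorted(e['statuses'])}")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents. A 401 on such a probe, as with the second client in the sample, is what the basic or digest authentication the transcript recommends looks like in the log: the file is found but the front-door auth stops the request before Adminer ever runs.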