
SANS Stormcast Monday, May 11th, 2026: New Linux Priv Escalation; PAM Backdoors; CPanel Updates; Let’s Encrypt

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9926.mp3


Podcast Transcript

Hello and welcome to the Monday, May 11th, 2026 edition of the SANS Internet Storm Center StormCast. My name is Johannes Ullrich, recording today from San Diego, California. And today's episode is brought to you by the sans.edu undergraduate certificate program in Applied Cyber Security.

Yes, and once people start looking for a certain type of flaw, well, we of course get more and more of them in the news. We now have a second Linux privilege escalation vulnerability that again affects pretty much any Linux distribution out there going back to 2017. So about nine years back, which pretty much covers everything at this point. The problem with this vulnerability is again a kernel driver, just like what we had with Copy Fail. Actually, there are some similarities with this Copy Fail vulnerability. This one has its own name, its own logo: Dirty Frag. And this vulnerability relies on two different vulnerable kernel modules. So both must be present in order for the vulnerability to be exploited. One is the rxrpc module. This module is used for some file systems like AFS, for example. The AFS implementation for Linux does use the rxrpc module. The second module is actually really two, but either one works: esp4 and esp6. Well, they're part of the ESP protocol, so IPsec. In my opinion, it's probably safer to disable the ESP modules. You can just unload them and with that prevent exploitation, just because it's easier to figure out if you're using IPsec or not, while with the rxrpc module it could be a little bit more difficult to figure out which sort of other functionality on a particular system actually takes advantage of this module. So if you're not doing IPsec, you know, even if you're doing VPNs, if you're doing a VPN other than IPsec, you don't need the ESP modules. So in this case, just disable them or unload them. Probably just keep them unloaded. Who knows? There may be other vulnerabilities that have yet to be discovered. You know, always reduce your attack surface if you don't use IPsec.

And researchers at Flare wrote up a blog post rediscovering that PAM, the Pluggable Authorization Modules in Linux, can be used to introduce backdoors. Nothing fundamentally new, but still a good reminder that this happens. So with all these vulnerabilities in Linux we're talking about, of course, the next question is what is the attacker going to do next? And this may certainly be a point to attack once you have root access to a system, where you are modifying some of the PAM drivers or even just the configurations to either introduce backdoors or in this case actually capture SSH passwords. This of course is not a problem if you are using SSH secret keys because, well, the secret keys are never sent to the system. So as a result any modification to PAM would not actually capture the secret keys. Well, it could still, again, you know, introduce a backdoor, and that can be really difficult to detect unless you recognize that these PAM modules have been tampered with. So take a look at the blog post and see what they have to say about the detection part in particular.

And after we recently had a big issue with cPanel vulnerabilities, well, just a reminder that cPanel late last week released another update fixing three vulnerabilities. None of them is as critical as what we have seen a few weeks ago that was widely exploited. Here the worst one is an arbitrary code execution vulnerability, but it already does require some significant privileges in order to be able to actually execute and exploit this vulnerability. So I don't see this as something that you have to patch right now. But it's probably another opportunity to make sure that you are patching cPanel if you're using this software and, if possible, have that somehow automated.

And on Friday, Let's Encrypt did briefly stop issuing new certificates. And now in their status update, they stated that this was due to a potential incident, which of course is often sort of code for breach. But that apparently is not what's happening here. Let's Encrypt is currently in the process of moving from generation X to generation Y. This is sort of how they identify the different versions of their environment. Well, this new version of course used then different signing certificates, and apparently some of the cross-signing wasn't done correctly, which led them to suspend the issuing of certificates until they basically could roll back or fix this particular problem. Now, this did currently not affect the environment that issues most certificates. It was more for the short-lived and more experimental sort of environments and staging environments at this point. However, on May 13th, so I think that's Wednesday, they will switch over the live environment. So in case you see any hiccups there with Let's Encrypt, well, that may be part of the problem, but everything appears to be working fine right now, even for the sort of more short-lived, like a TLS server, TLS client environments. All of that seems to be working fine right now.

Well, and this is it for today. So thanks for listening. Thanks for liking. I am, as I mentioned in the intro, in San Diego this week. I'll be giving a talk in the evening here if anybody's interested. I think it's Wednesday, but I'll have to double check when the talk will be. If you're interested, well, let me know. Don't just show up, but if you're in the area, we can probably arrange for you if you want to attend the talk. The talk is about the Internet Storm Center. Well, and that's it for today. Thanks and talk to you again tomorrow. Bye. Bye. Bye.
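The "unload the ESP modules and keep them unloaded" advice above, as an added example that is not from the podcast or from any vendor tooling: it checks a /proc/modules-style listing for esp4/esp6/rxrpc, refuses to touch ESP while the kernel holds IPsec state, and pins the modules unloaded through a modprobe.d `install` rule. The modules file, the modprobe.d directory and the config file name are parameters/assumed names so the decision logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not the podcast's code): unload unused esp4/esp6/rxrpc and pin
# them unloaded. Paths are parameters so the logic can be tested without root.

# module_loaded NAME [MODULES_FILE]: succeed if NAME is in a /proc/modules listing
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# ipsec_in_use: succeed if the kernel holds any IPsec SA or policy (needs iproute2)
ipsec_in_use() {
    [ -n "$(ip xfrm state 2>/dev/null)" ] || [ -n "$(ip xfrm policy 2>/dev/null)" ]
}

# unload_candidates MODULES_FILE MOD...: print only those of MOD... currently loaded
unload_candidates() {
    f="$1"; shift
    for m in "$@"; do
        module_loaded "$m" "$f" && echo "$m"
    done
    return 0
}

# write_disable_conf DIR MOD...: "install X /bin/false" makes modprobe fail for X.
# Unlike a plain "blacklist" line, this also stops alias-driven autoloading
# (e.g. when an IPsec socket is opened), so the module stays unloaded after reboot.
write_disable_conf() {
    conf="$1/disable-esp-rxrpc.conf"; shift   # assumed file name
    : > "$conf"
    for m in "$@"; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    echo "$conf"
}

# apply: the real run (root). Only ESP is handled automatically, because whether
# rxrpc is needed (kAFS etc.) is harder to decide, as the podcast points out.
apply() {
    if ipsec_in_use; then
        echo "IPsec SAs/policies present; not unloading esp4/esp6" >&2
        return 1
    fi
    for m in $(unload_candidates /proc/modules esp4 esp6); do
        rmmod "$m" || return 1
    done
    write_disable_conf /etc/modprobe.d esp4 esp6
}

[ "${1:-}" = "--apply" ] && apply
```

Run it as `sh harden-esp.sh --apply` on a host you have confirmed does not terminate IPsec; without the flag it only defines the functions. Note that the modprobe.d rule does not stop a root user from loading the module with `insmod`, so treat it as a guardrail, not a control.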