
SANS Stormcast Friday, April 17th, 2026: DVRs Again; Cisco Again; Windows Defender Again; Sonatype

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9896.mp3


My Next Class

Classes Johannes is teaching for SANS:
Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026
Network Monitoring and Threat Detection In-Depth | Online (Arabian Standard Time) | Jun 20th - Jun 25th 2026
Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026
Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026

Podcast Transcript

 Hello and welcome to the Friday, April 17, 2026 edition
 of the SANS Internet Storm Center's Stormcast. My name is
 Johannes Ullrich, recording today from Stockheim, Germany.
 This episode is brought to you by the SANS.edu Graduate
 Certificate Program in Purple Team Operations.
 Congratulations. Before starting this podcast, I did a
 quick look to see when we first talked about DVRs,
 digital video recorders, getting compromised at scale.
 And this was about 12 years ago in 2014. One of the sad
 things about doing this kind of work for so long is that
 often the problem isn't the flashy new stuff, but what I
 often call the mosquitoes of the internet. They're around
 everywhere. They're really annoying, but sometimes
 deadly. And that's these IoT devices and these video
 devices that are still being attacked. We do have a diary
 by one of our interns, Alec Jaffe, just dissecting one of
 these attacks yet again. And yes, there are still thousands
 of these devices exposed and the same number pretty much
 being attached to the botnet here that he found. Well, take
 a look at his work. It is evolving. There are ever so
 often some little tweaks they're making to their
 software, but ultimately the old thing still applies. If
 you're connecting a system to the internet with a well-known
 password, well, it's going to get compromised within
 probably less than a minute. So let's talk about something
 new and exciting. Well, imagine that we do have still
 Cisco vulnerabilities. First one, WebEx. WebEx apparently
 doesn't care what certificate was used to sign your single
 sign-on assertion. So anybody is let in and you're easily
 able to impersonate arbitrary users. But it's not just WebEx
 where we have problems. It's also the Cisco identity
 services engine that is suffering from, in this case,
 remote code execution vulnerabilities. This has a
 base CVSS score of 9.9, but I believe an attacker at least
 needs read access here. But, well, that is then easily
 elevated to root privileges if this particular vulnerability
 isn't patched. So, yeah, still kind of old-style
 vulnerabilities and still happening today. And when
 Microsoft released its patches last Tuesday, it also patched
 the Bluehammer vulnerability. This was the vulnerability
 that was already disclosed before the patch
 came out. It was a vulnerability, a privilege
 escalation vulnerability in Microsoft Windows Defender.
 Well, the author of Bluehammer originally released the
 proof of concept because this particular author wasn't
 happy with how Microsoft's responsible notification
 program worked. So this
 individual now released a second vulnerability in
 Microsoft Windows Defender, this time called Red Sun. And
 it's sort of one of those file overwrite vulnerabilities.
 Pretty interesting. And as this write-up also says,
 funny. So, yes, we still have privilege escalation
 vulnerabilities in Windows Defender. And sadly, privilege
 escalation vulnerabilities are kind of common in anti-malware
 all the time. When I started this podcast with what I refer
 to as the mosquitoes of the internet, which, well, are
 these cheap IoT devices like DVRs with default passwords,
 this could not possibly apply to the leader of secure
 development, Sonatype. Sonatype just patched a hard-coded
 credential vulnerability in an internal database
 component. This vulnerability applies to its
 OrientDB database, which usually is not enabled by
 default unless you're running it in legacy HA-C mode, which
 then has this very obvious setting nexus.clustered=true
 in its configuration. So in this case, OrientDB will be
 enabled and listening. Definitely something to watch
 out for. So if you are running the Sonatype components here,
 double check that, first of all, they're not reachable
 from the network, just like your cheap DVRs. Don't expose
 your security orchestration software here directly to the
 internet. And yes, please keep it patched. Well, that's it
 for today. So thanks again for listening. Thanks for liking
 and subscribing to this podcast. I'm on my way to
 Amsterdam next week, Tuesday evening. I'll be giving a talk
 at the SANS event in Amsterdam. If you're
 interested in attending, please don't just show up, but
 let me know if you're not already registered for the
 event. I'll also be teaching in May in San Diego, end of
 June in Riyadh, and then in July again, we have SANSFIRE
 coming up in Washington DC. Already starting to plan a lot
 of Internet Storm Center related events as usual for SANSFIRE.
 Thanks everybody and talk to you again on Monday. Bye.
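As an added example (not code from the podcast, from the Internet Storm Center, or from Sonatype), here is a small POSIX shell check for the legacy HA-C setting mentioned in the episode: it parses a nexus.properties file and reports whether nexus.clustered is effectively set to true, which is the case in which the embedded OrientDB would be enabled and listening. The config path ($NEXUS_DATA/etc/nexus.properties), the OrientDB binary port (2424) and the sample file contents in the test are assumptions constructed for this example, not facts stated on the page.

```shell
#!/bin/sh
# Added example: detect the legacy HA-C setting (nexus.clustered=true) that
# turns on the embedded OrientDB in Sonatype Nexus Repository.
# Assumptions (not from the podcast): the config lives at
# $NEXUS_DATA/etc/nexus.properties and OrientDB's binary protocol port is 2424.

# Return 0 if FILE's effective value for nexus.clustered is "true", 1 otherwise.
# Skips '#' and '!' comment lines, tolerates whitespace around '=', ignores case,
# and takes the last definition of the key, as Java properties files do.
nexus_clustered_enabled() {
  file="$1"
  [ -r "$file" ] || return 1
  last=$(grep -v '^[[:space:]]*[#!]' "$file" \
    | sed -n 's/^[[:space:]]*nexus\.clustered[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
    | tail -n 1)
  [ "$(printf '%s' "$last" | tr '[:upper:]' '[:lower:]')" = "true" ]
}

# Return 0 if any TCP listener is bound to PORT (defaults to the assumed
# OrientDB port 2424). Requires ss(8); returns 1 if ss is unavailable.
orientdb_listening() {
  port="${1:-2424}"
  ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]${port}\$"
}

# Stand-alone usage:
#   NEXUS_PROPERTIES="$NEXUS_DATA/etc/nexus.properties" sh nexus_ha_check.sh
if [ -n "${NEXUS_PROPERTIES:-}" ]; then
  if nexus_clustered_enabled "$NEXUS_PROPERTIES"; then
    echo "WARNING: nexus.clustered=true (legacy HA-C): embedded OrientDB is enabled"
    orientdb_listening && echo "WARNING: a TCP listener is bound to port 2424"
  else
    echo "OK: nexus.clustered is not set to true"
  fi
fi
```

A clean "OK" from the config check is not a substitute for the network-exposure check the episode asks for: even with clustering off, the Nexus web UI and API should not be reachable from the internet, so run the port check from outside the host's own network as well.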