Handler on Duty: Johannes Ullrich
Threat Level: green
Podcast Detail
SANS Stormcast Tuesday, October 7th, 2025: More About Oracle; Redis Vulnerability; GoAnywhere Exploited
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9644.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
More Details About Oracle 0-Day
The exploit is now widely distributed and has been analyzed to show the nature of the underlying vulnerabilities.
https://isc.sans.edu/diary/Quick%20and%20Dirty%20Analysis%20of%20Possible%20Oracle%20E-Business%20Suite%20Exploit%20Script%20%28CVE-2025-61882%29%20%5BUPDATED%5B/32346
https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
Redis Vulnerability
Redis patched a critical use-after-free vulnerability that could lead to arbitrary code execution.
https://redis.io/blog/security-advisory-cve-2025-49844/
GoAnywhere Bug Exploited
Microsoft is reporting on the exploitation of the recent GoAnywhere vulnerability.
https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
Podcast Transcript
Hello and welcome to the Tuesday, October 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Denver, Colorado. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership. Today, the big topic was still the patch being released by Oracle on Saturday for the Oracle E-Business Suite. I talked about it already yesterday. Now, there is no new update from Oracle about this, so their advice still counts. Apply the patch released on Saturday in order to be protected against this vulnerability. Now, after recording the podcast yesterday, I found a copy of the exploit script that was referenced in Oracle's write-up. So, this was basically the exploit script recovered from these ransomware attacks. The exploit is quite complex. There's also a great and much more detailed write-up by watchTowr explaining what exactly is going on here. There are actually sort of a couple little exploits that are being used in order to really make everything work. There's like a directory traversal in one spot, for example, in order to make this exploit work without having to authenticate first. But the critical part of the exploit is a server-side request forgery issue using a somewhat interesting and, well, I think a little bit archaic in some ways, technology, XSLT. This is essentially sort of style sheets for XML files. And this has been used for server-side request forgery before. The trick here is essentially that as part of an XML file, you can reference an external file that will tell you how to render a particular XML file. And that is sort of requesting that external file is triggering the server-side request forgery vulnerability in this particular case. And then actually a vulnerability in how these particular files are then being applied does lead to the remote code execution. So a very tricky exploit.
And I don't think there are a lot of people out there that really understand Oracle E-Business Suite well enough in order to come up with all the complexities being exploited by this particular exploit. It's not just a simple vulnerability. Of course, with the exploit now being out and widely being distributed, there is a good chance that we have copycats coming up soon. These scripts that were used and posted to VirusTotal and other sites are making exploitation of this vulnerability relatively straightforward. And also, of course, the detailed write-ups like from watchTowr go over some of the intricacies in making this particular exploit chain work. There's another sort of side to this with an exploit like this being released now and being able to actually exploit a vulnerability that before really seeing the entire exploit chain weren't sort of properly accessible. Well, there is a chance that we'll also see additional similar vulnerabilities in the future being exploited just like this one, sort of taking advantage of some of the work done in order to make this exploit work. So definitely keep an eye on your Oracle E-Business Suite servers and see what you can do in order to better isolate them to make some of these exploit facets here that were being used impossible and blocking, for example, downloads of external files. But Oracle isn't the only one releasing patches. We also got in the last couple days a patch for the Redis in-memory database. This patch fixes a use-after-free vulnerability that could be used for arbitrary code execution. Redis rated this vulnerability with a CVSS score of 10.0, so perfect 10. However, the vulnerability, in order to exploit it, you must have authenticated access. So I would actually think that it should be a couple decimals kind of below 10. Still a critical vulnerability that you must patch quickly and double check what Redis servers you have exploited, exposed to the internet.
No exploit available for this as far as I know, but again, it's probably just a matter of a very short time for someone to develop an exploit for this vulnerability. Microsoft published a blog post that a critical GoAnywhere MFT bug that we talked about two weeks ago is now actively being exploited. So double check that you got the patch applied. If not, assume compromise at this point. Well, and that's it for today. So thanks again for listening and thanks for liking and subscribing to this podcast. And as always, talk to you again tomorrow. Bye.
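The transcript describes the SSRF building block of the Oracle chain: a stylesheet that points the XSLT engine at an external resource, which the server then fetches on the attacker's behalf. The following is an added example, not code from the podcast, from Oracle, or from the watchTowr write-up, showing the generic defensive control for any Java application that applies XSLT: a JAXP `TransformerFactory` configured so that `xsl:import`, `xsl:include`, `document()` and external DTDs are refused for every protocol. The stylesheet, the input document and the `http://internal.example/placeholder` URL are constructed for the demonstration; the class and method names are the example's own.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

/**
 * Added example: a JAXP TransformerFactory hardened so that a stylesheet
 * cannot make the transformer fetch external resources. Generic hardening
 * for a Java XSLT consumer; not Oracle's fix and not code from the episode.
 */
public class HardenedXslt {

    // Constructed sample stylesheet. The document() call names a placeholder
    // URL; on an unhardened transformer the XSLT engine would issue that
    // request from the server itself, which is the SSRF pattern described
    // in the episode.
    static final String STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "  <xsl:template match=\"/\">"
      + "    <out><xsl:copy-of select=\"document('http://internal.example/placeholder')\"/></out>"
      + "  </xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed input document.
    static final String INPUT = "<doc>constructed input</doc>";

    /** Factory that refuses external DTDs and external stylesheet/document() fetches. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Enables the JAXP secure-processing limits (extension functions off, etc.).
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty protocol list means no protocol is allowed for external DTD resolution.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // An empty protocol list means no xsl:import, xsl:include or document()
        // may be resolved over any protocol.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Applies STYLESHEET to INPUT; returns the output or throws when a fetch is denied. */
    static String transform(TransformerFactory tf) throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(STYLESHEET)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(INPUT)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        try {
            System.out.println(transform(hardenedFactory()));
        } catch (TransformerException e) {
            // With the JDK's built-in transformer the refused document() fetch is
            // reported as a TransformerException before any outbound request is made.
            System.out.println("external fetch blocked: " + e.getMessage());
        }
    }
}
```

The attribute values are protocol allow-lists, so `""` is the strictest setting; a deployment that genuinely needs `xsl:include` from local files can set `ACCESS_EXTERNAL_STYLESHEET` to `"file"` and still deny `http` and `https`. This is a code-level control for applications you build yourself; for a packaged product such as E-Business Suite the practical equivalents are the vendor patch and, as the episode suggests, egress filtering so the server cannot download external files at all.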