Hello and welcome to the Friday, December 23rd, 22 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, just a quick follow-up on a story I mentioned yesterday.

A Rapid 7 and Crowdstrike did observe a workaround for some of

the Outlook Web Access server site request forgery, a vulnerability or the proxy not shell

vulnerability workarounds that Microsoft recommended. Well, Guy thinks that he saw some of these requests also in his honeypots.

Definitely something that you should be aware of.

And again, it does not affect you if you're fully patched on your exchange servers.

This is something that you should be worried about if you're relying on any of the published

workarounds to protect yourself and not using the patch.

And we got today an early Christmas gift from the Serday Initiative. An advisory published today

by the Serday initiative makes public kernel KSMBD use after free remote code execution vulnerability in Linux.

It scores a perfect CVSS score of 10.

Now, this is certainly something important.

Why is it not sort of a huge deal?

Well, the vulnerability was originally reported to Linux in July, according to

a link in the advisory. Update was actually made public in August that should fix this particular

vulnerability, but it wasn't really sort of acknowledged as a vulnerability back then.

Also, KSMBD, it's an implementation of the SMB version 3 protocol.

It's sort of a replacement for Samba, but it's relatively new.

Again, it's a kernel module, so basically moved the user space Samba code sort of into

the kernel, of course, with a complete rewrite. Most systems still use Samba instead of KSMBD. KSMBD.

...