Hello, welcome to the Friday, November 5th, 2021 edition of the Sands and the Storm Center's Stormcast. My name is Johannes Ulrich.

I'm recording from Jacksonville, Florida.

And we do have a winner for the October Packet Challenge, a Brad that post the solution.

Congratulations to Amir Money for post the solution. Congratulations to mere money for winning the competition.

We had plenty of correct answers and just semi-randomely picked one of them as our winner of a Raspberry Pi.

This was actually a quite interesting and more evolved challenge than

Brad usually publishes. Three infected systems here, all part of an active directory, domain,

and different pieces of malware involved in this infection. So, congratulations to everybody who got the right answer, and if you want to check your answer,

or if you got stuck trying to solve it, then look at Brad's walkthrough for the solution.

And then we have an interesting vulnerability in Linux kernels that affects Linux kernels from version 5.10 through 5.15.

The vulnerability exists in the transparent inner process communication module or short TIPC.

This module is used in clusters to exchange messages

and also exchange cryptographic keys to encrypt these messages. Now, first of all, the good news

here is that this is nothing that's enabled by default and probably not enabled much at all, but it is potentially

exploitable across the network. These messages, they can be sent directly over Ethernet,

and then of course remote exploitation is limited to the local network, but they can also be

encapsulated in UDP, in which case

they're typically sent to port 6118.

So since this affects Linux setups that are configured as a cluster, that's the first thing

to check here, make sure if the TIPC module is actually loaded.

It's present in the effect that Linux versions, but not necessarily loaded, and the vulnerability

is really only exploitable if it's loaded.

...