Hello and welcome to the Monday, April 8th, 2024 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from London, England.

As a quick reminder today, April 7th as I record this podcast, it's also the 10th anniversary of Heartbleed. Heartbleed, of course, is often seen as sort of

a watershed moment in open source security. And we had sort of another moment like this,

just the last couple weeks with the XC Util Back Door. Let's hope that some of the funding

for Buck Bounties and such is expanding.

That's sort of what got started after Heartbleed.

We also got another side note to this entire event, and this is another merch request

that the attacker who planted the XC Util Backdoor made for Lib Archive.

Now this particular request was made November 2021 and it replaced a safe printf function

with just regular F printf function.

So that way escape sequences may not necessarily be encoded correctly.

This function happened in an error message where then unsafe input may be echoed back to the victim

and the insertion of escape sequences could potentially lead to code execution.

It's not clear if this was ever exploited in any way, but of course it's a very typical way

to implant more subtle back doors by including bugs in code that even after a more casual review, even if they're found, are not

necessarily considered malicious, just careless, and as such don't necessarily blow the identity

of that malicious submitter.

The change in lip archive has been removed, but of course that code was out for a lot longer than the XE Util Backdoor,

so definitely something where updates and such need to be applied.

Researchers at SANSAC have found an interesting persistent mechanism being used by attackers attacking the Magento E-commerce

suite. This particular Magento backdoor takes advantage of the layout update database. This database includes

...