Hello, welcome to the Monday, July 19th, 2021 edition of the Sands and Storm Center's Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

A couple different diaries this weekend from Xavier talking about various ways to base encode different strings in order to obfuscate them and evade

malware detection. Most commonly, of course, we're dealing with base 64 encoding, but the idea

basically is that we may have various character sets that are being used for encoding, not just the standard

base 64 character set in particular. Xavier is introducing here base 85 as a possible alternative

to evade detection tools. And on Friday, Juniper released a number of patches.

Probably the most interesting and severe vulnerability that's being addressed here is a

vulnerability in steel-belted radius, which of course is used for authentication in

Juniper's ecosystem.

This vulnerability has a CVSS score of 9.8,

and apparently it is a buffer overflow vulnerability

that can lead to arbitrary code execution on the radius server.

Luckily, this vulnerability is only exploitable if enhanced

e-blogging with a trace level of 2 is enabled. Patches are available for affected systems,

but as an immediate fix, you could also just check the logging settings.

And a remote code execution vulnerability was also disclosed for fail to ban. Fail to ban, very popular package that allows you to automatically add firewall rules

for IP addresses that continually fail authentication, for example, and one particular module of the

fail-to-ban package allows the lookup of WHOIS information and sending emails to an administrator

including that information. Sadly, the input received from the WHOIS data is not properly escaped,

so theoretically someone would be able to construct a malicious WHOIS record, and then as the system

locks it up after being attacked from an affected IP address, it would

execute the code embedded in the who is data.

...