Hello and welcome to the Thursday, April 25, 2020, 24 edition of the Sanchez and its Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Three years ago, Rob published some scripts to make it easier to read the NVD database, in particular on Windows systems.

Well, Rob updated these scripts now in order to adapt them to the newer version of the API

that is being offered by NIST.

If you're interested, the more details, you can find them in Rob's diary from the day.

And Cisco released a blog post together with patches for three different vulnerabilities

in response to some attacks that they have observed taking advantage of these vulnerabilities.

Effected are Cisco is A and firepower devices, and the vulnerabilities being addressed

here are really more the privilege escalation part.

The initial attack vector, how the attacker originally got access as an authenticated user,

is not included here and they say they don't really know. So one assumption is that likely

that initial attack vector was just some weak username and password combination that was

brute forced or found somewhere else.

Cisco believes that the attacker started working on this back in July and in January

started actually launching the first attacks using this particular pattern and set of vulnerabilities.

Out of the three vulnerabilities, there are two particular interesting.

One is a local code execution vulnerability, the other one a command injection vulnerability.

Between the two, I think there is at least one sort of directory traversal vulnerability.

For example, one of these vulnerabilities allows an attacker who is able to

restore a backup to override files that they're not supposed to override. That's very common

when you're extracting SIP files and the like and not properly validating the paths. The files

are being written into,

...