Hello and welcome to the Thursday, October 12, 2023 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Well, today as usually is a little bit a patch Tuesday cleanup episode.

Let's start out with new exploits. Microsoft stated in

relation has confirmed active exploitation of CVE 2023-22515. This vulnerability, which

was patched about a week ago, is apparently already actively being exploited. It does allow

an attacker to add an arbitrary administrative account to Atlacians, Confluence, Data Center, and

server. I've seen an exploit post on Twitter. No idea if it's actually correct but looks plausible.

Given that it fit in a tweet and can be run with a simple curl comment, it's a pretty

trivial exploit.

So I hope it's a little bit more complicated than that.

But definitely the exploit is out and available and being used.

And yes, we did get an update to curl today fixing a security vulnerability.

However, the security vulnerability didn't turn out to be all that big of a deal.

Now, it is a heap-based buffer overflow, which of course means that there is a potential

for code execution.

But in order to actually trigger the vulnerability, an attacker has to be able to feed an oversized

URL to curl that is then using a SOX5 proxy.

Given that most curl instances do not connect to a SOX5 proxy and that you definitely should

probably verify that you have a valid host name before you just pass a URL to curl.

The exploitation is likely limited to a very limited number of sort of edge cases.

So nothing to worry about too much.

...