Hello, welcome to the Thursday, October 29th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, I don't do this usually unless I get the date wrong, but we had some late-breaking news just as I made this podcast live so I'm

stitching this in and re-releasing the audio file we're seeing some active

exploitations against a web logic vulnerability that was patched a week ago

CVE 2020 14882. It had a CVSS score of 9.8. And as you can tell by

some of the exploits that we are seeing against our honeypots, this is possibly a trivial remote code

execution.

At this point, we are just seeing attackers probing our honeypot to figure out if it's vulnerable.

So more about this, probably any day during the day tomorrow or today, depending on when

you're listening to this.

Back in March, Microsoft published a patch for the SMB Ghost Vulnerability, CVE 2020-0796. And this vulnerability has rightfully so gotten quite a bit of attention because its CVSS score was 10, basically allowing

a full remote compromise without any logging in or any user interaction.

So it's as bad as it goes.

Jan today reminds us that there is still a lot of vulnerable systems that are still connected to the

internet. About 8% of all IP addresses that have port 445 exposed to the internet are vulnerable

to the SMB ghost vulnerability. And well of course we can just guess what it looks like internal to network,

so in not publicly exposed IP addresses, but I would expect this to be even worse.

The real problem here is that we have about 8% of hosts that are unmaintained,

unpatched, and probably vulnerable to a lot more than

S&B Ghost, but it's actually a little bit, one of the more difficult to exploit vulnerabilities.

And while the individual owners of these machines may not really care about these machines,

...