Hello and welcome to the Tuesday, December 6, 2020 edition of the Santernut Storms, Stormcast.

My name is Johannes Ulrich and today I'm recording from San Francisco, California.

I mentioned, I think it was late last week, maybe Friday, about the latest version of VideoLens, VLC, fixing some critical

vulnerability.

DDA looked into this closer and was surprised that he didn't sort of see the update available

pop up from within the application.

He checked it manually and well, it turned out that the feed that they're using,

we see a simple web service, did still advertise the older version.

Earlier today, VideoLan did actually fix this problem, so you should see that update

now being advertised straight from within the

application.

And then bad news for everybody running a server with a baseboard management controller from

AMI, which, well, sadly, is probably pretty much sort of everybody.

Eclipseum has a blog post with details regarding three different vulnerabilities that they

identified. The most critical one has a CVSS score of 9.9 and it is a fairly straightforward

sort of command injection vulnerability in the Redfish API.

Redfish is sort of the more modern IPMI replacement, more built around web standards,

and with that, of course, inherits some of the standard web application vulnerability

that I'm actually teaching about here in San Francisco this week.

Only constraint here is that the badge code that you are injecting as part of the URL has to be,

well, first of all, valid bash code, but also a valid URL component because nothing here can be

sort of URL encoded. Well, they have a little

...