Hello and welcome to the Wednesday, April 17th, 2024 edition of the Sandcent Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Washington, D.C. Well, it took

less than a weekend. It's out. We got all the details necessary in order to exploit the Palo Alto Network's Global Protect

Wornability.

Turns out the vulnerability is a directory traversal vulnerability in the session ID.

So the way the exploit works is that the attacker would send a cookie.

That cookie takes advantage of this directory traversal vulnerability to write a file, and

that's sort of where a second part here comes in.

That file is then being executed by the telemetry component.

Watchtower, Rapid 7 and others have written some good detailed

write-ups about how this vulnerability exactly works and how it's being exploited, but we are

now seeing sort of these random internet-wide exploits. I posted one in a diary today. This particular version of the exploit

that was observed and was sent to us, does copy the configuration file to a readable directory.

So an attacker could basically use the exploit, copy the configuration file, and then just read it by pointing a web browser to the file that was created.

Well, there are a couple of constraints the developer of the exploit had to overcome in order to make this a working reliable exploit.

In hindsight, of course, these are always pretty easy,

and at this point, it should be pretty straightforward to deploy your favorite crypto miner,

ransomware, or web shell in order to further exploit the system. And over the last couple of days,

a vulnerability in the very popular SSH Klein Patti was discovered

that puts the private key at risk in case you're using the NIST P521 curve.

This particular elastic curve algorithm, like all similar algorithms, does rely on a nuns,

a random value that's unique to a particular connection as the keys are exchanged.

...