SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Friday, July 18th, 2025: Extended File Attributes; Critical Cisco ISE Patch; VMWare Patches; Quarterly Oracle Patches

SANS ISC Handlers


🗓️ 18 July 2025

⏱️ 5 minutes

Summary


Hiding Payloads in Linux Extended File Attributes
Xavier today looked at ways to hide payloads on Linux, similar to how alternate data streams are used on Windows. Turns out that extended file attributes do the trick, and he presents some scripts to either hide data or find hidden data.
https://isc.sans.edu/diary/Hiding%20Payloads%20in%20Linux%20Extended%20File%20Attributes/32116
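An added example, not Xavier's scripts from the diary: a Python scanner in the spirit of his "find" script that walks a directory, lists every file's extended attributes, and flags names outside a small allowlist or values that decode as Base64, the encoding the hiding script uses. The allowlist in KNOWN_XATTRS is an assumption to adjust per environment.

```python
import base64
import binascii
import os

# Assumed allowlist of attribute names normally present on Linux hosts; extend per environment.
KNOWN_XATTRS = {
    "security.selinux", "security.capability",
    "system.posix_acl_access", "system.posix_acl_default",
    "user.xdg.origin.url", "user.xdg.referrer.url",  # browser origin tags, the "mark of the web"
}

def looks_base64(value: bytes) -> bool:
    """True if the value is well-formed Base64 of non-trivial length (how the diary's script stores data)."""
    stripped = value.strip()
    try:
        return len(stripped) >= 8 and len(base64.b64decode(stripped, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False

def assess_xattrs(attrs: dict) -> list:
    """Return (name, reason, size) for every attribute that is not on the allowlist."""
    findings = []
    for name, value in attrs.items():
        if name in KNOWN_XATTRS:
            continue
        if looks_base64(value):
            reason = "base64 payload"
        elif name.startswith("user."):
            reason = "unexpected user.* attribute"
        else:
            reason = "unknown namespace"
        findings.append((name, reason, len(value)))
    return findings

def scan(root: str) -> list:
    """Walk a tree without following symlinks; read each file's xattrs and report suspicious ones."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                names = os.listxattr(path, follow_symlinks=False)
                attrs = {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
            except OSError:  # unsupported filesystem, permission denied, file vanished
                continue
            if findings := assess_xattrs(attrs):
                report.append((path, findings))
    return report
```

Call `scan("/path/to/check")` on a Linux host; each entry pairs a file path with the attributes worth a second look, so the `base64 payload` hits can be decoded and reviewed by hand.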
Cisco Patches Critical Identity Services Engine Flaw CVE-2025-20281, CVE-2025-20337, CVE-2025-20282
An unauthenticated user may execute arbitrary code as root across the network due to improperly validated data in Cisco's Identity Services Engine.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
Oracle Critical Patch Update
Oracle patched 309 flaws across 111 products. 9 of these vulnerabilities have a critical CVSS score of 9.0 or higher.
https://www.oracle.com/security-alerts/cpujul2025.html
Broadcom releases VMware Updates
Broadcom fixed a number of vulnerabilities for ESXi, Workstation, Fusion, and Tools.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

Transcript

0:00.0

Hello and welcome to the Friday, July 18, 2025 edition of the SANS Internet Storm Center Stormcast.

0:07.8

My name is Johannes Ullrich, recording today from Washington, D.C.

0:12.1

And this episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations.

0:20.6

Well, after spending maybe a little bit too much time with alternate data streams,

0:24.3

Xavier decided to look at the Linux side of this particular problem and figure out how

0:31.0

something similar can be done in Linux.

0:33.1

Of course, Linux does not have alternate data streams, but it has something a little bit similar,

0:39.8

extended attributes.

0:41.3

Extended attributes can be used for things like Mark of the Web, just like in Windows

0:47.3

with alternate data streams.

0:49.3

It can also be used to, for example, encode POSIX ACLs, which is one of the probably more common uses of xattr or extended attributes.

1:03.7

Xavier implemented a little script that can be used to take some data, then Base64 encode it,

1:11.5

and split it up across different files, appended as extended attributes.

1:17.9

He also wrote a script to then retrieve the data again,

1:21.4

so that's pretty much all you need to then hide data in extended attributes.

1:28.4

Extended attributes can also just be searched for,

1:32.0

and that's another thing that Xavier wrote,

1:34.8

a little script to find files with extended attributes.

1:38.2

It basically lists the names of these extended attributes,

1:40.4

as well as the content,

1:41.7

to allow you to double check if, well, these are normal,

1:44.3

like, for example, POSIX or if there may be some malware hiding data in this particular

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
