
Critical Vulnerabilities Discussed in SANS Internet Storm Center Stormcast
In the July 3, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich discusses several critical vulnerabilities and their implications for computer security.

The first vulnerability concerns the sudo command under Linux, discovered by Rich Mirch of Stratascale. The flaw is relatively easy to exploit, and example exploitation code was provided in Mirch's blog post. Patches are available for all current Linux distributions, but some older versions do not need patching because the vulnerability was introduced in a more recent version of sudo. The issue lies in sudo's chroot option, which is meant to run a command in a restricted environment. That option, however, lets a user supply files that sudo itself will load and execute, which creates the security flaw. Unlike earlier sudo vulnerabilities, which bypassed restrictions in the sudo configuration, this flaw allows any user on the system to execute commands as root regardless of how sudo is configured.

Next, Ullrich addresses a weakness in the ZIP file format. Although the format is old, it contains an interesting ambiguity. The end of central directory record holds both the number of entries and the size of the central directory. Some software uses the entry count to determine the contents of the ZIP file, while other software uses the size. This divergence means different tools can see different contents when inspecting the same ZIP file, and an attacker could exploit the ambiguity to get a victim to open a file that a scanner did not properly inspect. There is no universal solution to this problem; the recommendation is to use consistent implementations and to refuse to process ZIP files in which these two fields do not agree.

Finally, Ullrich mentions critical updates from Cisco for Unified Communications Manager. The key vulnerability is a set of static SSH root credentials that were originally intended for development but shipped in production builds. These credentials allow an attacker to log in easily, and users cannot change or remove them without applying the latest patch.

This information is crucial for system administrators and IT security professionals. It is essential to stay informed about the latest vulnerabilities and to ensure that systems are properly updated to avoid exploitation.
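The ZIP consistency check recommended above, as an added example that is not from the Stormcast or from any of the projects it mentions: it reads the end of central directory (EOCD) record, walks the central directory using its declared size, and flags an archive whose declared entry count disagrees with the number of headers actually found. The sample archive is constructed in memory with Python's standard `zipfile` module, and the tampered variant is produced by patching the EOCD entry-count fields by hand.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record signature
CDH_SIG = b"PK\x01\x02"    # central directory file header signature


def parse_eocd(data: bytes) -> dict:
    """Locate the 22-byte EOCD record (it may be followed by a comment of up to 65535 bytes)."""
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if pos < 0:
        raise ValueError("no EOCD record found")
    (_, _disk, _cd_disk, _entries_disk, entries_total,
     cd_size, cd_offset, _comment_len) = struct.unpack("<4sHHHHIIH", data[pos:pos + 22])
    return {"entries": entries_total, "cd_size": cd_size, "cd_offset": cd_offset}


def walk_central_directory(data: bytes, cd_offset: int, cd_size: int) -> list:
    """Return the file names of every central directory header inside the declared size."""
    names, pos, end = [], cd_offset, cd_offset + cd_size
    while pos + 46 <= end and data[pos:pos + 4] == CDH_SIG:
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def check_consistency(data: bytes) -> tuple:
    """Return (declared_count, walked_count, consistent); reject the file when they differ."""
    eocd = parse_eocd(data)
    names = walk_central_directory(data, eocd["cd_offset"], eocd["cd_size"])
    return eocd["entries"], len(names), eocd["entries"] == len(names)


def build_sample(tamper: bool) -> bytes:
    """Constructed two-entry archive; with tamper=True the EOCD claims only one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("second.txt", "world")
    data = bytearray(buf.getvalue())
    if tamper:
        pos = data.rfind(EOCD_SIG)
        struct.pack_into("<HH", data, pos + 8, 1, 1)  # entries on disk, total entries
    return bytes(data)


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "clean", check_consistency(build_sample(tampered)))
```

A count-driven reader of the tampered archive sees one file while a size-driven reader sees two, which is exactly the divergence a scanner should treat as grounds for rejection.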