
SANS Stormcast Thursday, February 26th, 2026: CLAIR Model; Cisco SD-WAN 0-Day; Cortex XDR Abuse; OpenSSL Vuln;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9826.mp3


Podcast Transcript

Hello and welcome to the Thursday, February 26, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today in Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals.

Our diary today comes from Claire Perry, a graduate of our bachelor's degree program. And this diary presents the CLAIR model. What this is about is critical infrastructure. And typically when you're dealing with critical infrastructure, one of the big security models and frameworks that's often being used is the Purdue model. The Purdue model is well-established and extremely useful to sort of talk about some of these infrastructure security threats. But as Claire Perry here points out, the model is very insular, in that it's great for you, like as an operator, as a utility, to talk about the security of an individual plant. But it kind of ignores the interdependencies because, well, you don't control many of them. So it just considers them sort of as inputs to your plant. Well, that's sort of what this is attempting to fix here. So this model, this framework, is looking very much at interdependencies, like, you know, external things, all the way to policies and such that may affect the security of your critical infrastructure systems. It's a proposal at this point. So if you have any feedback or such, I'm sure Claire is happy to hear about it.

And Cisco today published an advisory regarding a vulnerability affecting Catalyst SD-WAN controllers, also, I guess, formerly known as SD-WAN vSmart. This vulnerability, with a CVSS score of 10, allows an attacker without authentication to gain admin privileges on the device. What makes this even worse is that apparently it has been exploited since 2023. So two or three years already out there and being exploited, now discovered and finally being patched. Cisco's advisory also lists some indicators of compromise. Definitely pay attention to them and make sure that you are not already compromised, given how long this particular vulnerability has already been used. There's also an interesting Talos blog post for this vulnerability. I'll link in the show notes to both.

And yet another defensive product being abused by attackers: InfoGuard Labs is talking about how the Live Terminal, which is part of Cortex XDR, can be used as a command and control channel. Nothing really surprising here, in the sense that, you know, you have seen this with so many similar defensive products in the past, where you get command execution, PowerShell execution and the like just by using this trusted product, which of course then much more easily flies under the radar and is not being detected. As I mentioned before, you must control these command and control channels that you are using defensively to manage your systems, to make sure they're not being abused, which means you need the audit logs and the like to be able to review who is doing what with these systems and, well, set up the necessary alerts to constrain any malicious behavior. So if you're using Cortex XDR, take a look at this particular post here to figure out, you know, how this applies to your particular installation.

Well, and OpenSSL published another update, fixing a vulnerability that OpenSSL ranks high. It's a stack-based buffer overflow that could be exploited via S/MIME, for example, like if you have some authenticated envelope data and such, and particularly if you're using AES-GCM as a cipher, which of course is not that unlikely. And essentially it happens when you are parsing untrusted CMS or PKCS#7 data. The exploitability here is a little bit more tricky. It's definitely exploitable for a denial of service; basically it crashes the process that is doing the parsing, but could potentially lead to code execution. With stack-based buffer overflows, of course, exploitability depends a lot on what kind of safeguards the operating system, the compilers and so on put in place. So that varies depending on the system you're working on and typically is not easily exploitable these days if modern best practices were used.

Well, and the good old idea of tarpitting is back. These days it comes up when AI companies are spidering and collecting data from various websites. The problem right now, of course, is that AI companies are building their models using data that's not necessarily supposed to be used for building AI models. So they're bypassing some of the copyright protections and such that you may have applied to your site. But, well, tarpitting still works, and what tarpitting usually refers to is where you basically just, well, clog a particular attacker with more or less invalid data, in this case. So you're basically just throwing noise at the agent that is collecting data from your website, hoping that it will be built into the AI model and render it less useful. And essentially just, well, create more work for the AI companies trying to figure out your data. This is a blog post by Portspoof that was published yesterday. And, well, if you want to look at some of their methods, definitely take a look. And yes, you know, some websites already deployed similar ideas.

Well, and that's it for today. So thanks for listening. Thanks for liking. Thanks for subscribing to this podcast. And as always, special thanks to anybody leaving a good comment on your favorite podcast platform. Thanks and talk to you again tomorrow. Bye.
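To make the tarpitting idea from the last segment concrete, here is a small illustrative tarpit server. It is an added example written for this page, not code from the episode, from the Internet Storm Center, or from the blog post mentioned; the User-Agent markers and the word list are constructed placeholders that a site operator would replace with their own, and the paths under `/tarpit/` are an assumption. The server only answers requests whose User-Agent matches a configured crawler marker; everything else gets a 404. Matching crawlers receive a page of deterministic nonsense prose plus links to further tarpit URLs, streamed slowly in small chunks, so the crawler both wastes time on the connection and keeps finding "new" pages that carry no real content.

```python
import hashlib
import random
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder substrings matched against the User-Agent header.
# An operator would maintain this list themselves; it is not a vetted catalogue.
CRAWLER_MARKERS = ("gptbot", "ccbot", "claudebot", "bytespider", "example-ai-crawler")

# Small vocabulary for generating plausible-looking but meaningless sentences.
WORDS = ("quarterly", "lattice", "protocol", "harbor", "entropy", "ledger",
         "bramble", "signal", "meridian", "cipher", "orchard", "kernel",
         "dividend", "sonnet", "turbine", "archive")


def is_ai_crawler(user_agent: str) -> bool:
    """Return True if the User-Agent contains one of the configured markers."""
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def noise_page(path: str, links: int = 10, sentences: int = 40) -> str:
    """Build a deterministic HTML page of nonsense prose plus links into the tarpit.

    The content is a pure function of the requested path: the same URL always
    yields the same page (so it can be cached or reproduced), while the links
    point at fresh tarpit URLs, giving the crawler an unbounded graph to follow.
    """
    seed = int(hashlib.sha256(path.encode()).hexdigest(), 16)
    rng = random.Random(seed)
    body = []
    for _ in range(sentences):
        n = rng.randint(6, 14)
        body.append(" ".join(rng.choice(WORDS) for _ in range(n)).capitalize() + ".")
    anchors = []
    for _ in range(links):
        token = "%08x" % rng.getrandbits(32)  # hypothetical /tarpit/<token> layout
        anchors.append(f'<a href="/tarpit/{token}">{rng.choice(WORDS)}</a>')
    return (
        "<html><body>"
        + "<p>" + " ".join(body) + "</p>"
        + "<ul>" + "".join(f"<li>{a}</li>" for a in anchors) + "</ul>"
        + "</body></html>"
    )


class TarpitHandler(BaseHTTPRequestHandler):
    """Serve noise slowly to matched crawlers; answer 404 to everyone else."""

    chunk_size = 64     # bytes written per step
    chunk_delay = 0.5   # seconds between steps, keeps the crawler's socket busy

    def do_GET(self):
        if not is_ai_crawler(self.headers.get("User-Agent", "")):
            self.send_response(404)
            self.end_headers()
            return
        page = noise_page(self.path).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        # Trickle the response out so each request holds the crawler for a while.
        for i in range(0, len(page), self.chunk_size):
            try:
                self.wfile.write(page[i:i + self.chunk_size])
                self.wfile.flush()
            except (BrokenPipeError, ConnectionResetError):
                return  # crawler gave up; nothing more to do
            time.sleep(self.chunk_delay)

    def log_message(self, format, *args):
        pass  # keep the demo quiet; a real deployment would log hits instead


if __name__ == "__main__":
    # Bind locally for the demo; put it behind a reverse proxy in real use.
    HTTPServer(("127.0.0.1", 8080), TarpitHandler).serve_forever()
```

The two tunables that matter are `chunk_delay` and `links`: a longer delay ties up each crawler connection for longer, and more links per page enlarge the fake site graph. Keep the `robots.txt` and real content of the site untouched; the tarpit only ever answers on the paths and User-Agents you route to it.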