CyberWire Daily - Signed, sealed, exploitable. [Research Saturday]
Episode Date: June 21, 2025Dustin Childs, Head of Threat Awareness at Trend Micro Zero Day Initiative, joins to discuss their work on "ZDI-23-1527 and ZDI-23-1528: The Potential Impact of Overly Permissive SAS Tokens on PC Mana...ger Supply Chains." The research explores two critical vulnerabilities (ZDI-23-1527 and ZDI-23-1528) that could have enabled attackers to hijack the Microsoft PC Manager supply chain via overly permissive SAS tokens in WinGet and official Microsoft domains. While the issues have since been resolved, the findings highlight how misconfigured cloud storage access can put trusted software distribution at risk. The post also includes detection strategies to help defenders identify and mitigate similar threats. The research can be found here: ZDI-23-1527 and ZDI-23-1528: The Potential Impact of Overly Permissive SAS Tokens on PC Manager Supply Chains Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set it and forget it
piece of mind.
And it's not just for individuals. Delete Me also offers solutions for businesses, helping
companies protect their employees' personal information and reduce exposure to social
engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your Delete Me plan.
Just go to joindeleteeme.com slash n2k and use promo code n2k at checkout.
That's joindeleteeme.com slash n2k, code n2k. Hello everyone and welcome to the CyberWires Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down
the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So they were looking at PC manager
and noticed that the SaaS tokens
that allowed access to the cloud resources
were overly permissive.
So as they dug into it, they found
that they could have allowed attackers to either retrieve
sensitive data in an information disclosure
or manipulate sensitive data in kind of a spoofing attack.
That's Dustin Childs, head of threat awareness
with Trend Micro's Zero Day Initiative.
The research we're discussing today
is titled ZDI-231527 and ZDI-231528, the potential impact
of overly permissive SaaS tokens on PC manager supply chains.
We get that the intent is to simplify access, but in cases like this, it actually unintentionally
introduced some serious security risk,
especially at the supply chain level.
I see. Well, let's back up a little bit here together.
Can you lay out for us what Microsoft PC Manager is
and the role it plays in the Windows ecosystem?
PC Manager is really designed to do what its name says,
and that's to manage PCs remotely.
And it's really a...
I call it an asymmetric tool because one person can then manage
a bunch of different PCs.
So you can manage your storage, you can have pop-up managements.
It's really meant to be a defensive tool,
but also a system administration tool to help in terms
of allowing someone to really have a lot of
control over the systems within their purview.
What about these shared access signature tokens?
What can you tell us about those?
SAS tokens are used to grant
limited access to Azure storage resources.
And really they're designed to say, okay, you as an individual get access to this specific resource and not others.
However, they can be configured too broadly.
And a lot of times that happens when people are just trying to make things work and they get it working.
They say, okay, don't touch it.
And they don't get restrictive enough.
And they can be abused by attackers to either alter software packages or inject malicious code,
effectively turning a helpful feature, like what a SaaS token really is, into a supply chain threat vector.
Well, in the research, you identified two vulnerabilities.
Let's start with the first one here, which involves the win-getage Manager and the overly permissive SAS token here.
Can you walk us through the issue?
Sure.
It really is, without getting deeply technical,
there's the token for this component.
It's just really overly permissive.
So it's really just designed to get specific packages.
Unfortunately, because the value is a little bit more broadly,
you can actually get more than you were intended to receive
or more than really what it's designed for.
And even to the point where,
like the max validity of the key we found was 9,999 years,
which really should, I don't think they're going to support Windows that long.
Yeah.
Well, you never know, right?
You never know.
I mean, XP is still out there someplace.
Industrial control systems, right?
Yeah.
Industrial control system, definitely.
But that's the thing with this particular token is we found that it was overly permissive and that we could get into the details of exactly where it was, but it's
really just giving you access to resources that it wasn't intended to.
Well, help me understand here. So the way that these tokens are configured and deployed,
I mean, is this permissiveness baked into them or is this something that the users are
configuring themselves?
Well, in this case, it's tokens that come from Microsoft.
So it's permissiveness that's baked in.
Now, it can be controlled and tightened down by the user.
And that's one thing that we are recommending to do.
But it's I mean, these are default tokens that are issued by Microsoft.
I see. Well, the second scenario you all described,
this involves downloads from PCManager.Microsoft.com.
What was the potential supply chain compromise here?
Well, in this case, what you really could do is,
it's a tool obviously for hijacking,
it could be used for hijacking PC manager.
And it's a tool that is very much recommended by Microsoft.
It's in the App Store. You can do a win-get for it.
The supply chain threat is here that it allows you to actually upload things
rather than just download.
So you could potentially upload zip files containing attacker controlled
malicious scripts or binary signed with leak certificates and so on. So you could actually
kind of infect what you're downloading, what others would be downloading, thereby impacting
the supply chain. I see. Are there any additional real world implications that you can think of that if attackers had exploited
these vulnerabilities?
Well, obviously the supply chain threat is there.
You could get packages to the Microsoft site
that would didn't be downloaded to others.
But I think the other thing is the spoofing information
where you could take something
and just make it look a little bit off
so that it wouldn't seem off at first glance until that data was acted on.
And that was really, I would almost say, like a nation-state sort of attack to be that subtle
if you're going to do something like this.
But also just the download of information.
You can learn a lot about somebody or a target just by downloading everything that they have available and looking at it.
So those are real world things and especially the information disclosure, I think is probably the most likely thing to occur.
But then uploading bad files or bad zip files or other things, that's the second most likely thing to occur like we discussed.
We'll be right back.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software
can run in your environment.
If it's not approved, it doesn't run.
Simple as that.
It's a way to stop ransomware and other attacks
before they start without adding
extra complexity to your day.
See how ThreatLocker can help you
lock down your environment at www.threatlocker.com.
So you all notified Microsoft upon discovering these sorts of things. What did that disclosure look like and what was Microsoft's response?
So we disclose a lot of things to Microsoft and we literally disclose 100 plus things
to Microsoft every year.
So we're very familiar with their process
and they're very familiar with us.
So it goes the same way where we contact the MSRC,
that's the Microsoft Security Response Center.
We hand them our report and say,
this is our problem.
This is what we have found in our research.
They say, okay, we'll open a case.
The first thing they do, I used to work at Microsoft as well. So I know this from both sides
They reproduce the issue and verify it and then begin working on a fix in this case since
The fix is really an online service. We reported it at the end of September and about a week later
They were able to address the vulnerability
Through an online service update.
Yeah.
It usually takes 90 to 120 days when we're talking about software vulnerabilities, like
something in Word or Windows or Excel, that sort of thing.
But online services, they're usually able to address within a week or two.
Like I said, it was about a week for this one.
That's interesting.
My next question was going to be,
how do folks calibrate their expectations
when having an exchange like this from Microsoft?
But it seems certainly in this case,
the response was pretty reasonable.
Yes, we think so.
And Microsoft is a very mature program.
They've been doing this since the early 2000s,
the MSRC has existed.
But that's not true of every vendor in every sector.
For example, certain sectors like IOT,
since you mentioned it before,
are very, what I would call immature
in the response process.
And their response takes much longer.
It is not as mature as the Microsofts,
the Apples, the Googles, et cetera.
Okay.
Well, for organizations who are relying on cloud storage and distribution,
what are the lessons here that we can learn regarding access controls and token permissions?
Yeah, I think the biggest thing is that
we'll always look for the privilege of least privilege,
the principle of least privilege.
Give permissions absolutely only necessary
for what you're doing for that task.
But I think the other thing to note is
there's a lot of configurations,
there's a lot of settings in these cloud services
that are easy to misunderstand.
And I don't want to put that on the end user
because Microsoft and these other cloud service providers
are also misunderstanding some of these things
in some of their own products and services.
So it definitely is one of the things
where you need to understand that there's definitely
problems in that cloud is not a panacea
and it's not automatically safe.
You need to really understand the controls, you need to understand the options, and you
need to understand the setup of a particular cloud service that you're using to ensure
that it actually is secure.
Do you have any tips and any words of wisdom in terms of best practices for organizations
looking to secure their supply chains against these sorts of things? Well, yeah, definitely.
And this sounds so simple and it's so silly.
But still the best thing you can do
is make sure that you're up to date on your security patches.
Everyone has been saying that for 20 years.
And it's still the best advice because zero days are very rare.
Even to this day, even though they are increasing,
they're still very rare.
N days, something that has been patched for N number of days,
are much, much more common and much, much more prevalent.
So the best thing you can do is stay up to date
on all of your security patches.
That could be difficult.
I know patch management is a very difficult thing,
even in the cloud space.
That's also a big thing in the cloud space, is a very difficult thing, even in the cloud space.
That's also a big thing in the cloud space,
is understand who is responsible, you
or the service provider, for applying updates,
for making those changes, for ensuring
that you're staying on top of all of the things that
are going on in the security world.
There's a lot of confusion in that, where end users will
think the vendor is doing it, but the vendor is actually not.
And that goes across multiple cloud vendors.
So definitely make sure you understand who is responsible for what in your cloud enterprise.
And whenever possible, make sure you are up to date on all of your patches.
All right.
Well, Dustin, I think I have everything I need for our story here. Is there anything
I missed, anything I haven't asked you that you think it's important to share?
Well, I mean, you touched on it a little bit, and I just think the concept of coordinated
disclosure is really important, both for security researchers, security vendors, and software
providers themselves. And that allows us all to work together with an established timeline,
with established kind of responsibilities to fix things before they are made public,
reducing the window of exposure of threat to the end user. Obviously, you know, we want to make
sure our research is put out there and known and we want to show that we have great researchers,
but we also don't want to put end users at risk.
And that's why coordinated disclosure,
it works so well for us because when we contact Microsoft,
they know what we are going to do
and we know what they are going to do.
So we work together to actually address
these security problems before they're exploited
by the threat actors and the really bad guys.
So that to me is one area where this really shows
how coordinated disclosure worked and worked well.
Our thanks to Dustin Childs from Trend Micro's Zero Day Initiative for joining us.
The research is titled, The Potential Impact of Overly Permissive SaaS Tokens
on PC Manager Supply Chains.
We'll have a link in the show notes.
We'd love to hear from you.
We're conducting our annual audience survey
to learn more about our listeners.
We're collecting your insights until the end of the summer.
There's a link in the show notes.
Please do check it out.
This episode was produced by Liz Stokes. We're mixed by Elliot Peltsman and Trey Hester.
Our executive producer is Jennifer Iben. Peter Kilpe is our publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here next time. you