Signed, sealed, exploitable. [Research Saturday] - CyberWire Daily

Summary5 min read

CyberWire Daily: Signed, Sealed, Exploitable [Research Saturday] - June 21, 2025

Hosted by Dave Bittner and featuring Dustin Childs from Trend Micro's Zero Day Initiative, this episode delves into critical cybersecurity vulnerabilities related to Microsoft’s PC Manager and the implications of overly permissive SaaS tokens.

Introduction to Research Saturday

In this episode of CyberWire Daily’s Research Saturday, host Dave Bittner engages with cybersecurity expert Dustin Childs, Head of Threat Awareness at Trend Micro's Zero Day Initiative. The discussion centers around recent vulnerabilities discovered in Microsoft’s PC Manager and the broader implications for cloud security and supply chain integrity.

Understanding Microsoft PC Manager

Dave Bittner initiates the conversation by seeking clarity on Microsoft PC Manager and its role within the Windows ecosystem.

[02:39] Dustin Childs: "PC Manager is really designed to do what its name says, and that's to manage PCs remotely... it's really meant to be a defensive tool, but also a system administration tool to help in terms of allowing someone to really have a lot of control over the systems within their purview."

PC Manager serves as a pivotal tool for remote PC management, enabling administrators to control multiple systems efficiently. However, its extensive control capabilities also make it a potential target for malicious exploitation if not properly secured.

The Role and Risks of SAS Tokens

The conversation shifts to Shared Access Signature (SAS) tokens, critical components in Azure's cloud infrastructure.

[03:16] Dustin Childs: "SAS tokens are used to grant limited access to Azure storage resources... they can be abused by attackers to either alter software packages or inject malicious code, effectively turning a helpful feature like what a SaaS token really is into a supply chain threat vector."

SAS tokens are designed to provide scoped access to specific Azure resources. However, when configured with overly broad permissions, they become a significant security risk, potentially allowing unauthorized access and manipulation of sensitive data.

Unveiling Two Critical Vulnerabilities

Dustin Childs outlines two primary vulnerabilities identified in the research ZDI 231527 and ZDI 231528:

Overly Permissive Tokens in Winget Package Manager

[04:07] Dustin Childs: "The token for this component... has a max validity of 9,999 years, which really should. I don't think they're going to support Windows that long."

The Winget Package Manager utilizes tokens intended for fetching specific packages. However, the tokens in question were excessively permissive, granting access far beyond intended scopes, including an impractical token validity period of nearly 10,000 years. This broad access could enable attackers to retrieve or manipulate sensitive data undetected.
Supply Chain Compromise via PC Manager Downloads

[05:54] Dustin Childs: "...it allows you to actually upload things rather than just download. So you could potentially upload zip files containing attacker controlled malicious scripts or binary signed with valid certificates and so on."

The vulnerability in pcmanager.microsoft.com allows not only downloading but also uploading of potentially malicious files. This capability could be exploited to introduce malicious code into the supply chain, compromising the integrity of software distributed through PC Manager.

Real-World Implications of the Vulnerabilities

Discussing the potential impact, Dustin highlights several serious consequences:

[06:43] Dustin Childs: "You could learn a lot about somebody or a target just by downloading everything that they have available and looking at it. So those are real world things and especially the information disclosure I think is probably the most likely thing to occur."

The vulnerabilities could lead to significant information disclosure, enabling attackers to steal sensitive data. Additionally, the ability to upload malicious content poses a threat to the software supply chain, potentially allowing widespread distribution of compromised software packages.

Coordinated Disclosure and Microsoft's Response

Dave inquires about the disclosure process to Microsoft and their subsequent response.

[09:54] Dustin Childs: "We disclose a lot of things to Microsoft and we literally disclose 100 plus things to Microsoft every year... In this case, since the fix is really an online service, we reported it at the end of September and about a week later they were able to address the vulnerability through an online service update."

Trend Micro follows a coordinated disclosure strategy, working closely with Microsoft’s Security Response Center (MSRC) to ensure vulnerabilities are addressed promptly. In this instance, Microsoft resolved the issue within a week, showcasing an effective and mature vulnerability management process.

Lessons for Organizations: Access Controls and Token Permissions

Dave prompts Dustin to share key lessons for organizations relying on cloud storage and distribution.

[11:52] Dustin Childs: "Always look for the principle of least privilege. Give permissions absolutely only necessary for what you're doing for that."

Emphasizing the principle of least privilege, Dustin advises organizations to meticulously configure access controls, ensuring that permissions granted to tokens are strictly limited to what is essential. Misconfigurations can inadvertently expose critical resources to unauthorized access.

Best Practices for Securing Supply Chains

Furthering the discussion, Dustin outlines essential best practices for safeguarding supply chains against such vulnerabilities:

[13:01] Dustin Childs: "Make sure that you're up to date on your security patches... understand who is responsible, you or the service provider, for applying updates, for making those changes."

Key recommendations include:

Regular Patch Management: Keeping systems and software updated to mitigate known vulnerabilities.
Clarifying Responsibilities: Understanding the division of security responsibilities between the organization and service providers, especially in cloud environments.
Vigilant Configuration Management: Ensuring that cloud services are configured correctly to prevent overly permissive access.

The Importance of Coordinated Disclosure

Wrapping up, Dustin underscores the significance of collaborative efforts in vulnerability management.

[14:27] Dustin Childs: "The concept of coordinated disclosure is really important... it allows us all to work together... reducing the window of exposure of threat to the end user."

Coordinated disclosure ensures that vulnerabilities are addressed before they become publicly exploitable, enhancing overall cybersecurity resilience. This collaborative approach benefits researchers, vendors, and end-users alike by minimizing the risk of exploitation.

Conclusion

This episode of CyberWire Daily highlights the critical nature of proper configuration and management of access tokens in cloud services. The discussion with Dustin Childs provides valuable insights into the vulnerabilities present in Microsoft’s PC Manager, the potential ramifications of such security lapses, and the best practices organizations should adopt to fortify their defenses. Emphasizing the importance of coordinated disclosure and proactive security measures, this episode serves as a crucial guide for cybersecurity professionals aiming to protect their organizations against evolving cyber threats.

For more detailed information, listeners are encouraged to review the full research report titled "The Potential Impact of Overly Permissive SaaS Tokens on PC Manager Supply Chain" available in the Show Notes.

Loading summary

Transcript32 lines

[00:02]
Dustin Childs
You're listening to the Cyberwire network, powered by N2K.
[00:12]
Dave Bittner
And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire hello everyone and welcome to the Cyberwires Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
[01:32]
Dustin Childs
So they were looking at PC Manager and noticed that the SaaS tokens that allowed access to the cloud resources were overly permissive. So as they dug into it, they found that they could have allowed attackers to either retrieve sensitive data in an information disclosure or manipulate sensitive data in kind of a spoofing attack.
[01:50]
Dave Bittner
That's Dustin Childs, head of Threat awareness with Trend Micro's zero day initiative. The research we're discussing today is titled ZDI 231527 and ZDI 231528 the potential impact of overly permissive SaaS tokens on PC manager supply chains.
[02:16]
Dustin Childs
And we get that the intent is to simplify access, but in cases like this, it actually unintentionally introduced some serious security risk, especially at the supply chain level.
[02:27]
Dave Bittner
I see. Well, let's back up a little bit here together. Can you lay out for us what Microsoft PC Manager is and the role it plays in the Windows ecosystem?
[02:39]
Dustin Childs
PC Manager is really designed to do what its name says, and that's to manage PCs remotely. And it's really, I call it an asymmetric tool because one person can then manage a bunch of different PCs. So you can manage your storage, you can have pop up management, you can, it's really meant to be a defensive tool, but also a system administration tool to help in terms of allowing someone to really have a lot of control over the systems within their purview.
[03:11]
Dave Bittner
And what about these shared access signature tokens? What can you tell us about those?
[03:17]
Dustin Childs
So SAS tokens are used to grant limited access to Azure storage resources. And really they're designed to say, okay, you as an individual get access to this specific resource and not others. However, they can be configured too broadly. And a lot of times that happens when people are just trying to make things work and they get it working. They say, okay, don't touch it. And they don't get restrictive enough. And they can be abused by attackers to either alter software packages or inject malicious code, effectively turning a helpful feature like what a SaaS token really is into a supply chain threat vector.
[03:52]
Dave Bittner
Well, in the research you identify two vulnerabilities. Let's start with the first one here, which involves the Winget package manager and the overly permissive SaaS token here. Can you walk us through the issue?
[04:07]
Dustin Childs
Sure. And it really is, without getting deeply technical, the token for this component, it's just really overly permissive. So it's really just designed to get specific packages. Unfortunately, because the value is a little bit more broadly, you can actually get more than you were intended to receive or more than really what it's designed for. And even to the point where like the max validity of the key we found was 9,999 years, which really should. I don't think they're going to support Windows that long.
[04:48]
Dave Bittner
Yeah, well, you never know, right?
[04:50]
Dustin Childs
You never know. I mean, XP is still out there someplace.
[04:52]
Dave Bittner
Industrial control systems, right?
[04:54]
Dustin Childs
Yeah, industrial control system, definitely. But that's the thing with this particular token is we found that it was overly permissive and that we could get into the details of exactly where it was, but it's really just giving you access to resources that it wasn't intended to.
[05:11]
Dave Bittner
Well, help me understand here. So the way that these tokens are configured and deployed, I mean, is this permissiveness baked into them or is this something that the users are configuring themselves?
[05:24]
Dustin Childs
Well, in this case it's tokens that come from Microsoft. So it's permissiveness that's baked in now. It can be controlled and tightened down by the user. And that's one thing that we are recommending to do. But it's. I mean, these are default tokens that are issued by Microsoft.
[05:42]
Dave Bittner
I see. Well, the second scenario you all described, this Involves downloads from pcmanager.Microsoft.com what was the potential supply chain compromise here?
[05:55]
Dustin Childs
Well, in this case, what you really could do is it's a tool, obviously for hijacking. It could be used for hijacking PC Manager. And it's a tool that is very much recommended by Microsoft. It's in the App Store. You can do a Winget for it. The supply chain threat is here that it allows you to actually upload things rather than just download. So you could potentially upload zip files containing attacker controlled malicious scripts or binary signed with leak certificates and so on. So you could actually kind of infect what you're downloading, what others would be downloading, thereby impacting the supply chain.
[06:35]
Dave Bittner
I see. Are there any additional real world implications that you can think of that if attackers had exploited these vulnerabilities?
[06:44]
Dustin Childs
Well, obviously the supply chain threat is there. You could get packages to the Microsoft site that didn't be downloaded to others. But I think the other thing is the spoofing information where you could take something and just make it look a little bit off so that it wouldn't seem off at first glance until that data was acted on. And that was really, I would almost say like a nation state sort of attack to be that subtle if you're going to do something like this. But also just the download of information. You could learn a lot about somebody or a target just by downloading everything that they have available and looking at it. So those are real world things and especially the information disclosure I think is probably the most likely thing to occur. But then uploading bad files or bad zip files or other things, that's the second most likely thing to occur like we discussed.
[07:43]
Dave Bittner
We'll be right back. Hey everybody. Dave here. I've talked about delete me before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. Deleteme keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Deleteme team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. Deleteme also offers solutions for businesses helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your DeleteMe plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K. Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Cempras created Purple Knight, the free security assessment tool. That scans your active directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Night to stay ahead of threats. Download it now at sempras.com purple-knight that's sempras.com purple-night so you all notified Microsoft upon discovering these sorts of things. What did that disclosure look like and what was Microsoft's response?
[09:55]
Dustin Childs
So we disclose a lot of things to Microsoft and we literally disclose 100 plus things to Microsoft every year. So we're very familiar with their process and they're very familiar with us. So it goes the same way where we contact the msrc, that's the Microsoft Security Response Center. We hand them our report and say, this is our problem. This is what we have found in our, you know, research. And they say, okay, we'll open a case. They the first thing they do. I used to work at Microsoft as well, so I know this from both sides. They reproduce the issue and verify it and then begin working on a fix. In this case, since the fix is really an online service, we reported it at the end of September and about a week later they were able to address the vulnerability through an online service update. Yeah, I mean it usually takes 90 to 120 days when we're talking about software vulnerabilities like something in Word or Windows or Excel, that sort of thing. But online services, they're usually able to address within a week or two. Like I said, it was about a week for this one.
[10:59]
Dave Bittner
Oh, that's interesting. My next question was going to be how do folks calibrate their expectations when having an exchange like this from Microsoft? But it seems certainly in this case the response was pretty reasonable.
[11:14]
Dustin Childs
Yes, we think so. And Microsoft is a very mature program. They've been doing this since the early 2000s. The MSRC has existed, but that's not true of every vendor in every sector. For example, certain sectors like IoT, since you mentioned it before, are very what I would call immature in the response process and their response takes much longer. It is not as mature as the Microsofts, the Apples, the Googles, et cetera.
[11:41]
Dave Bittner
Okay, well, for organizations who are relying on cloud storage and distribution, what are the lessons here that we can learn regarding access controls and token permissions?
[11:53]
Dustin Childs
Yeah, I think the biggest thing is that, well, always look for the privilege of least privilege. The principle of least privilege, give permissions absolutely only necessary for what you're doing for that. But I think the other thing to note is there's a lot of configurations. There's a lot of settings in these cloud services that are easy to misunderstand. And I don't want to put that on the end user because Microsoft and these other cloud service providers are also misunderstanding some of these things in some of their own products and services. So it definitely is one of the things where you need to understand that there's definitely problems in that cloud is not a panacea and it's not automatically safe. You need to really understand the controls, you need to understand the options, and you need to understand the setup of a particular cloud service that you're using to ensure that it actually is secure.
[12:52]
Dave Bittner
Do you have any tips and any words of wisdom in terms of best practices for organizations looking to secure their supply chains against these sorts of things?
[13:02]
Dustin Childs
Well, yeah, definitely. And this sounds so simple and it's so silly, but still, the best thing you can do is make sure that you're up to date on your security patches. Everyone has been saying that for 20 years and it's still the best advice because zero days are very rare even to this day. Even though they are increasing, they're still very rare in days something has been patched for n number of days are much, much more common and much, much more prevalent. So the best thing you can do is stay up to date on all of your security patches. That can be difficult. I know patch management is a very difficult thing, even in the cloud space. That's also a big thing in the cloud space is understand who is responsible, you or the service provider, for applying updates, for making those changes, for ensuring that you're staying on top of all of the things that are going on in the security world. There's a lot of confusion in that where end users will think the vendor is doing it, but the vendor is actually not. And that goes across multiple cloud vendors. So definitely make sure you understand who is responsible for what in your cloud enterprise. And whenever possible, make sure you are up to date on all of your patches.
[14:18]
Dave Bittner
All right, well, Dustin, I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share?
[14:28]
Dustin Childs
Well, I mean, you touched on it a little bit, and I just think the concept of coordinated disclosure is really important, both for security researchers, security vendors and software providers themselves. And that allows us all to work together with an established timeline, with established kind of responsibilities to fix things before they are made public, reducing the window of exposure of threat to the end user. Obviously, we want to make sure our research is put out there and known. And we want to show that we have great researchers, but we also don't want to put end users at risk. And that's why coordinated disclosure works so well for us. Because when we contact Microsoft, they know what we are going to do and we know what they are going to do. So we work together to actually address these security problems before they're exploited by the threat actors and the really bad guys. So that, to me, is one area where this really shows how coordinated disclosure worked and worked well.
[15:36]
Dave Bittner
Our thanks to Dustin Childs from Trend Micro's Zero Day initiative for joining us. The research is titled the Potential Impact of overly permissive SaaS tokens on PC manager supply chain. We'll have a link in the Show Notes. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until the end of the summer. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here next time.