SANS Stormcast (Oct 30, 2025) – Summary
Host: Johannes B. Ullrich
Main Topics: Memory-Only Filesystems Forensics, Azure Outage, Docker Compose Vulnerability
Episode Overview
This episode centers on three current cybersecurity developments: forensic challenges of memory-only (RAM-disk) filesystems in Linux, a significant authentication outage with Microsoft Azure’s Front Door service, and a newly patched vulnerability in Docker Compose that could allow writes outside the expected directory. Johannes B. Ullrich provides practical insight and context to each topic, referencing listener feedback and industry news.
Key Discussion Points & Insights
1. Memory-Only (RAM-disk) Filesystems and Forensics
[00:22]
- Overview:
Jim’s diary discusses forensic challenges when dealing with memory-only filesystems in Linux, such as /dev/shm and a RAM-mounted /tmp.
- Technical Difficulty:
Unlike disk-based filesystems, these have no associated block device, so traditional disk imaging tools like dd won’t work.
- Jim’s Shell Script:
- Suggests collecting metadata with stat and copying individual files.
- Admits it’s not forensically perfect (“doesn’t… create a bit by bit copy” [00:47]), but it’s practical.
- Potential Issues:
- Cautions regarding “odd file names… as you’re passing them to the command line” [01:07].
- Recommends checking file names before copying.
- Listener asked for a follow-up diary to address more edge cases.
- Engagement:
Johannes invites further suggestions: “If anybody has any other better ideas, please let me know.” (01:24)
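The stat-plus-copy approach discussed above, written out as an added example (this is not Jim’s diary script). It passes file names NUL-delimited so the “odd file names” problem never reaches the shell, records metadata before the file is read, and flags names with non-printable bytes for review; it assumes GNU coreutils and the constructed demo directory below.

```bash
#!/usr/bin/env bash
# Added example: collect files plus metadata from a memory-only filesystem
# such as /dev/shm, where dd has no block device to image. Names are passed
# NUL-delimited so spaces, quotes, newlines and leading dashes never reach
# shell word splitting. Assumes GNU coreutils (stat -c, cp --parents, sha256sum).
set -u

# collect_memfs SRC DEST: copies every regular file under SRC into DEST/files,
# records stat metadata and SHA-256 hashes, flags odd names, prints file count.
collect_memfs() {
    local src=$1 dest=$2
    mkdir -p "$dest/files"
    : > "$dest/metadata.txt"; : > "$dest/sha256.txt"; : > "$dest/odd_names.txt"
    # NUL is the only byte a Linux path cannot contain, so -print0/read -d ''
    # is the one delimiter that is safe for arbitrary file names.
    find "$src" -type f -print0 | while IFS= read -r -d '' f; do
        # Names with non-printable bytes deserve a second look before any
        # manual handling (under the C locale this also flags non-ASCII);
        # printf %q writes each one shell-escaped on a single line.
        case "$f" in
            *[![:print:]]*) printf '%q\n' "$f" >> "$dest/odd_names.txt" ;;
        esac
        # Record owner, group, mode, size, atime, mtime, ctime BEFORE reading
        # the file: cp and sha256sum may update atime on the live system.
        printf '%q %s\n' "$f" "$(stat -c '%u %g %a %s %X %Y %Z' -- "$f")" \
            >> "$dest/metadata.txt"
        # --parents rebuilds the source path under DEST/files, -p keeps
        # mode/owner/timestamps on the copy, -- stops option parsing.
        cp --parents -p -- "$f" "$dest/files/"
        sha256sum -- "$f" >> "$dest/sha256.txt"
    done
    wc -l < "$dest/sha256.txt" | tr -d ' '
}

# Constructed demo: a scratch directory with awkward names stands in for a tmpfs.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src"
printf 'one\n' > "$demo_dir/src/a b.txt"
printf 'two\n' > "$demo_dir/src/-dash.txt"
printf 'three\n' > "$demo_dir/src/"$'new\nline.txt'
collect_memfs "$demo_dir/src" "$demo_dir/out"   # prints 3
```

The copy is still a file-level collection, not a bit-for-bit image: slack space, deleted-but-open files and unlinked tmpfs pages are not captured, which is the limitation Jim acknowledges.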
2. Microsoft Azure Outage (Front Door Authentication)
[01:31]
- Incident Details:
- Microsoft Azure’s authentication service (“Front Door”) experienced an outage, making some services inaccessible to users.
- Direct impact on SANS systems, including exam access.
- Scope & Recovery:
- “A little bit more limited... one specific system that failed… authentication part” [01:35].
- Outage was being resolved as Johannes recorded the episode.
- DNS Rumors:
- Public speculation pointed to DNS; “I somewhat doubt that this was DNS related.” (02:06)
- Microsoft’s own notes don’t mention DNS as a cause.
- Comparison to AWS Outage:
- People conflated this with a recent AWS outage: “It was only Azure that was affected, not AWS.” (02:26)
- Down Detector spike for AWS likely due to social media chatter, not actual AWS service problems.
- Clarification:
Johannes emphasizes only Azure was affected.
3. Docker Compose Vulnerability and Patch
[02:42]
- Nature of the Vulnerability:
- Docker Compose could include remote “OCI artifacts” that result in files being created outside the designated project directory—violating containment expectations.
- Affected Tools:
- Docker Compose is also used by Docker Desktop and similar tools.
- Risk & Patch:
- “A patch was released. Exploitation is certainly likely…” [03:06]
- Especially risky since Compose is often used to build from third-party sources.
- Exploitation “pretty straightforward.” (03:19)
- Recommendation:
Immediate patching is advised for anyone using Docker Compose.
Notable Quotes & Memorable Moments
- On memory-only forensics:
“The problem now is that dd, your standard tool that you’re using to make sort of forensically sound copies of data… don’t work on these memory only file systems.” – Johannes B. Ullrich [00:37]
- On Azure outage rumors:
“I don’t see anything related to DNS in Microsoft’s notes here about this particular incident, so I somewhat doubt that this was DNS related.” – Johannes B. Ullrich [02:06]
- On Docker Compose vulnerability:
“This is certainly something that’s somewhat exploitable and should be patched. Also, exploitation at this point is pretty straightforward.” – Johannes B. Ullrich [03:17]
Timestamps for Major Segments
- [00:22] Memory-only filesystems forensics problem and Jim’s workaround
- [01:31] Azure “Front Door” authentication outage overview and industry context
- [02:42] Details and impact of the Docker Compose OCI artifact vulnerability
Episode Tone & Style
- Practical and succinct: Delivers up-to-date news with enough technical context for professionals.
- Listener-focused: Frequently references listener feedback, inviting further participation.
- Balanced: Avoids speculation, corrects misinformation (e.g., DNS rumors), and distinguishes facts from public perception.
For Listeners
- Further Reading/Participation: Listeners are encouraged to check out the SANS Internet Storm Center diary for more technical details and to suggest further solutions or improvements, particularly concerning forensics on memory-only filesystems.
- Action Items: Patch Docker Compose installations; check for Azure service accessibility if affected.
