
SANS Stormcast Tuesday, March 10th, 2026: Encrypted Client Hello; ExifTool Vulnerability
Hello and welcome to the Tuesday, March 10, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Today I noticed that last week two RFCs were published that, well, have been in the works for a while, and actually I thought they already had been published, but guess they were not. The first one is 9848, that's Bootstrapping TLS Encrypted Client Hello with DNS Service Bindings. And the second is 9849, TLS Encrypted Client Hello. So what this does is really it establishes a standard for encrypted TLS client hellos. This has been sort of an ongoing issue because it was sort of the one information leak that still existed in TLS as part of the client hello. The client typically will send, for example, the hostname of the client it's going to connect to, which of course does remove part of the anonymity, privacy that you expect from TLS. So with this extension it's now possible to encrypt the complete client hello. This also does prevent some fingerprinting, basically figuring out what browser or other client you may be using.

There has been, prior to this, a proposal for encrypted server name indication that basically just encrypts the host name being communicated during the client hello. But with this proposal now the entire client hello is being encrypted, or most of it. And that of course solves a bigger problem and really also is not any more complicated than just encrypting the server name. So that's why server name indication got kind of deprecated and we now only have the complete client hello encryption.

Now the trick with these client hello encryptions is that we somehow have to communicate the public key that's being then used for encryption, because the client hello is the first data packet being sent as part of a TLS handshake. That happens via DNS.
There are two DNS types that are being used here. One is HTTPS. That's the one that you are most likely going to see, because most likely you're going to see this used with HTTPS, and that's where the HTTPS type comes in. And then we also have the service binding type; that one is basically for any other TLS application, not HTTPS, that may take advantage of it. So yes, the standard is out there and it has already been implemented and used for a while. Actually, that's why I was a little bit surprised that the standard actually hadn't been released yet. Cloudflare, as so often, has been one of the frontrunners here when it comes to encrypted client hellos. And if you have a paid-for Cloudflare account, well, it's simply checking a checkbox and you have it enabled.

Now if you're looking at it from a detection point of view, of course it removes details from your network. You could suppress encrypted client hello if you're blocking these HTTPS or these SVCB records. With HTTPS, you will also lose HTTP/3 or QUIC, because that's also negotiated via these HTTPS records, and that's maybe something that you do want. So just blocking HTTPS records outright may be an option for you, but as so often, before you block stuff, you know, make sure that it's actually in line with whatever you need for your business.

And then we have a new vulnerability: ExifTool. ExifTool is a command line utility that usually comes on Unix systems that allows you to extract the EXIF data, basic comments and such that are being embedded in image formats. This can be a very useful tool, for example to extract things like geolocation information or other metadata from a particular image. But the tool has had issues in the past, and this latest vulnerability could potentially be used for command execution. So the scenario where this is particularly critical is where you do have, for example, a web application or such that processes EXIF data from user-submitted data and then, well, isn't doing so carefully enough.
In particular, here there is the -N option in ExifTool that does output data as it finds it. It doesn't sort of try to parse it. So when you're using that raw data mode, that will trigger this vulnerability. Kaspersky, who found the vulnerability, is in particular pointing out here that macOS systems are vulnerable because they come with the vulnerable version of ExifTool, and so far there hasn't been a patch. This has been a little bit of an issue with Macs in general, that they're using these open source tools, but then of course they only sort of have these somewhat irregular patch days where they then patch all the, well, recently discovered open source vulnerabilities. Let's hope, we're sort of expecting actually an update next week for macOS, that they'll include an update for ExifTool.

And for anybody self-hosting cloud services: if you're using Nextcloud Flow, I highly recommend you update. There is a vulnerable Windmill version in Nextcloud Flow that does leak the super admin secret, which, well, can then be used to basically authenticate as an administrator. This is part of the entire Windmill users config JSON file that's being leaked here. Now, a couple of things about the vulnerability announcement. It's fairly sparse, so not a lot of details here, and it doesn't really say exactly how it happens. The CVSS score of this is 8.8. In part it doesn't make it, sort of, into the critical range because it says that in order to exploit it the attack vector is adjacent, which in my opinion usually means you have to be in the same network segment. Now, without any additional details, I can't really question that. How this happens, maybe it's some kind of multicast DNS packet or so that leaks it. But I would be a little bit more careful here and definitely consider this a critical vulnerability.

Well, and this is it for today. So thanks for listening, thanks for liking and thanks for subscribing, and talk to you again tomorrow. Bye.
Date: March 10, 2026
Host: Johannes B. Ullrich
Episode Focus: Encrypted Client Hello & ExifTool Vulnerability
In this episode, Johannes B. Ullrich provides a concise update on key shifts in internet security, focusing on the recently standardized Encrypted Client Hello (ECH) for TLS and a critical vulnerability in ExifTool—an image metadata extraction tool. An additional advisory is given for Nextcloud Flow users regarding a serious Windmill component flaw.
RFC 9848 & RFC 9849 Published
Why It's Important
The ClientHello was the one remaining cleartext information leak in TLS: it carries the server name the client wants to reach and enough detail to fingerprint the browser or client. ECH encrypts the ClientHello (most of it), closing that leak and reducing fingerprinting. The earlier Encrypted SNI proposal only hid the server name; since encrypting the whole ClientHello is no harder, ESNI was dropped in favor of ECH.
How It Works
Because the ClientHello is the first packet of the handshake, the public key used to encrypt it must be published out of band. That happens in DNS: in HTTPS records for the common HTTPS case, and in SVCB records for other TLS applications.
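The DNS side of this, as an added example that is not code from the episode or from any project: the script below builds the wire form of an HTTPS record whose ech SvcParam carries an ECHConfigList in the RFC 9849 format (version 0xfe0d, HPKE key config, public name), parses it back, and shows a resolver-side filter that strips only the ech parameter so HTTP/3 stays negotiable. The public key bytes, the config_id 7 and the name ech-frontend.example are constructed placeholders, not a real deployment.

```python
"""Build and parse a DNS HTTPS record (RFC 9460) carrying an ECHConfigList (RFC 9849).
Added example, not from the Stormcast episode or any project; all key bytes, names
and identifiers below are constructed sample values."""
import struct

SVCPARAM_ALPN = 1
SVCPARAM_ECH = 5
ECH_VERSION = 0xFE0D              # ECHConfig.version of the RFC 9849 format
KEM_X25519_HKDF_SHA256 = 0x0020   # HPKE identifiers (RFC 9180)
KDF_HKDF_SHA256 = 0x0001
AEAD_AES_128_GCM = 0x0001


def encode_name(name):
    """Uncompressed DNS wire-format name; '.' encodes as a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_ech_config(config_id, public_key, public_name, max_name_len=0):
    """One ECHConfig (version 0xfe0d): HpkeKeyConfig, max name length, public_name, no extensions."""
    suites = struct.pack("!HH", KDF_HKDF_SHA256, AEAD_AES_128_GCM)
    key_config = (struct.pack("!BHH", config_id, KEM_X25519_HKDF_SHA256, len(public_key))
                  + public_key + struct.pack("!H", len(suites)) + suites)
    name = public_name.encode("ascii")
    contents = key_config + bytes([max_name_len, len(name)]) + name + struct.pack("!H", 0)
    return struct.pack("!HH", ECH_VERSION, len(contents)) + contents


def build_ech_config_list(configs):
    body = b"".join(configs)
    return struct.pack("!H", len(body)) + body


def build_https_rdata(priority, target, params):
    """HTTPS RDATA: SvcPriority, TargetName, then SvcParams in ascending key order."""
    out = struct.pack("!H", priority) + encode_name(target)
    for key, value in sorted(params):
        out += struct.pack("!HH", key, len(value)) + value
    return out


def split_https_rdata(rdata):
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    params, last_key = [], -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key:   # RFC 9460: keys must be strictly increasing, duplicates are malformed
            raise ValueError("SvcParams must be in strictly increasing key order")
        last_key = key
        params.append((key, rdata[off + 4:off + 4 + length]))
        off += 4 + length
    return priority, target, params


def parse_ech_config_list(blob):
    end = 2 + struct.unpack("!H", blob[:2])[0]
    off, configs = 2, []
    while off < end:
        version, length = struct.unpack("!HH", blob[off:off + 4])
        body = blob[off + 4:off + 4 + length]
        off += 4 + length
        if version != ECH_VERSION:   # unknown versions are skipped, not treated as errors
            configs.append({"version": version, "supported": False})
            continue
        config_id, kem_id, pk_len = struct.unpack("!BHH", body[:5])
        p = 5 + pk_len
        public_key = body[5:p]
        cs_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        suites = [struct.unpack("!HH", body[i:i + 4]) for i in range(p, p + cs_len, 4)]
        p += cs_len
        max_name_len, name_len = body[p], body[p + 1]
        configs.append({"version": version, "supported": True, "config_id": config_id,
                        "kem_id": kem_id, "public_key": public_key, "cipher_suites": suites,
                        "max_name_len": max_name_len,
                        "public_name": body[p + 2:p + 2 + name_len].decode("ascii")})
    return configs


def parse_https_rdata(rdata):
    priority, target, raw = split_https_rdata(rdata)
    params = dict(raw)
    alpn, v, i = [], params.get(SVCPARAM_ALPN, b""), 0
    while i < len(v):
        alpn.append(v[i + 1:i + 1 + v[i]].decode("ascii"))
        i += 1 + v[i]
    ech = parse_ech_config_list(params[SVCPARAM_ECH]) if SVCPARAM_ECH in params else None
    return {"priority": priority, "target": target, "alpn": alpn, "ech": ech}


def strip_ech(rdata):
    """Resolver-side filter: drop only the ech SvcParam, keep alpn (h3) and the rest."""
    priority, target, params = split_https_rdata(rdata)
    return build_https_rdata(priority, target, [(k, v) for k, v in params if k != SVCPARAM_ECH])


# Constructed sample: what a zone publishing ECH for HTTP/2 and HTTP/3 might serve.
SAMPLE_PUBLIC_KEY = bytes(range(32))   # placeholder, not a real X25519 key
SAMPLE_RDATA = build_https_rdata(1, ".", [
    (SVCPARAM_ALPN, b"\x02h2\x02h3"),
    (SVCPARAM_ECH, build_ech_config_list(
        [build_ech_config(7, SAMPLE_PUBLIC_KEY, "ech-frontend.example")])),
])

if __name__ == "__main__":
    print(parse_https_rdata(SAMPLE_RDATA))
    print(parse_https_rdata(strip_ech(SAMPLE_RDATA)))
```

Feeding the wire-form RDATA of a live HTTPS record into parse_https_rdata shows whether a domain publishes ECH keys and under which public name. strip_ech is the surgical alternative to blocking the record type outright: clients that get no ech parameter fall back to a plaintext ClientHello while still learning about h3. It only works for clients that use your resolver, and because it alters RDATA it will fail DNSSEC validation on validating clients.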
Adoption Status
ECH was implemented and in use well before the RFCs were published. Cloudflare has been a frontrunner; on a paid Cloudflare account it is enabled by checking a box.
Implications for Defenders
ECH removes ClientHello details from network visibility. Blocking HTTPS and SVCB records at the resolver suppresses it, but HTTPS records also carry the HTTP/3 and QUIC negotiation, so blocking them has side effects that should be weighed against business needs before acting.
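What a passive sensor still sees on the wire, as an added example that is not code from the episode or from any project: the script constructs a classic TLS 1.3 ClientHello and an ECH ClientHelloOuter, then inspects each the way a network parser would. The ECH extension code point 0xfe0d is the RFC 9849 value; the random, HPKE enc and payload bytes are zeroed placeholders, and the hostnames are constructed.

```python
"""Inspect TLS ClientHello messages for SNI and the ECH extension (RFC 9849).
Added example, not from the Stormcast episode or any project; the ClientHellos
below are constructed with dummy random, key and payload bytes."""
import struct

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D           # encrypted_client_hello extension code point (RFC 9849)
ECH_OUTER, ECH_INNER = 0, 1


def ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def sni_ext(hostname):
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name(0)
    return ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def ech_outer_ext(config_id, enc, payload):
    """ClientHelloOuter ECH extension: type, HPKE cipher suite, config_id, enc, payload."""
    body = (bytes([ECH_OUTER]) + struct.pack("!HH", 0x0001, 0x0001) + bytes([config_id])
            + struct.pack("!H", len(enc)) + enc + struct.pack("!H", len(payload)) + payload)
    return ext(EXT_ECH, body)


def client_hello(extensions):
    """Wrap extensions in a ClientHello, Handshake header and TLS record (TLS 1.3 shape)."""
    body = (b"\x03\x03" + bytes(32)               # legacy_version, random (zeroed sample)
            + b"\x00"                             # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # legacy_compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def inspect_client_hello(record):
    """Return the plaintext fields a sensor can read: SNI, ECH presence/type, extension list."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    p += 1 + hs[p]                                  # compression methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    info = {"sni": None, "ech": None, "ech_config_id": None, "extensions": []}
    while p < end:
        t, l = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + l]
        p += 4 + l
        info["extensions"].append(t)
        if t == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii")
        elif t == EXT_ECH:
            info["ech"] = "outer" if data[0] == ECH_OUTER else "inner"
            if data[0] == ECH_OUTER:
                info["ech_config_id"] = data[5]    # matches config_id of the DNS-published ECHConfig
    return info


def sni_is_destination(info):
    """With an outer ECH extension the visible SNI is only the ECH public_name (the
    fronting name), not the host the client actually asked for."""
    return info["sni"] is not None and info["ech"] is None


# Constructed samples: a classic ClientHello and an ECH ClientHelloOuter for the same
# service, fronted by the public name ech-frontend.example.
PLAIN_HELLO = client_hello(sni_ext("secret-app.example"))
ECH_HELLO = client_hello(sni_ext("ech-frontend.example")
                         + ech_outer_ext(7, bytes(32), bytes(64)))

if __name__ == "__main__":
    for label, rec in (("plain", PLAIN_HELLO), ("ech", ECH_HELLO)):
        info = inspect_client_hello(rec)
        print(label, info["sni"], info["ech"], "sni trustworthy:", sni_is_destination(info))
```

The detection takeaway: once extension 0xfe0d is present, the SNI your sensor logs is the ECH public name shared by every site behind that front, so SNI-based allow lists and hostname logging only describe the fronting service. The config_id in the outer extension is the only link back to the ECHConfig the client got from DNS.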
ExifTool Vulnerability
Background and Use Cases
ExifTool is a command line utility, common on Unix systems, that extracts EXIF data, comments and other metadata embedded in image formats, for example geolocation information. It has had security issues in the past.
Nature of Vulnerability
The latest flaw could potentially be used for command execution. It is triggered through the -N (raw data mode) option, which outputs data as found, without parsing, and is most critical where a web application runs ExifTool over user-submitted files without sufficient care.
Platform Risk
Kaspersky, who found the vulnerability, points out that macOS ships the vulnerable ExifTool version and no patch is available yet. Apple only updates bundled open source tools on irregular patch days.
Update Expectations
A macOS update is expected next week; the hope is that it includes a fixed ExifTool.
Nextcloud Flow Windmill Vulnerability
Description & Impact
A vulnerable Windmill version in Nextcloud Flow leaks the super admin secret as part of the entire Windmill users_config.json file, enabling attackers to authenticate as administrators. Anyone self-hosting Nextcloud Flow should update.
Severity and Vector
CVSS 8.8, kept out of the critical range in part because the attack vector is rated adjacent, which usually implies an attacker on the same network segment. The advisory is sparse and does not explain how the leak occurs.
Expert Caution
Without details on the leak mechanism (multicast DNS is one speculation), Ullrich recommends being more careful and treating this as a critical vulnerability.
| Timestamp | Topic |
|-----------|-------|
| 00:30 | Introduction to new RFCs for TLS ECH |
| 01:15 | Privacy improvements; fingerprinting |
| 02:05 | Technical mechanics: DNS role in ECH |
| 02:45 | Cloudflare deployment & user activation |
| 03:10 | Detection/blocking and business impact |
| 04:08 | ExifTool background and vulnerability |
| 04:35 | macOS risk and patching |
| 05:28 | Nextcloud Flow Windmill vulnerability |
| 05:45 | Vulnerability details, exploitation risk |