
SANS Internet StormCast
SANS Stormcast Friday, December 12th, 2025: Local AI Models; Mystery Chrome 0-Day; SOAPwn Attack
AI Summary
The episode covers three main topics: running the Gemma 3 AI model locally on modest hardware, a newly patched but undisclosed Chrome zero‑day vulnerability, and the SOAPwn flaw that lets attackers exploit .NET SOAP services via malicious file:// URLs. Guy Bruneau’s diary demonstrates how to install Gemma 3 on a single‑CPU mini‑PC using Proxmox, highlighting practical steps and pitfalls. The Chrome issue underscores the importance of timely updates despite limited public details, while the SOAPwn research reveals a critical misuse of .NET’s HTTP handling that can lead to arbitrary file writes or remote code execution, especially in poorly coded APIs. Listeners are urged to keep browsers patched and review .NET SOAP implementations for this weakness.
Episode Description
Using AI Gemma 3 Locally with a Single CPU
https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
Show Notes
SANS Stormcast – Friday, December 12, 2025
Handler on Duty: Guy Bruneau – Threat Level: green
Topics Covered
- Using AI Gemma 3 Locally with a Single CPU – Installing AI models on modest hardware can be useful for on‑premise experimentation.
  https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556
- “Mystery” Google Chrome 0‑Day Vulnerability – Google released a Chrome update fixing an actively‑exploited vulnerability that has not yet been assigned a CVE.
  https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
- SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies and WSDL – WatchTowr identified a common weakness in SOAP implementations on .NET that can lead to arbitrary file writes or remote code execution.
  https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
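As an added defensive illustration (not code from the WatchTowr write-up or from any .NET project), the following helper validates a SOAP endpoint URL taken from configuration or a WSDL before it reaches the .NET request factory, so that only absolute http/https URLs are ever passed on and a file:// or UNC value is rejected up front. The class and method names, the allowlist policy and the sample inputs are assumptions constructed for this example.

```csharp
using System;
using System.Net;

// Added example: allowlist an endpoint URL before .NET selects a request class for it.
public static class EndpointGuard
{
    // Assumed policy: a SOAP/HTTP call may only ever target these schemes.
    private static readonly string[] AllowedSchemes = { Uri.UriSchemeHttp, Uri.UriSchemeHttps };

    // Returns a validated Uri, or throws with a reason the caller can log and alert on.
    public static Uri ValidateServiceEndpoint(string candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate))
            throw new ArgumentException("Endpoint URL is empty.");

        // Require an absolute URI so relative or bare paths are never resolved implicitly.
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out Uri uri))
            throw new ArgumentException("Endpoint URL is not an absolute URI: " + candidate);

        // Reject file://, UNC paths and any scheme outside the allowlist (Uri.Scheme is lowercase).
        if (uri.IsFile || uri.IsUnc || Array.IndexOf(AllowedSchemes, uri.Scheme) < 0)
            throw new ArgumentException("Endpoint scheme not permitted: " + uri.Scheme);

        return uri;
    }

    // Wrapper the application calls instead of WebRequest.Create(string) directly.
    public static HttpWebRequest CreateSoapRequest(string endpointFromConfig)
    {
        Uri safe = ValidateServiceEndpoint(endpointFromConfig);
        // With default prefix registration, an http/https Uri yields an HttpWebRequest.
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(safe);
        request.Method = "POST";
        request.ContentType = "text/xml; charset=utf-8";
        return request;
    }

    public static void Main()
    {
        // Constructed sample inputs: the first should pass, the remaining two should be denied.
        string[] samples = { "https://soap.example.test/Service.asmx",
                             "file:///C:/Temp/not-a-service.txt",
                             @"\\fileserver\share\svc" };
        foreach (string s in samples)
        {
            try { Console.WriteLine("OK   " + ValidateServiceEndpoint(s)); }
            catch (ArgumentException e) { Console.WriteLine("DENY " + e.Message); }
        }
    }
}
```

Routing every endpoint string through a single validator also gives one place to log rejected values, which is a useful detection signal for tampered configuration or WSDL documents.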
Podcast Transcript
Hello and welcome to the Friday December 12th, 2025 edition of the
SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich,
recording today from Jacksonville, Florida. And this episode is
brought to you by the SANS.edu Graduate Certificate Program in
Cybersecurity Engineering.
AI, of course, is the big issue that everybody is worried about and
playing with these days. And well, as a first touch point, you
usually just use one of the public models like ChatGPT and such to
get a little bit of experience with what these tools can do. But it
can be quite intimidating to go a step further and try to run some
of these models locally and play sort of in a more intimate
atmosphere with these particular models.
Well, Guy now wrote up a quick diary showing how to install Gemma 3
on a reasonably small home computer. In this particular case, he
used one of the new Horizon chips and one of those mini computers
that have become quite popular these days for home labs and shows
a couple of the pitfalls here, some of the problems that he ran
into trying to make this all run in the Proxmox virtualization
environment and how to configure it. And then in the end, also how
to use these tools. Certainly an interesting experiment and something
that gives you a little bit more insight into how these tools sort of
work on the backend.
And then we do have an update for Chrome with yet another already
exploited vulnerability being addressed here. This vulnerability
was, well, described a little bit as a “mystery” vulnerability and
it’s certainly odd in that there is no CVE number for it. There’s
absolutely no detail about what it is. Google usually provides a
one‑liner describing the issue, but here it just says it’s “under
coordination.” What I believe is happening is that this
vulnerability likely affects not just Chrome but possibly other
browsers or underlying libraries. They probably need to coordinate
with other vendors before releasing more details and assigning a
CVE. No reporter is identified, so we’ll have to wait for more
information – keep Chrome updated.
We also had a couple of SOAP‑related stories this week. WatchTowr
Labs published a new article – SOAPwn (or SOAP Pwn, however you
pronounce it) – a must‑read for anyone developing in .NET and for
penetration testers. The problem is a fundamental weakness in how
.NET handles HTTP/URL requests. If an attacker can control the URL
a user connects to and that URL starts with file://, .NET’s
different request‑handling classes can be confused, leading to
arbitrary file writes or even remote code execution. WatchTowr
demonstrates a proof‑of‑concept exploit against a Barracuda system.
It’s exploitable, but the impact depends on how developers have
implemented their APIs. Microsoft says it’s more a user error than a
framework bug, but the issue remains.
Finally, we received a CISA report summarizing recent activity by
pro‑Russian hacktivists. While hacktivists aren’t necessarily
state‑sponsored, they target both global critical infrastructure (e.g.,
power systems) and smaller manufacturers that may lack mature IT
and security programs. If you run a manufacturing environment with
remotely accessible sensors or production‑line controls, this
report is worth reviewing.
That’s it for today. Thanks for listening, for liking, subscribing,
and for the comments left in Apple’s podcast app. Talk to you again
on Monday. Bye.