
SANS Internet StormCast
The episode opens with a deep dive into TLS, not the familiar Transport Layer Security, but Thread Local Storage. This mechanism lets attackers inject environment variables into executables and DLLs, triggering code before the main entry point runs. Because the payload resides in what appears to be benign configuration data, traditional static analysis often misses it. Security researchers and reverse engineers are urged to expand their tooling to inspect TLS callbacks, especially when dissecting Windows malware that leverages DLL entry points.
A critical vulnerability in FreeBSD is highlighted, where IPv6 router advertisements are processed even on systems without IPv6 enabled. Maliciously crafted domain strings in the DNS search list are passed to shell scripts without validation, granting arbitrary code execution to any network‑adjacent attacker. The flaw directly impacts popular firewall distributions such as OPNsense and pfSense, both of which have released patches or configuration work‑arounds. Administrators are advised to apply updates promptly and consider enabling router‑advertisement guard on managed switches to restrict unsolicited advertisements to trusted routers only.
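As an added illustration of the missing validation described above (not code from FreeBSD, the advisory, or the podcast): a C routine that decodes the domain list of an RFC 8106 DNSSL option and rejects any name containing bytes outside a hostname allow-list, so nothing else can reach a script. The function names, the allow-list and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Allow-list for label bytes (an assumption of this example): anything else
 * (';', '$', quotes, spaces, backticks, ...) gets the name rejected. */
static int label_char_ok(uint8_t c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/* Decode one uncompressed DNS wire-format name starting at buf[*pos] into
 * dotted text. Returns 1 = name decoded, 0 = padding/end, -1 = reject. */
int dnssl_next_name(const uint8_t *buf, size_t len, size_t *pos,
                    char *out, size_t outsz)
{
    size_t o = 0;
    if (*pos >= len || buf[*pos] == 0)
        return 0;
    while (*pos < len) {
        uint8_t l = buf[(*pos)++];
        if (l == 0) { out[o] = '\0'; return 1; }   /* root label: done */
        if (l > 63 || l > len - *pos || o + l + 2 > outsz)
            return -1;      /* compression pointer, truncation, overflow */
        if (o > 0) out[o++] = '.';
        for (uint8_t i = 0; i < l; i++) {
            uint8_t c = buf[(*pos)++];
            if (!label_char_ok(c)) return -1;
            out[o++] = (char)c;
        }
    }
    return -1;              /* ran off the end without a root label */
}

/* Returns the number of names in the list, or -1 to drop the whole option. */
int dnssl_validate(const uint8_t *names, size_t len)
{
    char name[256];
    size_t pos = 0;
    int n = 0, r;
    while ((r = dnssl_next_name(names, len, &pos, name, sizeof name)) == 1)
        n++;
    return r < 0 ? -1 : n;
}

/* Constructed samples: the name list that follows the 8-byte option header. */
static const uint8_t SAMPLE_OK[]  = "\x07" "example" "\x03" "com" "\0" "\x03" "lan";
static const uint8_t SAMPLE_BAD[] = "\x03" "lan" "\0" "\x05" "x;y z";
```

Rejecting the whole option on the first bad name, rather than trying to quote or escape it, keeps the consumer of the list free of any shell-quoting logic.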
The final segment covers the unexpected outage at NIST’s Boulder time‑server facility caused by prolonged generator use during high‑wind events. While redundancy across Colorado and Maryland sites prevents a total loss of service, the incident underscores the fragility of single‑point time sources. Practitioners should avoid relying exclusively on NIST servers and instead synchronize with a diversified pool of NTP servers, such as the public NTP pool project. This broader lesson reinforces the need for resilient infrastructure design across all critical internet services.
DLLs & TLS Callbacks
https://isc.sans.edu/diary/DLLs%20%26%20TLS%20Callbacks/32580
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
https://tf.nist.gov/tf-cgi/servers.cgi
https://groups.google.com/a/list.nist.gov/g/internet-time-service/c/o0dDDcr1a8I