SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, May 7th, 2026: .DE DNSSEC Fail; PAN OS 0-Day Patched;

6 min
May 7, 2026
Summary

This episode covers a critical DNSSEC failure affecting Germany's .de domain that caused widespread DNS resolution outages, a pre-authentication buffer overflow vulnerability in Palo Alto Networks PAN OS being actively exploited, and Google's May Android security updates with only one critical vulnerability listed.

Insights
  • DNSSEC's complexity and fail-closed design, while security-focused, creates denial-of-service risks that may outweigh spoofing threats, as evidenced by Cloudflare's decision to disable validation during the .de outage
  • Pre-authentication vulnerabilities in enterprise security appliances are particularly critical because attackers can exploit them before user credentials are validated
  • Google's shift to only publicly disclosing 'critical' Android vulnerabilities suggests a filtering approach that may obscure the true patch volume and security landscape
  • Key rotation procedures in cryptographic systems remain error-prone despite being well-established, indicating operational complexity in infrastructure management
  • Organizations exposing authentication portals publicly must assume compromise and patch immediately when critical vulnerabilities are disclosed
Trends
  • Pre-authentication vulnerabilities in enterprise security devices becoming active exploitation targets
  • DNSSEC implementation challenges highlighting tension between security robustness and service availability
  • Selective vulnerability disclosure practices by major vendors reducing transparency in security patch information
  • Increased reliance on fail-open mechanisms during critical infrastructure failures to maintain service continuity
  • End-of-life cycles for mobile OS versions creating security gaps for users unable to upgrade
Topics
  • DNSSEC key rotation failures
  • DNS infrastructure outages
  • Pre-authentication buffer overflow vulnerabilities
  • Palo Alto Networks PAN OS security
  • User ID authentication portal security
  • CVSS severity scoring
  • Active exploitation of unpatched vulnerabilities
  • Android security updates and patch management
  • Mobile OS end-of-life support cycles
  • Vulnerability disclosure practices
  • Fail-closed vs fail-open security mechanisms
  • Enterprise security appliance hardening
  • DNS spoofing threats
  • Cryptographic key management
  • Incident response and compromise assessment
Companies
Palo Alto Networks
PAN OS pre-authentication buffer overflow vulnerability (CVSS 9.3) actively exploited in targeted attacks
Cloudflare
Disabled DNSSEC validation on resolvers during .de domain outage to restore service availability
Google
Released May Android security updates with selective vulnerability disclosure; Android 13 reached end-of-life
SANS
Podcast host organization; episode sponsored by SANS.edu undergraduate certificate program
People
Johannes Ullrich
Hosted the episode from Jacksonville, Florida; discussed DNSSEC complexity and enterprise vulnerability management
Quotes
"Well, it's not DNS. There is no way it's DNS. And in the end, it was DNS."
Johannes Ullrich, opening segment
"DNSSEC, I think, is an example where it went the other way around. And as a result, it's a pretty complex protocol, lots of moving parts, lots of things that can go wrong."
Johannes Ullrich, DNSSEC discussion
"One of the big problems with DNSSEC is that it easily results in denial of service. And yes, there are threats with spoofing of DNS responses, but they're in some ways a lesser issue."
Johannes Ullrich, DNSSEC analysis
"If you must expose your user ID authentication portal to the public... well, in that case definitely patch quickly, assume compromise at this point."
Johannes Ullrich, PAN OS vulnerability guidance
Full Transcript
Hello and welcome to the Thursday, May 7th, 2026 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in cybersecurity fundamentals. Well, it's not DNS. There is no way it's DNS. And in the end, it was DNS. This good old DNS haiku again became true yesterday with the .de, the German country top-level domain. Apparently, what happened here was a DNSSEC issue. DNSSEC, as I have often said, is one of those protocols that, well, they actually let the security people develop the protocol. You always complain that protocols aren't secure enough because security people never sort of get a say in the development until it's too late. Well, DNSSEC, I think, is an example where it went the other way around. And as a result, it's a pretty complex protocol, lots of moving parts, lots of things that can go wrong. And then, well, in the sense of good security, if it goes wrong, it usually just stops working. So it's one of those, you know, fail-closed kind of systems.

And that's kind of what happened here with the zone. The problem apparently was key rotation. Like with all cryptographic systems, you need to rotate your keys every so often, which then also means that you need to change signatures. Well, DNSSEC has a mechanism for this where you first basically make a new key live: you advertise the new key, and the old key remains valid and also remains accessible, but then you start updating signatures. Apparently something here went wrong. They haven't really released any details yet as to what went wrong, whether they made the key live too late or whether they signed the new data too early with the new key. That's really not available yet, what exactly happened here, but the end result was that if you tried to go to a .de website for several hours last night, well, you couldn't resolve it. Now, Cloudflare took an interesting step in disabling DNSSEC validation on its servers. So they basically then flipped the fail-open kind of switch here and decided that, well, DNSSEC is not really important enough, that you'd rather want to go to the website and take the risk of maybe having some DNSSEC information or DNS information spoofed. Interesting event, and certainly here also Cloudflare's behavior, which is reasonable, it's understandable, but of course kind of tells you that one of the big problems with DNSSEC is that it easily results in denial of service. And yes, there are threats with spoofing of DNS responses, but they're in some ways a lesser issue. And then, well, back to sort of our normal diet of vulnerable enterprise security devices that are already being exploited. This time, it's Palo Alto's PAN OS that is vulnerable. It affects the user ID authentication portal, which makes this particular buffer overflow vulnerability specifically serious because, well, you go to the user ID authentication portal when you're not yet authenticated. So this is a pre-authentication buffer overflow vulnerability that does allow for the execution of arbitrary code.

They're rating it with a severity of 9.3 on the CVSS scale. Patches are available, but Palo Alto also states that this vulnerability has already been exploited in, as usual, some limited targeted attacks. So if you must expose your user ID authentication portal to the public, and there may be good reasons for it, after all it is the authentication part of your enterprise sort of security stack here, well, in that case definitely patch quickly, assume compromise at this point, and, well, consult with Palo Alto for any details like indicators of compromise or other help that they may be willing to provide you. And we also got the monthly patches for Android from Google. Interestingly, only one critical vulnerability here listed, no other vulnerabilities at all. And if you wonder if that's because, well, Google took care of all the other vulnerabilities now and we are left only with one vulnerability a month: Google actually stated a month or so ago that they're only going to list vulnerabilities that they consider, well, critical enough to be made known. So there may be other patches that are included in this update that are not publicly announced like this. Also, Android 13, as of two months ago, has officially reached sort of its end of life, so you'll no longer get any patches for Android 13 or any details on whether or not some of these vulnerabilities apply to Android 13. Well, and that's it for today. Thanks for listening. Thanks for liking. Thanks for any comments. And as always, talk to you again tomorrow. Bye.
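The pre-publish key rollover the host describes, as an added worked example that is not part of the podcast and not tooling from DENIC, Cloudflare or anyone involved in the incident: integer key tags stand in for DNSKEY and RRSIG records, each rollover step is checked against a resolver that just refreshed its DNSKEY RRset and one still serving a cached copy, and fail_closed=False models switching validation off. The key tags, step sequences and the two mis-orderings are constructed assumptions, not details of what actually happened to .de.

```python
"""Toy model of a DNSSEC pre-publish key rollover (constructed example).
Keys are plain integer key tags; no real DNSKEY/RRSIG records are parsed.
A validating resolver is modelled fail-closed: zone data signed by a key tag
absent from the DNSKEY RRset it holds yields SERVFAIL. fail_closed=False is
the "validation switched off" path Cloudflare chose during the .de outage."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneState:
    dnskeys: frozenset   # key tags published in the zone's DNSKEY RRset
    signers: frozenset   # key tags used in the RRSIGs over the zone data


def state(dnskeys, signers):
    return ZoneState(frozenset(dnskeys), frozenset(signers))


def resolver_outcome(trusted_keys, signers, fail_closed=True):
    """Answer of one resolver, given the DNSKEY RRset it currently holds."""
    if signers - trusted_keys and fail_closed:
        return "SERVFAIL"
    return "OK"


def simulate(steps, fail_closed=True):
    """Walk the rollover. Each step checks two resolvers: one that just fetched
    the current DNSKEY RRset and one still holding the previous step's RRset in
    cache (DNSKEY TTL not expired). A step is OK only if both validate."""
    outcomes, previous = [], steps[0].dnskeys
    for st in steps:
        fresh = resolver_outcome(st.dnskeys, st.signers, fail_closed)
        stale = resolver_outcome(previous, st.signers, fail_closed)
        outcomes.append("OK" if fresh == stale == "OK" else "SERVFAIL")
        previous = st.dnskeys
    return outcomes


OLD, NEW = 11111, 22222   # constructed key tags, not the real .de keys
# Correct pre-publish order: publish new key, wait a TTL, re-sign, wait a TTL, retire old.
CORRECT = [state({OLD}, {OLD}), state({OLD, NEW}, {OLD}),
           state({OLD, NEW}, {NEW}), state({NEW}, {NEW})]
# Re-signing with the new key before cached DNSKEY RRsets could expire.
SIGNED_TOO_EARLY = [state({OLD}, {OLD}), state({OLD, NEW}, {NEW}), state({NEW}, {NEW})]
# Retiring the old key while RRSIGs made with it are still being served.
RETIRED_TOO_EARLY = [state({OLD}, {OLD}), state({OLD, NEW}, {OLD}), state({NEW}, {OLD})]

if __name__ == "__main__":
    for name, steps in (("correct", CORRECT), ("signed too early", SIGNED_TOO_EARLY),
                        ("retired too early", RETIRED_TOO_EARLY)):
        print(f"{name:18} closed={simulate(steps)} open={simulate(steps, False)}")
```

Both mis-orderings produce a SERVFAIL step only in the fail-closed run; with validation off every step answers OK, which is the availability-for-integrity trade the episode discusses.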