All posts by David

ISC Releases BIND Security Updates

This post was originally published on this site

Original release date: June 19, 2019

The Internet Systems Consortium (ISC) has released updates that address a vulnerability in versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit this vulnerability to cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ISC advisory for CVE-2019-6471 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Multiple Products


Original release date: June 19, 2019

Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following advisories and apply the necessary updates:



Oracle Releases Security Advisory for WebLogic


Original release date: June 19, 2019

Oracle has released a security alert to address a vulnerability in WebLogic. A remote attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Oracle Security Alert and apply the necessary updates.



Samba Releases Security Updates


Original release date: June 19, 2019

The Samba Team has released security updates to address vulnerabilities in Samba 4.9 and all versions of Samba from 4.10 onward. An attacker could exploit these vulnerabilities to cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcements for CVE-2019-12435 and CVE-2019-12436 and apply the necessary updates.



DHS Email Phishing Scam


Original release date: June 18, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications. The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert and lure targeted recipients into downloading malware through a malicious attachment.

CISA encourages users and administrators to take the following actions to avoid becoming a victim of social engineering and phishing attacks:

  • Be wary of unsolicited emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization’s helpdesk or search the internet for the main website of the organization or topic mentioned in the email).
  • Use caution with email links and attachments without authenticating the sender. CISA will never send NCAS notifications that contain email attachments.
  • Immediately report any suspicious emails to your information technology helpdesk, security office, or email provider.


Mozilla Releases Security Updates for Firefox and Firefox ESR


Original release date: June 18, 2019

Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates.



dead I/O on igb-nic (ESXi 6.7)


Hi,


I’m running a homelab with ESXi 6.7 (13006603). I got three nics in my host, two are onboard and one is an Intel ET 82576 dual-port pci-e card. All nics are assigned to the same vSwitch; actually only one is connected to the (physical) switch atm.

When I’m using one of the 82576 nics and put heavy load on it (like backing up VMs via Nakivo B&R) the nic stops working after a while and is dead/not responding anymore. Only a reboot of the host or (much easier) physically reconnecting the nic (cable out, cable in) solves the problem.

I was guessing there is a driver issue, so I updated to the latest driver by intel:

[root@esxi:~] /usr/sbin/esxcfg-nics -l
Name    PCI          Driver      Link Speed      Duplex MAC Address       MTU    Description
vmnic0  0000:04:00.0 ne1000      Down 0Mbps      Half   00:25:90:a7:65:dc 1500   Intel Corporation 82574L Gigabit Network Connection
vmnic1  0000:00:19.0 ne1000      Up   1000Mbps   Full   00:25:90:a7:65:dd 1500   Intel Corporation 82579LM Gigabit Network Connection
vmnic2  0000:01:00.0 igb         Down 0Mbps      Half   90:e2:ba:1e:4d:c6 1500   Intel Corporation 82576 Gigabit Network Connection
vmnic3  0000:01:00.1 igb         Down 0Mbps      Half   90:e2:ba:1e:4d:c7 1500   Intel Corporation 82576 Gigabit Network Connection
[root@esxi:~] esxcli software vib list|grep igb
net-igb                        5.2.5-1OEM.550.0.0.1331820            Intel   VMwareCertified   2019-06-16
igbn                           0.1.1.0-4vmw.670.2.48.13006603        VMW     VMwareCertified   2019-06-07

Unfortunately this didn’t solve the problem.

However … this behaviour doesn’t occur when I’m using one of the nics using the ne1000 driver.


Any idea how to solve the issue?

(… or at least dig down to its root?)

Thanks a lot in advance.

Regards

Chris

PS: I found another thread which might be connected to my problem: Stopping I/O on vmnic0. Same system behaviour, same driver.

AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability


Original release date: June 17, 2019

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows Operating Systems (OSs), including both 32- and 64-bit versions, as well as all Service Pack versions:

  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

An attacker can exploit this vulnerability to take control of an affected system.

Technical Details

BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.

According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled.[1] After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful.

BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.[2]

CISA tested BlueKeep against a Windows 2000 machine and achieved remote code execution. Windows OS versions prior to Windows 8 that are not mentioned in this Activity Alert may also be affected; however, CISA has not tested these systems.

Mitigations

CISA encourages users and administrators to review the Microsoft Security Advisory [3] and the Microsoft Customer Guidance for CVE-2019-0708 [4] and apply the appropriate mitigation measures as soon as possible:

  • Install available patches. Microsoft has released security updates to patch this vulnerability. Microsoft has also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation.
  • Upgrade end-of-life (EOL) OSs. Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
  • Disable unnecessary services. Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.
  • Enable Network Level Authentication. Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.
  • Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.
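Checking a host against those points from the inside, as an added example that is not part of the alert: it reads the registry values behind the RDP and NLA settings on Windows 7 / Server 2008 R2, reports the patch and host-firewall state, and with -Fix turns NLA on. $PatchKB is a placeholder, since the alert itself does not carry the KB number.

```powershell
# Added example, not from the CISA alert: audit one Windows 7 / Server 2008 R2 host
# against the mitigations listed above (patch present, NLA required, RDP exposed) and,
# with -Fix, enable NLA. $PatchKB is a placeholder: take the real KB number for
# CVE-2019-0708 from the Microsoft advisory the alert points to.
param([string]$PatchKB = 'KB-PLACEHOLDER', [switch]$Fix)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means NLA is required before a session is created, which is
# the setting the alert relies on: BlueKeep needs an unauthenticated session.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
$patched     = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

$os = (Get-WmiObject -Class Win32_OperatingSystem).Caption
Write-Output ("{0}: RDP enabled={1}  NLA required={2}  {3} installed={4}" -f `
    $os, $rdpEnabled, $nlaRequired, $PatchKB, $patched)

if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP accepts unauthenticated session requests: reachable by BlueKeep until patched.'
    if ($Fix) {
        # Same change as the alert's "Enable Network Level Authentication" step, done via WMI.
        $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
              -Filter "TerminalName='RDP-Tcp'"
        [void]$ts.SetUserAuthenticationRequired(1)
        Write-Output 'NLA now required; clients must support CredSSP to reconnect.'
    }
}
if (-not $patched) {
    Write-Warning "$PatchKB not found: NLA reduces exposure, but the alert's first step is the patch."
}
# Host-firewall view of the TCP 3389 rule; the alert additionally wants it blocked at the perimeter.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" | Select-String 'Enabled|LocalPort'
```

Run it from an elevated PowerShell prompt; without -Fix it only reports, so it can be pushed to a fleet as a read-only inventory pass first.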

References

Revisions

  • June 17, 2019: Initial version


Removing ‘HD Audio’ from VM


Hi


I have received a VM running some sensitive software (changes to MAC address, IP address, or Windows settings are not good).

The VM was originally created on VMware Workstation and then imported into a 6.x ESXi/vCenter environment (now running 6.7).

vSphere is now complaining when trying to migrate – “Virtual Machine is configured to use a device that prevents the operation: Device ‘HD Audio’…”

I want to remove the device but the ‘HD Audio’ device cannot be removed under VM Settings (since it’s not supported on vSphere).

I have read that you can delete it directly from the .vmx-file by removing:

sound.autoDetect = "TRUE"
sound.virtualDev = "hdaudio"
sound.fileName = "-1"
sound.present = "TRUE"
sound.pciSlotNumber = "35"

Now for my question: can I just shut down the VM, connect to the ESXi host via SSH and edit the .vmx-file, and then it will apply at power-on?

Or do I have to first unregister the VM from the inventory and then subsequently re-register it? (and will this operation make changes to MAC-address etc.?!?)


Regards,

Soren
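One way to make that edit with a safety check, as an added example that is not from the thread or from VMware: it strips the sound.* lines from a copy of the .vmx on an admin workstation and verifies that the identity-carrying keys (MAC address, UUIDs) are unchanged before the file goes back to the datastore. The path is a placeholder, and the identity key names are assumed to be the usual vSphere ones.

```powershell
# Added example, not from the thread: remove the HD Audio device from a .vmx copied off
# the datastore, then prove the identity-carrying keys the poster is worried about
# (MAC address, UUIDs) are unchanged. $VmxPath is a placeholder.
param([string]$VmxPath = 'C:\work\sensitive-vm.vmx')

# Assumed: the usual vSphere key names that pin a guest's MAC address and UUIDs.
$identityKeys = 'ethernet0.address', 'ethernet0.generatedAddress', 'uuid.bios', 'uuid.location'

function Read-VmxKeys([string[]]$Lines) {
    # A .vmx is a flat key = "value" file; index every key so before/after can be compared.
    $map = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=\s]+)\s*=\s*"(.*)"\s*$') { $map[$matches[1]] = $matches[2] }
    }
    return $map
}

$original = @(Get-Content -Path $VmxPath)
# The five keys the post lists all start with "sound."; dropping that prefix removes the device.
$cleaned  = @($original | Where-Object { $_ -notmatch '^\s*sound\.' })

$before = Read-VmxKeys $original
$after  = Read-VmxKeys $cleaned

$leftover = @($after.Keys | Where-Object { $_ -like 'sound.*' })
if ($leftover.Count -gt 0) { throw "sound.* keys still present: $($leftover -join ', ')" }

# Fail loudly if anything that could change the guest's identity was touched or lost.
foreach ($k in $identityKeys) {
    if ($before.ContainsKey($k) -and $before[$k] -ne $after[$k]) { throw "$k changed" }
}
Write-Output ("Removed {0} sound.* line(s); {1} of {2} keys kept." -f `
    ($original.Count - $cleaned.Count), $after.Count, $before.Count)

# Write next to the original; copy it over the datastore .vmx only with the VM powered off.
Set-Content -Path "$VmxPath.cleaned" -Value $cleaned -Encoding ASCII
```

Once the cleaned file is in place, `vim-cmd vmsvc/reload <vmid>` on the host makes ESXi re-read the .vmx of a still-registered VM (`vim-cmd vmsvc/getallvms` lists the ids).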