Friday, April 26, 2024

Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)

  1. Upgrade your Cisco ASA to one of the fixed releases below, picking the train your ASA model is supported on:
    9.16.4.57
    9.18.4.22
    9.20.2.10
  2. Check your firewall logs or SIEM for any hits on the IOC IP addresses.
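Added example, not from the original post: a small Python helper that reads the version out of an ASA "show version" banner line (9.16(4)57) or the dotted form used above (9.16.4.57) and reports whether it is at or above the fixed release for its train. The hostnames in the sample run are made up, and trains the post does not list are reported as unknown rather than guessed.

```python
import re

# Fixed releases named in the post, keyed by release train.
# Versions are compared as (major, minor, maintenance, interim) tuples.
FIXED_RELEASES = {
    (9, 16): (9, 16, 4, 57),
    (9, 18): (9, 18, 4, 22),
    (9, 20): (9, 20, 2, 10),
}

# Accepts the dotted form used in the post (9.16.4.57) and the bracketed form
# the ASA prints in "show version" (9.16(4)57); the interim number is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)[.(](\d+)[.)]?(\d+)?")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) from a version string or a
    whole 'show version' banner line. A missing interim number counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def asa_fix_status(text):
    """'fixed' if the version is at or above the post's fixed release for its
    train, 'vulnerable' if below it, 'unknown-train' for trains the post does
    not list (check the Cisco advisory for those rather than guessing)."""
    version = parse_asa_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown-train"
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed banner lines in the layout of the first line of "show version";
    # the hostnames are made up for this example.
    banners = {
        "asa-hq-01": "Cisco Adaptive Security Appliance Software Version 9.16(4)57",
        "asa-dc-02": "Cisco Adaptive Security Appliance Software Version 9.18(4)20",
        "asa-lab-03": "Cisco Adaptive Security Appliance Software Version 9.19(1)2",
    }
    for host, banner in banners.items():
        print(f"{host:12} {parse_asa_version(banner)}  {asa_fix_status(banner)}")
```

Feed it the first line of "show version" from each ASA (or the inventory export from your management tool) and act on every "vulnerable" and "unknown-train" result.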

For more detail on the IOCs, please check:

Check your Cisco ASA compatibility:


Reference:

Print Friendly and PDF
Share/Bookmark

Wednesday, April 24, 2024

H3C firewall SSL weak cipher

Nessus vulnerability scan report on an H3C firewall: SSL weak cipher

Go to "Objects" -> "SSL" -> "SSL Server Policies"

You will find that even when you select "TLS 1.2" and the "High level" cipher suites, the policy still offers:

SSL_RSA_with_AES_128_CBC_SHA

SSL_RSA_with_AES_256_CBC_SHA


so the security scan still fails and reports weak ciphers: both suites use static RSA key exchange (no forward secrecy), CBC mode and a SHA-1 MAC.

Solution:

Use the following 4 ciphers:

 

https://www.tenable.com/plugins/nessus/156899


After changing the cipher suites in the firewall GUI, SSH to the firewall and restart the HTTPS service so that the new policy takes effect:

> system-view
] undo ip https enable
] ip https enable
] save force
] exit
>
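Added example, not from the original post and not the firewall vendor's code, to verify the change from the outside: weak_reasons() mirrors the reasons the scanner gives for the two suites above (static RSA key exchange, CBC, SHA-1 MAC; this is an approximation of the scanner's criteria, not its actual logic), and negotiate() offers the firewall only those two legacy suites over TLS 1.2 and reports whether it still accepts one. The firewall address is taken from the command line.

```python
import socket
import ssl

# The two suites the 'High level' policy still offered (IANA names, as in the post)
# and the OpenSSL names needed to request them in a handshake.
LEGACY_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
}


def weak_reasons(suite):
    """Why a scanner objects to a TLS 1.2 suite, judged from its IANA name
    (the 'SSL_' prefix some GUIs use is treated as 'TLS_'). These three
    criteria approximate the scanner's view; they are an assumption of this example."""
    name = suite.replace("SSL_", "TLS_", 1).upper()
    reasons = []
    key_exchange = name.split("_WITH_")[0]
    if key_exchange == "TLS_RSA":
        reasons.append("static RSA key exchange, no forward secrecy")
    if "_CBC_" in name:
        reasons.append("CBC mode")
    if name.endswith("_SHA"):
        reasons.append("SHA-1 MAC")
    return reasons


def is_recommended(suite):
    return not weak_reasons(suite)


def negotiate(host, port=443, openssl_ciphers=None, timeout=5.0):
    """Offer only the given OpenSSL cipher names over TLS 1.2 and return the
    suite the server picks, or None if it refuses every one of them (the
    answer you want after the policy change). Certificate verification is
    disabled because only the cipher offer is under test."""
    if openssl_ciphers is None:
        openssl_ciphers = ":".join(LEGACY_SUITES.values())
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_ciphers)   # raises if the local OpenSSL cannot offer them
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    import sys
    for iana in LEGACY_SUITES:
        print(f"{iana}: {'; '.join(weak_reasons(iana))}")
    if len(sys.argv) > 1:                      # python3 probe.py <firewall-address>
        picked = negotiate(sys.argv[1])
        print("server still negotiates", picked if picked else "none of the legacy suites")
```

Run it against the admin portal before and after the "undo ip https enable / ip https enable" restart: the handshake should succeed before the change and return None afterwards. If set_ciphers() itself fails, your local OpenSSL security level forbids these suites; append ":@SECLEVEL=1" to the cipher string for the test.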

 


Saturday, April 20, 2024

H3C Firewall Change admin portal certificate

1. Go to H3C Firewall -> SSL -> SSL Server Policies and create a new policy, e.g. "abc_2024-2026"

2. Create a PKI domain for the new certificate installation

3. Go to PKI -> Certificate -> Import and import the 2 CA certificates and the 1 local certificate

The CA provides TWO CA certificates (.cer) (when installing the second CA certificate, ignore the "certificate will be replaced" warning) and ONE local certificate (.pfx, RSA 2048). The local certificate must include the private key; again ignore the "certificate will be replaced" warning.

4. SSH to the firewall and bind the new policy to the HTTPS service
 > show current-configuration (enable logging in PuTTY before running this command, so you keep a copy of the old configuration)
 > system-view
 ] undo ip https enable
 ] ip https ssl-server-policy <new policy name created in step 1>
 ] ip https enable
 ] save force
 ] exit
 >


Wednesday, April 17, 2024

Install certificates on Symantec Messaging Gateway (SMG)

Error: No stored certificate request matches this certificate.

Manage certificates for your system. The TLS certificate is used by MTAs in each Scanner appliance; the Control Center uses the HTTPS certificate for secure Web management; Domain keys are used for DomainKeys Identified Mail (DKIM) signing of outbound mail.

Solution: SMG will not install a certificate unless either:
  • the private key is included in the PEM file, or
  • a matching CSR already exists in the SMG (the error above means no stored request matches the certificate being imported)


Tuesday, April 16, 2024

Free TI feed - rules.emergingthreats.net

The bad IP list from emergingthreats:
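Added example, not part of the original post: parsing a block list in the one-entry-per-line layout these feeds use ('#' comments, single addresses, CIDR ranges) and matching it against firewall syslog, which is also the "check your logs for IOC hits" step from the Cisco ASA post above. The feed and log lines are constructed with RFC 5737 documentation addresses; the feed URL is one of the published lists and is an assumption of this example, not taken from the post.

```python
import ipaddress
import re
import urllib.request

# One of the published lists on rules.emergingthreats.net (assumed here, not named in the post)
FEED_URL = "https://rules.emergingthreats.net/blockrules/compromised-ips.txt"

# Constructed sample in the one-entry-per-line layout of those lists:
# '#' comments, bare addresses and CIDR ranges. RFC 5737 documentation
# addresses are used; none of these are real indicators.
SAMPLE_FEED = """\
# Emerging Threats block list (constructed sample for this example)
# Last updated 2024-04-16
198.51.100.23
203.0.113.0/24
192.0.2.77   # trailing comment
"""

# Constructed ASA-style syslog lines; the %ASA-6-302013 / %ASA-4-106023 message
# layout is real, the hostname and addresses are made up.
SAMPLE_LOG = """\
Apr 16 10:01:02 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.45/51000 (203.0.113.45/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
Apr 16 10:01:09 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.23/4444 dst inside:10.0.0.9/22 by access-group "outside_in"
Apr 16 10:02:11 fw01 %ASA-6-302014: Teardown TCP connection 12340 for outside:192.0.2.10/53 to inside:10.0.0.5/39000 duration 0:00:01 bytes 512
"""

# Dotted quads not embedded in a longer dotted number
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def load_feed(text):
    """Parse feed text into a set of single addresses and a list of networks."""
    singles, networks = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        if "/" in entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
        else:
            singles.add(ipaddress.ip_address(entry))
    return singles, networks


def fetch_feed(url=FEED_URL, timeout=20):
    """Download a live list and parse it (needs network; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_feed(resp.read().decode("utf-8", errors="replace"))


def ioc_hits(log_text, singles, networks):
    """Return one (line_no, address, indicator, line) tuple per distinct feed
    address found on a log line; CIDR entries report the matching network."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        checked = set()
        for raw in _IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:      # e.g. an octet above 255
                continue
            if addr in checked:
                continue
            checked.add(addr)
            if addr in singles:
                hits.append((line_no, str(addr), str(addr), line))
            else:
                for net in networks:
                    if addr in net:
                        hits.append((line_no, str(addr), str(net), line))
                        break
    return hits


if __name__ == "__main__":
    singles, networks = load_feed(SAMPLE_FEED)
    for line_no, addr, indicator, line in ioc_hits(SAMPLE_LOG, singles, networks):
        print(f"line {line_no}: {addr} matched {indicator}\n    {line}")
```

For a real run, replace SAMPLE_FEED with fetch_feed() and SAMPLE_LOG with the exported firewall log; a hit on an inbound-deny line is scanning noise, a hit on a "Built" or outbound line is the one to investigate.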




Oracle JRE and JDK replacement

Azul Zulu OpenJDK 11 is a good choice.
If your computer does not have any Java SE installed, download and install Azul Zulu OpenJDK 11 from the Zulu Community site.


The 2 amber lights followed by 4 white lights on a DELL Latitude Laptop

1. Reseat the Original Memory: If applicable to your model, reseat the original memory module in the system. Sometimes, reseating the RAM can resolve the issue.

2. Check for Damaged RAM: If reseating the RAM doesn't work, consider checking for any visible damage to the RAM sticks. If they appear damaged, you may need to replace them.

3. Firmware Updates: Ensure that your system's firmware (BIOS) is up to date. Sometimes, updating the firmware can resolve hardware-related issues.


https://www.dell.com/community/en/conversations/latitude/latitude-7480-2-amber-lights-4-white-lights/647f7c0bf4ccf8a8dea5acf2




Wednesday, April 10, 2024

Fortinet SSL VPN - SSL certificate expired and you need to bypass it temporarily

Configure SSL VPN to not require client certificates

Go to VPN > SSL > Settings and un-check Require Client Certificate.

This removes the certificate factor from the VPN logon, so every user then authenticates with credentials only; treat it as a short-lived workaround and re-enable the setting as soon as the client certificate (or its issuing CA) has been renewed.



Thursday, April 4, 2024

Broadcom Edge SWG (ProxySG) - Upgrade to SGOS and Advanced Secure Gateway 7.3.19.1


Because of the bug described at https://knowledge.broadcom.com/external/article/280948/edge-swg-proxysg-appliance-stalls-or-onl.html (the appliance stalls), upgrade to a version of SGOS that has the fix. The first releases with the fix are 7.3.14.5 and 7.3.19.1 and later.


Tuesday, April 2, 2024

Use Symantec Endpoint Protection to run the YARA rules to scan Linux servers for CVE-2024-3094



Yara rule for CVE-2024-3094

Reference:


Saturday, March 30, 2024

Supply Chain Attack - cve-2024-3094 - CVSS 10 - xz-utils package

Current status of CVE-2024-3094 as confirmed by each distro advisory:

Fedora - Fedora 41 and Fedora Rawhide are affected (packages `xz-5.6.0-*` or `xz-5.6.1-*`).

Debian - Affected only in testing, unstable and experimental; the stable releases are not affected.

Red Hat - No versions of Red Hat Enterprise Linux are affected.

Ubuntu - Affected only in the 24.04 (Noble) development builds; released versions are not affected.

OpenSUSE Tumbleweed and openSUSE MicroOS - affected

Kali Linux - Affected

How to check your xz version?
Quick check: `xz -V`

Action:
CISA recommends that developers and users downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable.
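Added example, not from the original post or from CISA: a host check built around `xz -V` that also looks at whether sshd loads liblzma, the path the backdoor used on the affected distributions. The sample command outputs are constructed. A version string is only an indicator (distributions shipped reverted or patched packages under various version strings), so confirm with your package manager before deciding a host is clean.

```python
import re
import shutil
import subprocess

# Releases whose tarballs carried the backdoored build script (CVE-2024-3094)
BACKDOORED = {"5.6.0", "5.6.1"}
# Release CISA pointed users back to
SAFE_DOWNGRADE = "5.4.6"

# Constructed output in the two-line layout 'xz -V' prints
SAMPLE_XZ_V = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
# Constructed 'ldd /usr/sbin/sshd' excerpt: on the affected distributions the
# backdoor reached sshd through libsystemd's dependency on liblzma
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd3b5f0000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c1e000000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c1dfc0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c1dc00000)
"""

_VERSION_LINE = re.compile(r"^(xz|liblzma)\b.*?(\d+\.\d+\.\d+)")


def parse_xz_version(output):
    """Return {'xz': '5.6.1', 'liblzma': '5.6.1'} from 'xz -V' output.
    Both lines matter: the tool and the library can differ after a partial rollback."""
    versions = {}
    for line in output.splitlines():
        m = _VERSION_LINE.match(line)
        if m:
            versions[m.group(1)] = m.group(2)
    return versions


def findings(versions):
    """Components reported at a backdoored version; an empty list means clean
    as far as the version string can tell."""
    return [f"{name} {ver}" for name, ver in versions.items() if ver in BACKDOORED]


def sshd_links_liblzma(ldd_output):
    """True if sshd loads liblzma (directly or via libsystemd), the path the backdoor used."""
    return any("liblzma.so" in line for line in ldd_output.splitlines())


def check_host():
    """Run the real commands on this host; returns (findings, sshd_links_liblzma)."""
    out = subprocess.run(["xz", "-V"], capture_output=True, text=True, check=False).stdout
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd = subprocess.run(["ldd", sshd], capture_output=True, text=True, check=False).stdout
    return findings(parse_xz_version(out)), sshd_links_liblzma(ldd)


if __name__ == "__main__":
    bad = findings(parse_xz_version(SAMPLE_XZ_V))
    print("sample host:", bad or "clean", "| sshd links liblzma:", sshd_links_liblzma(SAMPLE_LDD))
    if bad:
        print(f"downgrade to XZ Utils {SAFE_DOWNGRADE} or to your distribution's fixed package")
```

A backdoored version plus sshd linking liblzma is the combination that mattered; a backdoored version on a host whose sshd does not load liblzma still needs the downgrade, but the exposure through SSH is absent.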

Reference:

Thursday, March 28, 2024

Broadcom (Symantec) SEP 14.3 RU6 bug causes Linux to hang

Error log: sisap_uc_uevent: fp was DELETED xxxxxxxxxxxxxxxxx, pid xxxx, fid xxxxxx leaving with ret=1, waiting=63, nsq=0, wait_scan=54, filename=noname

Issue: After upgrading the Endpoint Protection client to 14.3 RU6 (14.3.2509.6000), Linux machines running the agent may get into a hung state. In /var/log/messages you will see error messages of this type: sisap_uc_uevent: fp was DELETED

Affected, and matching our currently running SEP version: Symantec Endpoint Protection (SEPM) 14.3.2509.6000

Resolution: Upgrade the agent to the latest version (14.3.2529.6000 or later).


If you plan to upgrade to 14.3 RU8 to resolve this issue, first check that the kernel version is on the supported list:
https://linux-repo.us.securitycloud.symantec.com/SAL/1.3/seplinux_supported_kernels.html
After the upgrade, follow the steps in the document below to verify (a scheduled downtime is required):
Symantec_SEP_(DC_2.0).pdf (hicloud.net.tw)
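Added example, not from the original post or from Broadcom: extracting the hang-signature lines from /var/log/messages and checking the installed agent build against the fixed build named above. The log excerpt is constructed; only the sisap_uc_uevent message text comes from the post.

```python
import re

# From the post: agent build that hangs, and the first fixed build
AFFECTED_AGENT = "14.3.2509.6000"
FIXED_AGENT = "14.3.2529.6000"

# Constructed /var/log/messages excerpt. The sisap_uc_uevent message text is the
# signature quoted in the post; the timestamps, hostname and numbers are made up.
SAMPLE_MESSAGES = """\
Mar 28 02:11:07 web01 kernel: sisap_uc_uevent: fp was DELETED ffff9c3a1e2b4c00, pid 1873, fid 40211 leaving with ret=1, waiting=63, nsq=0, wait_scan=54, filename=noname
Mar 28 02:11:07 web01 systemd[1]: Started Session 44 of user admin.
Mar 28 02:11:09 web01 kernel: sisap_uc_uevent: fp was DELETED ffff9c3a1e2b5d00, pid 1873, fid 40212 leaving with ret=1, waiting=64, nsq=0, wait_scan=55, filename=noname
"""

_SIG_RE = re.compile(
    r"sisap_uc_uevent: fp was DELETED \S+, pid (\d+), fid (\d+) leaving with "
    r"ret=(\d+), waiting=(\d+), nsq=(\d+), wait_scan=(\d+)"
)


def version_tuple(text):
    return tuple(int(p) for p in text.strip().split("."))


def agent_needs_upgrade(version):
    """True when the agent build is below the first fixed build."""
    return version_tuple(version) < version_tuple(FIXED_AGENT)


def hang_events(log_text):
    """Extract each hang-signature line as a dict of its numeric fields."""
    events = []
    for line in log_text.splitlines():
        m = _SIG_RE.search(line)
        if m:
            pid, fid, ret, waiting, nsq, wait_scan = (int(v) for v in m.groups())
            events.append({"pid": pid, "fid": fid, "ret": ret, "waiting": waiting,
                           "nsq": nsq, "wait_scan": wait_scan})
    return events


def assess(log_text, agent_version):
    """Combine both checks: signature seen in the log and agent still on an
    affected build. Returns (event_count, pids, needs_upgrade)."""
    events = hang_events(log_text)
    return len(events), sorted({e["pid"] for e in events}), agent_needs_upgrade(agent_version)


if __name__ == "__main__":
    count, pids, upgrade = assess(SAMPLE_MESSAGES, AFFECTED_AGENT)
    print(f"hang signature lines: {count}, pids: {pids}, agent needs upgrade: {upgrade}")
```

Point assess() at the real /var/log/messages and the version reported by the agent; a rising "waiting" count against the same pid is the pattern that precedes the hang described above.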


Thursday, March 21, 2024

Tencent Cloud VPC firewall engine upgrade






It takes several minutes to complete the upgrade, and network connectivity is interrupted during it.


Fortinet Fortigate Firewall Enable IPS

Under Security Profiles -> Intrusion Prevention


After configuring the profile, you need to add it to the relevant firewall policy; an IPS profile that no policy references inspects nothing.

Reference:


Wednesday, March 13, 2024

Aruba AP running 10.4.0.2 or above hits a bad bug: it reboots unexpectedly


Solution:
Upgrade to 10.4.1.0 or above.

Recommended: upgrade to 10.4.1.1, since 10.4.1.0 has another cause of unexpected crashes and reboots.


Friday, March 8, 2024

Cisco Firepower Firewall 1000 series - ASA code and FTD code relationship


The 1000 series runs either the ASA code or the FTD code, not both at the same time.

When running the ASA code, in appliance mode the hardware is configured from the ASA CLI;
in platform mode the hardware is configured from the FXOS CLI.


H3C Security Management Platform - Firewall Management like Fortimanager

The H3C Security Management Platform runs on H3Linux, H3C's proprietary Linux operating system.

H3Linux is packaged on top of CentOS, so the installation process is essentially the same as for CentOS (a CentOS minimal installation).



Hillstone A Series NGFW Highlight and resource

Hillstone A Series NGFW highlights
  • High performance
  • Full security protection
  • SD-WAN ready
  • ZTNA ready
  • Twin-mode for Active-Active data centers
  • Load balancing (link, server)
  • Advanced QoS (iQoS)
  • Intelligent threat detection in encrypted traffic without decryption
  • ML-based flood protection baseline establishment
  • Smart policy operation (policy auto-learning, policy auditing, policy hit analysis, redundancy check, log visibility, hotfix support)

FAQ

Does Hillstone provide a centralized management system?
Yes. HSM (Hillstone Security Management) centrally controls and manages multiple Hillstone devices in the network and provides the capabilities below.
  • NGFW Manager - basic O&M management for firewalls:
    Status Monitor: view the online status and HA status of devices;
    Configuration Deployment: manage security policies and destination-based routes for devices;
    O&M Management: device image updates, signature database updates and configuration file management.
  • Policy Analyzer - a visual management platform for reviewing the security policies of multiple devices; it finds abnormal or non-compliant policies and produces a detailed analysis report.

How does Hillstone integrate with CyberArk?
Hillstone HSM and NGFW support AAA servers such as RADIUS or LDAP. CyberArk integrates with the AAA server to provide privileged account management and password management for Hillstone HSM and NGFW.

Do Hillstone's default routing administrative distances align with Cisco or Huawei?
Hillstone's default routing administrative distances align with Cisco.

Which Hillstone NGFW model supports 10G IPsec VPN?
The Hillstone NGFW SG-6000-A3800-IN provides 12 Gbps of IPsec VPN throughput and two SFP+ interfaces.

How does Hillstone handle an interface whose traffic reaches or exceeds the maximum bandwidth of the link?
Hillstone supports shaping mode and policing mode for traffic control when traffic exceeds the limit. In shaping mode, excess packets are held in a queue and scheduled later, at the cost of added latency. In policing mode, the system drops the traffic that exceeds the bandwidth limit.

Resources (an account is required to log in)
Hillstone Official Website
Hillstone User Center
Technical Documentation
Knowledge Base
Software Download
Hillstone StoneOS 5.5R10 Documentation


Tuesday, March 5, 2024

How to resolve the "Login Failed" error after a Cisco AnyConnect client update over a Cisco ASA connection


The fix for the client-version problem is to upgrade the Cisco AnyConnect client, but after the upgrade the login fails.

The error message is "Login Failed".

The solution is to reboot the client machine (e.g. a Windows laptop). It then establishes a new connection to the Cisco ASA.

The reason: without a reboot, the new client tries to reuse the same session to reconnect to the ASA, but that session was interrupted by the upgrade, so it cannot reconnect until the session expires after 30 minutes.

Reference:
If an AnyConnect session is interrupted, the user fails to connect due to an IP conflict for 30 minutes

When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: "The installer was not able to start the Cisco VPN client, clientless access is not available." In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

When you connect the AnyConnect VPN Client to the ASA, you might receive this error: "User not authorized for AnyConnect Client access, contact your administrator." This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The dartbundle files show this error message when the user gets disconnected: "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE: The secure gateway failed to respond to Dead Peer Detection packets." This error means that the DTLS channel was torn down due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

 webvpn
  svc keepalive 30
  svc dpd-interval client 80
  svc dpd-interval gateway 80

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later, as shown here:

 webvpn
  anyconnect ssl keepalive 15
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 5

Broadcom Edge Secure Web Gateway (SWG)

Upgrade from 7.3.13.2 to 7.3.14.4 to reduce the chance of VM crashes and to fix SharePoint failing to open Word, Excel and PowerPoint files (when you click the file, it becomes "Doc.aspx" and downloads instead of opening).

The fixed release was targeted for release at the end of March 2024.


SVR cyber actors adapt tactics for initial cloud access



Friday, March 1, 2024

Symantec Endpoint Protection (SEP) being restarted automatically on Linux

If you run the following commands to stop and disable SEP:

systemctl stop sisamddaemon

systemctl disable sisamddaemon

SEP will restart itself later.

For SEP Linux agent version 14.3 RU1 and above, you can stop the agent with the ./stop.sh command in the /usr/lib/symantec folder.

However, by product design, stopping the SEP Linux agent is not permanent: the services resume when the Linux machine is restarted.
If you run ./stop.sh and do not reboot, the SEP Linux services stay fully stopped until they are started with the ./start.sh command or until the next system reboot.
So the only way to stop the SEP service permanently is to uninstall it; ./stop.sh without a reboot is only a temporary stop.

How to restart the Endpoint Protection Linux daemons


How to enable the Cisco ASA AnyConnect client upgrade when clients have an earlier version installed and connect to the Cisco ASA firewall?

Solution: When upgrading the Cisco ASA firewall, upload the latest version of the Cisco AnyConnect client to the ASA (Configuration > Remote Access VPN > AnyConnect Client Software) and move the latest AnyConnect client image to the top of the list.

Reference:


Monday, February 26, 2024

Broadcom Symantec Messaging Gateway Version Upgrade

If you upgrade from 10.8.0 or earlier to 10.9.0 or above, you need to disable the legacy URL reputation feature and implement a URL categorization policy.

Reference: pages 3 to 4.


The NSFOCUS SAS-H hardware is end of support and does not support Edge; use IE mode in Edge to access it

The new product, OSMS, has been released to replace the SAS-H.

Reference:
https://www.techtarget.com/searchenterprisedesktop/tip/How-to-enable-Internet-Explorer-mode-on-Microsoft-Edge



Using a different proxy for an individual browsing session via a browser shortcut

Workaround solution:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --proxy-server="x.x.x.x:8080"

The switch only applies to a fresh browser process: if Chrome is already running, the shortcut hands over to the existing instance and the flag is ignored, so add a separate --user-data-dir="C:\temp\proxyprofile" to start an independent instance. The same -proxy-server="Proxy IP:Proxy Port" setting also works for IE.

Reference:


Sunday, February 25, 2024

Cannot see the files and folders copied by robocopy (they were visible on the old machine)

Run the command "ATTRIB -h -s -a d:\backups\c" to clear the hidden, system and archive attributes on the folder. Robocopy copied the attributes of the source root (C:\, which carries the System and Hidden attributes) onto the destination directory, which is why the backup folder disappeared from Explorer.

To prevent the backup folder from being hidden by robocopy:
Add /A-:SH to the robocopy command so the System and Hidden attributes are stripped from copied files and directories.

Reference:


Full data backup from the C: drive to an external USB drive using robocopy

robocopy /s /z /xj /V /R:0 /W:0 /copy:DT C:\ D:\backups\c\

/s copies subdirectories but skips empty ones, /z uses restartable mode, /xj excludes junction points (otherwise the per-user junctions under C:\Users send the copy into loops), /V is verbose output, /R:0 /W:0 disables retries, and /copy:DT copies file data and timestamps only: attributes, ACLs and ownership are not preserved, so this is a data backup rather than a restorable image.

Reference:


Migrate Broadcom Symantec Messaging Gateway from physical to virtual appliance with different hostname and IP address

How do you migrate Broadcom Symantec Messaging Gateway from a physical to a virtual appliance with a different hostname and IP address?

The solution is to take a backup on the physical appliance using Custom backup (https://knowledge.broadcom.com/external/article/180646/backup-and-restore-the-messaging-gateway.html) and not select "Include log data"; that backup can then be restored to an appliance with a different hostname and IP address.


Saturday, February 24, 2024

Prepare for NTLM disable in your domain environment


Microsoft has announced that the NTLM authentication protocol will be disabled in Windows 11 (deprecated first, then disabled by default). Its replacement is Kerberos, which has been the default domain authentication protocol since Windows 2000.

https://petri.com/microsoft-disable-ntlm-windows-11/

To prepare for this change, enable the Group Policy audit settings under Network security: Restrict NTLM (audit only, not block) and review the resulting events to find which applications still use NTLM in your environment and which NTLM version (LM, NTLMv1 or NTLMv2) they use.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1

https://superuser.com/questions/1694421/how-can-i-find-out-what-is-using-ntlm-in-my-environment

https://mahim-firoj.medium.com/how-to-check-what-ntlm-version-you-are-using-in-your-domain-9eb4aed9f317

https://4sysops.com/archives/auditing-and-restricting-ntlm-authentication-using-group-policy/
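Added example, not from the original post or from Microsoft: once auditing is on, the quickest inventory comes from the 4624 logon events on domain controllers and servers, whose "Authentication Package" and "Package Name (NTLM only)" fields tell you NTLM versus Kerberos and NTLM V1 versus V2. The events below are constructed in the layout of the 4624 message text; accounts, hosts and addresses are made up.

```python
import re
from collections import Counter

# Constructed Security log 4624 events, in the field layout of the event's message
# text as shown in Event Viewer. Only the fields this script reads are kept;
# accounts, hosts and addresses are made up.
SAMPLE_4624 = [
    """An account was successfully logged on.
Subject:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t-
Logon Type:\t\t\t3
New Logon:
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tFILESRV02
\tSource Network Address:\t10.20.1.15
Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V1
\tKey Length:\t\t128
""",
    """An account was successfully logged on.
Subject:
\tAccount Name:\t\t-
Logon Type:\t\t\t3
New Logon:
\tAccount Name:\t\tjsmith
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tAPP01
\tSource Network Address:\t10.20.4.8
Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V2
\tKey Length:\t\t128
""",
    """An account was successfully logged on.
Subject:
\tAccount Name:\t\t-
Logon Type:\t\t\t3
New Logon:
\tAccount Name:\t\tjsmith
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tAPP01
\tSource Network Address:\t10.20.4.8
Detailed Authentication Information:
\tLogon Process:\t\tKerberos
\tAuthentication Package:\tKerberos
\tPackage Name (NTLM only):\t-
\tKey Length:\t\t0
""",
]


def _field(text, name):
    """Last value of a 'Name:<tabs>value' line. The New Logon section comes after
    Subject, so the last 'Account Name' is the account that logged on."""
    values = re.findall(rf"^\s*{re.escape(name)}:\s*(.*?)\s*$", text, re.M)
    return values[-1] if values else "-"


def parse_event(text):
    return {
        "account": _field(text, "Account Name"),
        "domain": _field(text, "Account Domain"),
        "workstation": _field(text, "Workstation Name"),
        "source": _field(text, "Source Network Address"),
        "package": _field(text, "Authentication Package"),
        "ntlm_version": _field(text, "Package Name (NTLM only)"),
        "logon_type": _field(text, "Logon Type"),
    }


def ntlm_inventory(events):
    """Count NTLM logons by (NTLM version, workstation, account); Kerberos logons are skipped."""
    inventory = Counter()
    for e in (parse_event(t) for t in events):
        if e["package"].upper() == "NTLM":
            inventory[(e["ntlm_version"], e["workstation"], e["account"])] += 1
    return inventory


def legacy_ntlm(inventory):
    """The entries to chase first: LM and NTLM V1 must go before anything else."""
    return {k: v for k, v in inventory.items() if k[0] in ("LM", "NTLM V1")}


if __name__ == "__main__":
    inv = ntlm_inventory(SAMPLE_4624)
    legacy = legacy_ntlm(inv)
    for (version, host, user), count in sorted(inv.items()):
        flag = "  <-- legacy" if (version, host, user) in legacy else ""
        print(f"{version:8} {host:12} {user:12} {count}{flag}")
```

Export the real events with Get-WinEvent (LogName Security, Id 4624) from each domain controller and feed each event's Message text to ntlm_inventory(). The Restrict NTLM audit settings referenced above add a second source, the NTLM operational log (Applications and Services Logs > Microsoft > Windows > NTLM > Operational), which names the calling application as well.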

 
