Saturday, March 30, 2024

Supply Chain Attack - CVE-2024-3094 - CVSS 10 - xz-utils package

Current status of CVE-2024-3094 as confirmed by each distro advisory:

Fedora - Fedora 41 and Fedora Rawhide are affected (packages `xz-5.6.0-*` OR `xz-5.6.1-*`).

Debian - affected in some releases

Red Hat - No versions of Red Hat Enterprise Linux are affected.

Ubuntu - affected in some releases

OpenSUSE Tumbleweed and openSUSE MicroOS - affected

Kali Linux - affected

How to check your xz version?
Quick check: `xz -V`

Action:
CISA recommends that developers and users downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable.
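A scripted version of the quick check, as an added example that is not part of the original post or of any distro advisory: it parses the `xz -V` banner and flags the two releases named above. Only the version numbers 5.6.0, 5.6.1 and the CISA-recommended 5.4.6 come from the post; the banner format `xz (XZ Utils) X.Y.Z` is assumed from upstream xz output, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post or from any distro advisory:
# parse the `xz -V` banner and flag the two releases named in CVE-2024-3094.
# Only the version numbers 5.6.0, 5.6.1 and the CISA-recommended 5.4.6 come
# from the post; the banner format "xz (XZ Utils) X.Y.Z" is assumed from
# upstream xz output.

# Return 0 if the given version string is one of the compromised releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull "X.Y.Z" out of the first line of an `xz -V` banner passed as $1.
# Prints nothing when the line does not look like the expected banner.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# Run the check against the xz binary on this host. Return codes:
# 0 = not a listed release, 1 = compromised release, 2 = xz not found.
check_xz_host() {
    banner=$(xz -V 2>/dev/null | head -n 1) || true
    ver=$(parse_xz_version "$banner")
    if [ -z "$ver" ]; then
        echo "xz not found or unrecognised banner: '$banner'"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "AFFECTED: xz $ver matches CVE-2024-3094; downgrade to 5.4.6 per CISA"
        return 1
    fi
    # Some distros ship a rebuilt package that still reports a 5.6.x banner;
    # when in doubt, compare the package revision against the distro advisory.
    echo "OK: xz $ver is not one of the listed releases"
    return 0
}

# Entry point when run as a script: print this host's status. The return
# code of check_xz_host (0/1/2) is the machine-readable result.
if check_xz_host; then :; else echo "xz check exit status $?"; fi
```

The version test is an exact match on the two listed releases rather than a range compare, because the advisory names exactly those two builds; anything else is reported as "not listed", which is not the same as "verified clean".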

Reference:

Thursday, March 28, 2024

Broadcom (Symantec) SEP 14.3 RU6 bug causes Linux to hang

Error log: sisap_uc_uevent: fp was DELETED xxxxxxxxxxxxxxxxx, pid xxxx, fid xxxxxx leaving with ret=1, waiting=63, nsq=0, wait_scan=54, filename=noname 

Issue: After upgrading the Endpoint Protection client to 14.3 RU6 (14.3.2509.6000), Linux machines running the agent may enter a hung state. In /var/log/messages you will see error messages of this form: sisap_uc_uevent: fp was DELETED

Affected version, which matches the SEP version we are currently running: Symantec Endpoint Protection (SEPM) 14.3.2509.6000

Resolution: Upgrade the agent to the latest version (14.3.2529.6000 or later). 
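To find affected hosts before the upgrade, here is an added example (my own, not from the original post or from Broadcom) that scans a syslog-style file for the hang signature above and checks whether an agent build is at or past the fixed release. The only values taken from the post are the message fragment "sisap_uc_uevent: fp was DELETED", the affected build 14.3.2509.6000 and the fixed build 14.3.2529.6000; the log lines in the demo are constructed, and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post or from Broadcom: scan a
# syslog-style file for the SEP 14.3 RU6 hang signature and tell whether an
# agent build is at or past the fixed release. Only the message fragment,
# the affected build 14.3.2509.6000 and the fixed build 14.3.2529.6000 come
# from the post; the demo log lines are constructed.

SEP_HANG_PATTERN='sisap_uc_uevent: fp was DELETED'

# Print how many lines of the log file named in $1 carry the hang signature.
count_sep_hang_signature() {
    # grep -c prints 0 (and exits 1) when nothing matches; not an error here
    grep -c "$SEP_HANG_PATTERN" "$1" || true
}

# Print the pid field of each matching line, one per line, so the affected
# processes can be looked up (the pid value is the token after "pid ").
list_sep_hang_pids() {
    grep "$SEP_HANG_PATTERN" "$1" | sed -n 's/.*pid \([0-9]*\),.*/\1/p'
}

# Return 0 if the 14.3.BUILD.REV version in $1 is the fixed build 14.3.2529
# or later, 1 if it is older, 2 if the string is not a 14.3.x.y version.
sep_build_is_fixed() {
    case "$1" in
        14.3.*) ;;
        *) return 2 ;;
    esac
    build=$(printf '%s\n' "$1" | cut -d. -f3)
    case "$build" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$build" -ge 2529 ]
}

# Demo on a constructed /var/log/messages excerpt (not real log data).
sep_hang_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Mar 28 09:14:02 host1 kernel: sisap_uc_uevent: fp was DELETED xxxxxxxxxxxxxxxxx, pid 4242, fid 123456 leaving with ret=1, waiting=63, nsq=0, wait_scan=54, filename=noname
Mar 28 09:14:03 host1 sshd[1001]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Mar 28 09:14:07 host1 kernel: sisap_uc_uevent: fp was DELETED xxxxxxxxxxxxxxxxx, pid 4243, fid 123457 leaving with ret=1, waiting=63, nsq=0, wait_scan=54, filename=noname
EOF
    echo "hang signature seen $(count_sep_hang_signature "$tmp") time(s); pids: $(list_sep_hang_pids "$tmp" | tr '\n' ' ')"
    rm -f "$tmp"
    if sep_build_is_fixed 14.3.2509.6000; then
        echo "14.3.2509.6000 is at or past the fixed build"
    else
        echo "14.3.2509.6000 (RU6) is older than the fixed build 14.3.2529.6000: upgrade"
    fi
}

sep_hang_demo
```

Point the counting function at the real /var/log/messages on a suspect host; a non-zero count on an agent whose build is below 14.3.2529 is the condition the resolution above addresses.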


If you plan to upgrade to 14.3 RU8 to resolve this issue, first check that your kernel version is on the supported kernel list:
https://linux-repo.us.securitycloud.symantec.com/SAL/1.3/seplinux_supported_kernels.html
After the upgrade, follow the steps in the document below to verify the agent (a scheduled downtime is required):
Symantec_SEP_(DC_2.0).pdf (hicloud.net.tw)


Thursday, March 21, 2024

Tencent Cloud VPC firewall engine upgrade

The upgrade takes several minutes to complete, and network connectivity will be interrupted while it runs.


Fortinet Fortigate Firewall Enable IPS

Under Security Profile -> Intrusion Prevention, create or edit the IPS profile.

After configuring the profile, you need to add it to the relevant firewall policy; the profile is not applied to traffic until a policy references it.

Reference:


Wednesday, March 13, 2024

Aruba AP running 10.4.0.2 or above hits a serious bug: the AP reboots unexpectedly


Solution:
Upgrade to 10.4.1.0 or above.

Upgrading to 10.4.1.1 is recommended, since 10.4.1.0 has another issue that also causes the AP to crash and reboot unexpectedly.


Friday, March 8, 2024

Cisco Firepower Firewall 1000 series - ASA code and FTD code relationship


The 1000 series runs either ASA code or FTD code, but not both at the same time.

In appliance mode, the hardware is configured in ASA CLI. 
In platform mode, the hardware is configured in FXOS CLI.


H3C Security Management Platform - Firewall Management like Fortimanager

The H3C Security Management Platform runs on H3Linux, H3C's proprietary Linux operating system.

H3Linux is packaged on top of CentOS, so the installation process is essentially the same as for CentOS (a CentOS minimal installation deployment).



Hillstone A Series NGFW Highlight and resource

Hillstone A Series NGFW Highlights
  • High performance
  • Full security protection
  • SD-WAN ready
  • ZTNA ready
  • Twin-mode for Active-Active data center
  • Load balancing (link, server)
  • Advanced QoS (iQoS)
  • Intelligent threat detection in encrypted traffic without decryption
  • ML-based flood protection baseline establishment
  • Smart policy operation (policy auto-learning, policy auditing, policy hit analysis, redundancy check, log visibility, hotfix support)
FAQ

Does Hillstone provide a centralized management system?
Yes. HSM (Hillstone Security Management) centrally controls and manages multiple Hillstone devices in the network and provides the following capabilities:
NGFW Manager - this module provides basic O&M management for firewalls, including:
Status Monitor: view the online status and HA status of devices;
Configuration Deployment: manage security policies and destination-based routes for devices;
O&M Management: perform device image updates, signature database updates, and configuration file management.
Policy Analyzer - to solve the problem of reviewing security policies across multiple devices, the Policy Analyzer in HSM can be used as a visual management platform. It reviews the security policies of multiple devices, finds abnormal or non-compliant policies, and then provides a detailed analysis report.

How does Hillstone integrate with CyberArk?
Hillstone HSM and NGFW support AAA servers such as RADIUS or LDAP servers. CyberArk integrates with the AAA server to provide privileged account management and password management for Hillstone HSM and NGFW.

Do Hillstone's default routing administrative distances align with Cisco or Huawei?
Hillstone's default routing administrative distances align with Cisco.

Which Hillstone NGFW model supports 10G IPsec VPN?
The Hillstone NGFW SG-6000-A3800-IN provides IPsec VPN throughput of 12 Gbps and two SFP+ interfaces.

How does Hillstone handle traffic on an interface that almost reaches or exceeds the maximum bandwidth of the link?
Hillstone supports shaping mode and policing mode for controlling traffic that exceeds the limit. In shaping mode, excess packets are held in a queue and scheduled later, which adds latency. In policing mode, the system drops the traffic that exceeds the bandwidth limit.

Resource (please create an account to log in)
Hillstone Official Website
Hillstone User Center
Technical Documentation
Knowledge Base
Software Download
Hillstone StoneOS 5.5R10 Documentation


Tuesday, March 5, 2024

How to resolve login failure after a Cisco AnyConnect client update over a Cisco ASA connection


There is a way to upgrade the Cisco AnyConnect client through the ASA, but after the upgrade, login fails.

The error message is "Login Failed".

The solution is to reboot the client machine (e.g. a Windows laptop).
It will then establish a new connection to the Cisco ASA.

The reason is that without a reboot, the new client reuses the same session to reconnect to the ASA. That session was interrupted by the upgrade, so it cannot reconnect until the session expires after 30 minutes.

Reference:
If anyconnect session is interrupted, he fails to connect due to IP conflict during 30m

When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: "The installer was not able to start the Cisco VPN client, clientless access is not available." In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

When you connect the AnyConnect VPN Client to the ASA, you might receive this error: "User not authorized for AnyConnect Client access, contact your administrator." This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The dartbundle files show this error message when the user gets disconnected: "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE: The secure gateway failed to respond to Dead Peer Detection packets." This error means that the DTLS channel was torn down due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

    webvpn
     svc keepalive 30
     svc dpd-interval client 80
     svc dpd-interval gateway 80

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later, as shown here:

    webvpn
     anyconnect ssl keepalive 15
     anyconnect dpd-interval client 5
     anyconnect dpd-interval gateway 5

Broadcom Edge Secure Web Gateway (SWG)

Upgrading from 7.3.13.2 to 7.3.14.4 reduces the chance of VM crashes and fixes SharePoint failing to open Word, Excel and PowerPoint files (when you click the file, it turns into a "Doc.aspx" download instead of opening).

The fixed release is targeted for the end of March 2024.


SVR cyber actors adapt tactics for initial cloud access

Friday, March 1, 2024

Symantec Endpoint Protection (SEP) being restarted automatically on Linux

If you run the following commands to stop and disable SEP:

systemctl stop sisamddaemon

systemctl disable sisamddaemon

SEP will restart itself later.

For SEP Linux agent version 14.3 RU1 and above, you can stop the SEP Linux agent with the ./stop.sh command in the /usr/lib/symantec folder.

However, by product design, stopping the SEP Linux agent is not permanent: the services resume when the Linux machine is restarted.
If you run ./stop.sh without rebooting, the SEP Linux services remain fully stopped until they are started with the ./start.sh command or until the next system reboot.
The only way to permanently stop the SEP service is to uninstall it; ./stop.sh without a reboot stops it only temporarily.

How to restart the Endpoint Protection Linux daemons


How to enable Cisco ASA AnyConnect client upgrade when clients have an earlier version installed and connect to the Cisco ASA firewall?

Solution: When upgrading the Cisco ASA firewall, upload the latest version of the Cisco AnyConnect client to the ASA (Config > Remote VPN > AnyConnect Client Software) and move the latest AnyConnect client image to the top of the list.

Reference:
