我的學習手記 A technical geek blog: April 2024

Friday, April 26, 2024

Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)

Upgrade your Cisco ASA to the below versions: (Depend on your Cisco ASA support which version)

9.16.4.57

9.18.4.22

9.20.2.10
Check your firewall log or SIEM to see if there are any IOC IP hit your log.

For more detail of the IOC, please check:

https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

Check your Cisco ASA compatibility:

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

Reference:

https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2?s=08

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h

Wednesday, April 24, 2024

H3C firewall SSL weak cipher

Nessus vulnerability scan report about H3C firewall SSL weak cipher

Go to "Objects" -> "SSL" -> "SSL Server Policies"

You will found that even you select "TLS 1.2" and Cipher suites "High level":

SSL_RSA_with_AES_128_CBC_SHA

SSL_RSA_with_AES_256_CBC_SHA

You still false in the security scanning report and it will show weak cipher.

Solution:

Use the following 4 Cipher:

https://www.tenable.com/plugins/nessus/156899

After change the cipher under firewall GUI, then SSH to the firewall

> system-view

] undo ip https enable

] ip https enable

] save force

] exit

Saturday, April 20, 2024

H3C Firewall Change admin portal certificate

1. Go to H3C Firewall -> SSL -> SSL Server Policies to create a new Policy e.g. "abc_2024-2026"

2. Create a PKI Domain for new cert installation

3. Go to PKI -> Certificate -> Import 2 CA cert and 1 local cert

CA to provide TWO CA cert (.cer) (When install second CA, just ignore the cert will be replace warning) and One local cert (.pfx) (RSA 2048) (This local cert need to includ private key and also ignore the cert will be replace warning)

4. SSH to the firewall

> show current-configuration (Enable logging on putty before run this command)

> system-view ] undo ip https enable

] ip https ssl-server-policy <New Policy Name which is you create at step1>

] ip https enable

] save force

] exit

Wednesday, April 17, 2024

Install certificates on Symantec Messaging Gateway (SMG)

Error: No stored certificate request matches this certificate.

Manage certificates for your system. The TLS certificate is used by MTAs in each Scanner appliance; the Control Center uses the HTTPS certificate for secure Web management; Domain keys are used for DomainKeys Identified Mail (DKIM) signing of outbound mail.

  Solution: SMG will not install a certificate without either:

the private key included in the PEM file
a CSR that already exists in the SMG

  Reference:   https://knowledge.broadcom.com/external/article?legacyId=TECH154806

  https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?GroupId=4093&MessageKey=e3c1d68d-6d91-4677-a3ee-f2f4c27a1e5b&CommunityKey=bba1e9dc-0c56-4fb5-9e3d-ef7f0d79b7ee

Tuesday, April 16, 2024

Free TI feed - rules.emergingthreats.net

The bad IP from emergingthreats:

https://rules.emergingthreats.net/blockrules/compromised-ips.txt

Oracle JRE and JDK replacement

Azul Zulu OpenJDK 11 is a good choice.
If your computer does not have any existing Java SE installed, it is suggested that you can download and install Azul Zulu OpenJDK 11 from the Zulu Community 
Java 8, 11, 17, 21, 22 Download for Linux, Windows and macOS (azul.com)

The 2 amber lights followed by 4 white lights on a DELL Latitude Laptop

1. Reseat the Original Memory: If applicable to your model, reseat the original memory module in the system. Sometimes, reseating the RAM can resolve the issue.

2. Check for Damaged RAM: If reseating the RAM doesn't work, consider checking for any visible damage to the RAM sticks. If they appear damaged, you may need to replace them.

3. Firmware Updates: Ensure that your system's firmware (BIOS) is up to date. Sometimes, updating the firmware can resolve hardware-related issues.

https://www.dell.com/community/en/conversations/latitude/latitude-7480-2-amber-lights-4-white-lights/647f7c0bf4ccf8a8dea5acf2

Wednesday, April 10, 2024

Fortinet SSL VPN - SSL Certificate expired and you need to bypass tempoarilty

Configure SSL VPN to Not Require Certificates

Go to VPN > SSL > Settings > and un-check Require Client Certificate.

Thursday, April 4, 2024

Broadcom SMG - Upgrade to SGOS and Advanced Secure Gateway 7.3.19.1

Upgrade to SGOS and Advanced Secure Gateway 7.3.19.1

Support Content Notification - Support Portal - Broadcom support portal

Due to there are bug - https://knowledge.broadcom.com/external/article/280948/edge-swg-proxysg-appliance-stalls-or-onl.html Upgrade to a version of SGOS that has a fix for this issue. The first releases to have the fix is 7.3.14.5 and 7.3.19.1 and later.

Tuesday, April 2, 2024

Use Symantec Endpoint Protection to run the YARA rules to scan Linux servers for CVE-2024-3094

Use SEP to run the YARA rules to scan Linux servers for CVE-2024-3094

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/preventing-and-handling-virus-and-spyware-attacks-v40739565-d49e172/scanning-the-SEP-client-computer-using-custom-YARA-rules.html

Yara rule for CVE-2024-3094

https://github.com/Neo23x0/signature-base/blob/master/yara/bkdr_xz_util_cve_2024_3094.yar