Wednesday, November 22, 2017

Tag: TCPDump

Details

Updated openvswitch packages that bring in numerous enhancements and bug fixes are now available for Red Hat Enterprise Linux 7 Fast Datapath. This updates openvswitch to the current LTS version 2.5.0, which includes important new features such as connection tracking and numerous bug fixes.

Also included is support for DPDK ports.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Updated packages

Red Hat Virtualization (v.4 for RHEL 7)

SRPMS:
openvswitch-2.5.0-14.git20160727.el7fdp.src.rpm
  MD5: 5915c8e0767bf2084fc7dee65fdc240d
  SHA-256: d9b7da95b34adb3d066937ee8b5862d19991b49bdaefff5103404073d6d65223

x86_64:
openvswitch-2.5.0-14.git20160727.el7fdp.x86_64.rpm
  MD5: ec29df2258653e6512ed19d9ae2ef8ea
  SHA-256: 37edbc279682f5bdf2bc97c7b54e1a0345a3485ce3a10a91d8174558b20b88e8
python-openvswitch-2.5.0-14.git20160727.el7fdp.noarch.rpm
  MD5: 18544da928023564801d95a587fd3b73
  SHA-256: 01e0a2686b41c04c9e1055cf45bea1fc22bc8586e8506feaf217ed44325b0b7c

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)
1335560 - [RFE] Add tcpdump capabilities for low traffic rate
1381381 - [FD production] Update FD production channel to OVS 2.5 from FD beta with RHEL 7.3 GA

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/
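Before installing the packages above, the SHA-256 values in the advisory should be checked against what was actually downloaded; the extraction on this page fused the MD5 and SHA-256 fields, which is exactly the form a copy-pasted advisory tends to arrive in. The following is an added example, not Red Hat tooling: it parses entries in that fused layout into a manifest and verifies files in a local directory against the SHA-256 value (the MD5 is parsed but not relied on, since MD5 is not collision resistant). The directory path is an assumption for the demo.

```python
"""Verify downloaded RPMs against the checksums listed in an advisory.

Added example (not Red Hat's tooling). Parses advisory lines of the form
"<package>  MD5: <hex>SHA-256: <hex>" as they appear on this page, then
checks files in a local directory against the SHA-256 value. MD5 is parsed
but ignored for the decision because it is not collision resistant.
"""
import hashlib
import os
import re
from typing import Dict, List, Tuple

# One package entry; tolerates the fused "MD5: ...SHA-256: ..." layout.
ENTRY_RE = re.compile(
    r"(?P<name>\S+\.rpm)\s+MD5:\s*(?P<md5>[0-9a-f]{32})\s*SHA-256:\s*(?P<sha256>[0-9a-f]{64})",
    re.IGNORECASE,
)


def parse_manifest(text: str) -> List[Tuple[str, str, str]]:
    """Return (filename, md5, sha256) tuples for every entry found in text."""
    return [(m.group("name"), m.group("md5").lower(), m.group("sha256").lower())
            for m in ENTRY_RE.finditer(text)]


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large RPMs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(text: str, directory: str) -> Dict[str, str]:
    """Map each listed filename to 'ok', 'mismatch' or 'missing'."""
    results: Dict[str, str] = {}
    for name, _md5, expected in parse_manifest(text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


# The three entries from the advisory above, pasted with the same fused layout.
ADVISORY_TEXT = """
openvswitch-2.5.0-14.git20160727.el7fdp.src.rpm     MD5: 5915c8e0767bf2084fc7dee65fdc240dSHA-256: d9b7da95b34adb3d066937ee8b5862d19991b49bdaefff5103404073d6d65223
openvswitch-2.5.0-14.git20160727.el7fdp.x86_64.rpm     MD5: ec29df2258653e6512ed19d9ae2ef8eaSHA-256: 37edbc279682f5bdf2bc97c7b54e1a0345a3485ce3a10a91d8174558b20b88e8
python-openvswitch-2.5.0-14.git20160727.el7fdp.noarch.rpm     MD5: 18544da928023564801d95a587fd3b73SHA-256: 01e0a2686b41c04c9e1055cf45bea1fc22bc8586e8506feaf217ed44325b0b7c
"""

if __name__ == "__main__":
    # "." is an assumed download directory; point it at wherever the RPMs are.
    for name, status in verify_manifest(ADVISORY_TEXT, ".").items():
        print(f"{status:9} {name}")
```

A checksum match only proves the file is the one the advisory describes; the GPG signature is what ties it to Red Hat. After importing the key from the URL above, `rpm --checksig <file>` reports the signature status, and a file that passes the hash check but fails the signature check should not be installed.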
Fortinet FortiWAN load balancer appliance contains multiple vulnerabilities

Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016

Overview

The Fortinet FortiWAN (Ascernlink) network load balancer appliance contains multiple vulnerabilities.

Description

According to the reporter, the Fortinet FortiWAN network load balancer appliance contains the following vulnerabilities. As of publication, CERT/CC has not been able to verify this information with Fortinet.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2016-4965
The diagnosis_control.php page is vulnerable to command injection via the "graph" GET parameter. A non-administrative authenticated attacker with access to the nslookup functionality can inject arbitrary operating system commands and execute them in the context of the root user.

CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-4966
The diagnosis_control.php page has a tcpdump function that can capture FortiWAN data packets and download the captured packets to the local host for analysis and debugging. A non-administrative authenticated attacker can change the HTTP GET parameter "UserName" to "Administrator" to download a PCAP file of all packets captured by the FortiWAN device since the tcpdump function was activated.

CWE-200: Information Exposure - CVE-2016-4967
An authenticated but low-privileged user may obtain a backup of the device configuration by visiting the URL /script/cfg_show.php of the FortiWAN appliance, or a PCAP of tcpdump data by visiting /script/system/tcpdump.php.

CWE-200: Information Exposure - CVE-2016-4968
An authenticated but low-privileged user may perform a GET request to the /linkreport/tmp/admin_global page of the FortiWAN appliance and obtain the administrator login cookie.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2016-4969
The IP parameter of /script/statistics/getconn.php is vulnerable to cross-site scripting.

The CVSS score below is based on CVE-2016-4965.

Impact

An authenticated but low-privileged (non-administrator) account may be able to execute OS commands in the root context, capture network traffic passing through the FortiWAN device, obtain the appliance system configuration, or conduct cross-site scripting attacks against administrator users.

Solution

Apply an update. Fortinet has released FortiWAN 4.2.5, which addresses CVE-2016-4966 in the changelog. Affected users are encouraged to update as soon as possible. It is currently unclear if the remaining vulnerabilities in this Vulnerability Note were also addressed in this release.

Vendor Information

Vendor: Fortinet, Inc. | Status: Affected | Date Notified: 14 Jul 2016 | Date Updated: 06 Sep 2016

CVSS Metrics

Group | Score | Vector
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal | 8.0 | E:POC/RL:U/RC:UR
Environmental | 6.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Virgoteam (Fan-Syun Shih, Kun-Xian Lin, Yu-Chi, and Ding) for reporting these vulnerabilities. This document was written by Garret Wassermann.
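CVE-2016-4965 above is the classic shape of OS command injection: a diagnostic page hands a request parameter to a system utility (nslookup) through a shell, so shell metacharacters in the parameter become extra commands, and because the page runs as root they run as root. The following is an added example, not FortiWAN code and written in Python rather than the appliance's PHP: a lookup handler with the vulnerable pattern next to a hardened one that allow-lists the value as a hostname and passes it as a single argv element with no shell. To run offline the demo substitutes `echo` for nslookup; the tool name is a parameter so the same two functions apply to the real command. The payload string is constructed for the demo.

```python
"""Command injection through a lookup parameter: vulnerable vs hardened.

Added example, not FortiWAN code. It models the pattern CVE-2016-4965
describes (a diagnostic page passing a GET parameter into an OS command)
in Python. The demo uses "echo" in place of nslookup so it runs offline.
"""
import re
import subprocess

# RFC 1123 hostname label: alphanumerics and hyphen, 1-63 chars,
# no leading or trailing hyphen. Nothing else (no ';', '|', '$', spaces).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def lookup_vulnerable(target: str, tool: str = "nslookup") -> str:
    """String concatenation plus shell=True: metacharacters in target run as commands."""
    cmd = f"{tool} {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_hostname(target: str) -> str:
    """Allow-list: accept only something that is syntactically a hostname."""
    if len(target) > 253 or not HOSTNAME_RE.match(target):
        raise ValueError(f"rejected lookup target: {target!r}")
    return target


def lookup_hardened(target: str, tool: str = "nslookup") -> str:
    """Validate first, then exec the tool directly with target as one argv element.

    With shell=False there is no shell to interpret ';' or '|', so even a
    value that slipped past validation would reach the tool as a literal
    argument rather than as a second command.
    """
    host = validate_hostname(target)
    return subprocess.run([tool, host], shell=False, capture_output=True, text=True).stdout


def injection_succeeded(output: str, marker: str = "INJECTED") -> bool:
    """True if the injected command's marker shows up in the captured output."""
    return marker in output


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"   # constructed attacker input
    print("vulnerable:", lookup_vulnerable(payload, tool="echo").strip())
    try:
        lookup_hardened(payload, tool="echo")
    except ValueError as e:
        print("hardened:", e)
    print("hardened, clean input:", lookup_hardened("example.com", tool="echo").strip())
```

The allow-list is the real fix; the no-shell argv form is defence in depth. Escaping with `shlex.quote` alone is weaker, because the value still reaches a shell and any later refactor that drops the quoting reopens the hole.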
Pwnable any way you like

It could be the worst router in the world: a cheapie from China that IOActive reckons is completely pwnable all ways from Sunday. Bought by a travelling staffer, Tao Sauvage, the BHU Wi-Fi router looks almost indistinguishable from a surveillance box.

As Sauvage writes: "An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges."

Bad? Wait, there's more: there are hidden users, default SSH with a hard-coded root password, and the box "injects a third-party JavaScript file into all users' HTTP traffic".

To get that far, Sauvage extracted the firmware over the UART and accessed the Linux shell to read the file system. That's where the fun started.

The CGI script running everything reveals the session ID of the admin cookie, for an easy admin hijack, but why bother? The router includes a hard-coded SID, 700000000000000: if an attacker presents that to the router, they get access to "all authenticated features". Presenting that SID revealed the hidden user, dms:3. And even better, after a bit more work: "whatever SID cookie value you provide, the router will accept it as proof that you're an authenticated user".

Goodness. It couldn't get worse, but it does: commands like traceroute run with root privilege, making escalation a snap, because attackers can run OS commands without authentication. "At this point, we can do anything:
- Eavesdrop the traffic on the router using tcpdump
- Modify the configuration to redirect traffic wherever we want
- Insert a persistent backdoor
- Brick the device by removing critical files on the router."

The SSH config combines with the root user password, reset to the default value at each reboot in case a sysadmin tried to change it, to give any outsider access to the device. Not to mention the JavaScript injector, and as a final treat, a kernel module called dns-intercept.ko that Sauvage promises to look at in more detail in the future.
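The three session-handling failures the article reports (a hard-coded SID that grants admin, any SID value accepted as proof of login, and the admin SID readable from the CGI) all come down to the router never checking a cookie against anything it issued. The following is an added example, not the router's CGI code: a validator that reproduces the first two behaviours in Python so they can be tested, beside a server-side session store that only honours SIDs it generated, with a random 256-bit identifier and an expiry. The function and class names, the store, and the 900-second lifetime are assumptions for the demo; the SID 700000000000000 is the value reported in the article.

```python
"""Session-cookie validation: the reported BHU failure modes beside a fix.

Added example; not the router's code. The "vulnerable" validator mirrors
what the article describes (hard-coded SID accepted, any SID accepted).
The "hardened" store issues random SIDs, keeps them server-side, and
rejects anything it did not issue or that has expired.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

HARDCODED_SID = "700000000000000"   # value reported in the article


def is_authenticated_vulnerable(sid_cookie: str) -> bool:
    """Mirrors the reported behaviour: the hard-coded SID, and any non-empty SID, passes."""
    if sid_cookie == HARDCODED_SID:
        return True
    return bool(sid_cookie)   # mere presence of a cookie is treated as proof of login


def _key(sid: str) -> str:
    # Sessions are keyed by SHA-256 of the SID: the dict lookup never compares
    # attacker-controlled bytes against the real SID, and a dump of the store
    # does not hand out usable cookies.
    return hashlib.sha256(sid.encode("utf-8")).hexdigest()


class SessionStore:
    """Server-side sessions: only SIDs this store issued are valid."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions: Dict[str, Tuple[str, float]] = {}   # key -> (username, expiry)
        self._ttl = ttl_seconds

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a session after a successful login and return the cookie value."""
        if now is None:
            now = time.time()
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        self._sessions[_key(sid)] = (username, now + self._ttl)
        return sid

    def lookup(self, sid_cookie: Optional[str], now: Optional[float] = None) -> Optional[str]:
        """Return the username for a valid, unexpired SID, else None."""
        if not sid_cookie:
            return None
        if now is None:
            now = time.time()
        entry = self._sessions.get(_key(sid_cookie))
        if entry is None:
            return None
        user, expiry = entry
        if now > expiry:
            del self._sessions[_key(sid_cookie)]   # purge so it cannot be replayed later
            return None
        return user

    def revoke(self, sid_cookie: str) -> None:
        self._sessions.pop(_key(sid_cookie), None)


def is_authenticated_hardened(store: SessionStore, sid_cookie: Optional[str],
                              now: Optional[float] = None) -> bool:
    return store.lookup(sid_cookie, now) is not None


if __name__ == "__main__":
    store = SessionStore()
    for cookie in (HARDCODED_SID, "anything-at-all"):
        print(f"{cookie!r}: vulnerable={is_authenticated_vulnerable(cookie)} "
              f"hardened={is_authenticated_hardened(store, cookie)}")
    sid = store.issue("admin")
    print("issued SID accepted:", is_authenticated_hardened(store, sid))
```

Unguessable SIDs are only half of the fix: the article also notes the CGI discloses the admin SID, and a disclosed random SID hijacks the session just as well as a hard-coded one. The store's `revoke` plus a short TTL bounds that window; the disclosure itself has to be closed in the CGI.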
The Linux Foundation's new online Linux security training program will cover a broad range of topics, from application security to network security.

The course is geared toward professionals who are already running Linux systems. IT security threats seem to be everywhere, but skilled IT security professionals do not seem to be nearly as pervasive.
It's a conundrum that the Linux Foundation wants to help alleviate with the introduction of a new online Linux skills training program. The online course, called Linux Security Fundamentals (LFS216), is an attempt to help individuals evaluate their own organizations' security readiness.

The course is not intended as an introduction for those who are new to Linux, but rather is targeted at those already running Linux systems. "Of course, security is not an entry-level topic; it's more important for folks who've already started their career," Clyde Seepersad, general manager, training and certification at the Linux Foundation, told eWEEK. "The prerequisite for this course really is that the person is actually in a job where this matters."

The LFS216 course covers threats and risk assessment, auditing and detection, application security, kernel vulnerabilities, local system security, network security, denial-of-service attacks, as well as firewalling and packet filtering. This is not the first time the Linux Foundation has offered security training. The Linux Foundation also has a course designated LFS416 that is about Linux security.

Seepersad explained that the content is essentially the same for both LFS216 and LFS416, with the difference being the course format. LFS216 is a self-paced online course that an individual can take in their own time from anywhere. In contrast, LFS416 is a four-day instructor-led course that an individual has to attend in person or watch via webcam at specific times.

"The logistical and personnel costs of the instructor-led course [$2,500] put it at a much higher price point," compared with $199 for the online class, Seepersad said. "We have heard anecdotally from many sysadmins that they don't want to point out to their employer that they need to learn more about security, so the lower price point makes this feasible [for them to pay the $199 out of pocket] without corporate training dollars."

On completion of LFS216, students receive verification that they finished the course and a certificate of completion. Seepersad noted that while the Linux Foundation does not offer a security-specific certification, this course can help with some questions on the Linux Foundation Certified Sysadmin and Engineer exams.

The Linux Foundation is using the 360Training platform to deliver the LFS216 course. The Linux Foundation also works with other online training platforms including edX, where it has a very popular Introduction to Linux Massive Open Online Course (MOOC) that was first offered in March 2014.

While Linux operating system security is a broad topic, the application security piece is complex. "Application security is a huge landscape, and the applications themselves have intricate permission and user policies," Lee Elston, the course instructor for LFS216, told eWEEK. "It would be unjust to try and cover them in a single class."

LFS216 does include application security as a topic in a way that can help students get a grasp of the key issues. "In LFS216, we look at the systemic changes and vulnerabilities that can affect the security of the system and the applications," Elston said. In the course, tools such as tcpdump and Wireshark are used to see the packets (both clear and encrypted) coming and going to systems, he said. As for the status of the systems and applications, tools such as OSSEC are used to audit the environment for changes.

Elston said that there is an opportunity for students to compile and test a kernel vulnerability (an old one) to see how kernel modules might be the source of an intrusion. "We demonstrate many conditions the systems may face with a heavy emphasis on lab exercises for maximum exposure to the tools," Elston said. "The primary technique for this class is experience, getting your fingers into the system and testing, seeing and fixing conditions that exist in the real world."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.