TufinOS is based on Linux, in which a flaw called SegmentSmack has been found. Because of the way specially crafted TCP packets are handled, a Denial-of-Service (DoS) can be triggered remotely. To maintain a DoS condition, continuous two-way TCP sessions to a reachable port are required.

So if your device running TufinOS isn't reachable from untrusted sources, or is protected by a firewall, the risk of a DoS isn't too high. An upgrade should still be installed when it becomes available.

Tufin points out that all versions of TufinOS are affected (TufinOS 1.8 - 1.23 as well as TufinOS 2.0 - 2.16).
Update 30.08.2018: A patch is integrated in TufinOS 2.17, which is now available for download.
If you are still using TufinOS 1.x, please upgrade, since this version is no longer supported by Tufin.

 

 

 

 

In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a new vulnerability has been found.

An industry-wide issue has been found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
See more details here: Speculative Store Bypass and Rogue System Register Read.

This issue will be addressed in TufinOS 2.17 and not by a patch for 2.16. The reasons are a local attack vector and a high attack complexity. The second flaw is rated with a low base score.

So these issues are addressed in TufinOS 2.17. This version is planned for August 2018.
The release of this version will be announced by Tufin and here in this blog.

 

 

 

In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a command injection flaw has been found in the NetworkManager integration script included in the DHCP Client packages.
It allows attackers who spoof the responses of a DHCP server to execute arbitrary commands with root privileges on vulnerable systems that use NetworkManager and are configured to obtain their network configuration via DHCP.
Further information can be found at Red Hat under CVE-2018-1111 as well as at Tufin.

Since TufinOS 1.x is no longer supported, no fix will be published for it.
In TufinOS 2.x this issue is addressed in TufinOS 2.16. Since this is now the current version, the upgrade should be done even if no DHCP client packages are used.

Please be aware that when using TOS in an HA configuration, starting with TufinOS 2.16 the upgrade can be done more easily than before.
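
To see which interfaces meet the "configured to obtain network configuration via DHCP" condition, the ifcfg files can be scanned. This is an added example, not Tufin's or Red Hat's tooling; it assumes the RHEL/CentOS ifcfg layout under /etc/sysconfig/network-scripts, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: list interfaces whose ifcfg file requests DHCP and does not
# opt out of NetworkManager. Assumes the RHEL/CentOS ifcfg-* key=value layout.

# ifcfg_value FILE KEY -> last assigned value of KEY, unquoted and lowercased.
ifcfg_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        tr -d "\"'" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]'
}

# dhcp_interfaces [DIR] -> one interface name per line.
dhcp_interfaces() {
    dir=${1:-/etc/sysconfig/network-scripts}
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # Skip editor and RPM backup copies of ifcfg files.
        case "$f" in *.bak|*.orig|*.rpmsave|*.rpmnew|*~) continue ;; esac
        [ "$(ifcfg_value "$f" BOOTPROTO)" = "dhcp" ] || continue
        # NM_CONTROLLED defaults to yes when the key is absent.
        [ "$(ifcfg_value "$f" NM_CONTROLLED)" = "no" ] && continue
        echo "${f##*/ifcfg-}"
    done
}

# Constructed sample files, for illustration only.
make_sample() {
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$1/ifcfg-eth0"
    printf 'DEVICE=eth1\nBOOTPROTO="static"\nIPADDR=192.0.2.10\n' > "$1/ifcfg-eth1"
    printf 'DEVICE=eth2\nBOOTPROTO=DHCP\nNM_CONTROLLED=no\n' > "$1/ifcfg-eth2"
    printf 'DEVICE=eth3\nBOOTPROTO="dhcp"\nNM_CONTROLLED="yes"\n' > "$1/ifcfg-eth3"
}

sample=$(mktemp -d)
make_sample "$sample"
dhcp_interfaces "$sample"    # prints eth0 and eth3
rm -rf "$sample"
```

Called without an argument, `dhcp_interfaces` reads the live directory. An empty result only describes the configuration files and does not replace the upgrade to TufinOS 2.16.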

 

 

 

As many administrators know, there is a Suite Administration option when configuring TOS using tos conf. Activating this option makes it possible to monitor the system.

If (3) is selected and Suite Administration is therefore activated, it needs to be configured. This is done with the command

[root@TufinOS]# configure_os_monitoring

A menu opens in which the necessary options can be configured:

 

  • Recipient Settings

    Configure the recipients who will get an e-mail when Suite Administration sends an alert.
    1. Show defined recipients
    2. Add recipient
    3. Delete recipient
    4. Modify recipient

 

  • SMTP Settings

    This section configures the mail server used to send e-mail to the recipients in case of an alert. The authentication data the mail server needs for sending e-mail can be configured here as well.
    1. Server Name
    2. Server Port
    3. User Name
    4. User Password
    5. Sender Email
    6. Mail Sending Interval

 

  • SNMP Settings

    TufinOS will send SNMP traps when an alert condition occurs. If traps are wanted, the server, port etc. need to be configured in this section. Support for additional SNMP MIBs can be configured by adapting the file /etc/snmp/snmpd.conf and restarting snmpd.
    1. Manager IPv4 Address
    2. Manager Port
    3. Community Name
    4. Trap Sending Interval

 

  • Threshold Settings
       
    Configure thresholds here. Please be aware that the default for CPU usage is 10%, i.e. if there is a little load on the machine, an alert will be sent.
    The options for JMS Tunnel and Stunnel are needed only if the server is used in an HA deployment or the Central Server is in an environment using Distributed Architecture (DA).
    1. CPU Usage (default: 10%!)
    2. Memory Usage (default 70%)
    3. Disk Usage (default 70%)
    4. Service Settings
      1. Application Server   
      2. Cron
      3. Database
      4. JMS Tunnel
      5. Stunnel
      6. Syslog
      7. Web Server

 

So these options might allow tighter control and monitoring of TufinOS as well as of the services running on this machine.

 

 

 

 

 

For some time now, a lot of news has been published about Meltdown and Spectre. Exploiting these vulnerabilities might allow an unprivileged attacker to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. Further information about these vulnerabilities can be found e.g. here:

https://research.checkpoint.com/detection-meltdown-spectre-vulnerabilities-using-checkpoint-cpu-level-technology/
https://googleprojectzero.blogspot.de/2018/01/reading-privileged-memory-with-side.html
https://meltdownattack.com/

Tufin has published a Security Advisory regarding this topic.

These versions of TufinOS are affected by these vulnerabilities: TufinOS 1.8 - 1.23 as well as TufinOS 2.0 - 2.14.
Tufin has released TufinOS 2.15 which includes the corresponding patch. It's strongly recommended to update to this version.
Information about possible performance impacts can be found here.

Since TufinOS 1.x is based on CentOS 5, it's no longer supported, so no patch will be provided. Upgrading from TufinOS 1.x to TufinOS 2.15 is possible and strongly recommended.


PS: Please check the Release Notes to see which versions of TOS are compatible with TufinOS 2.15!
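
After upgrading for Meltdown/Spectre, or for the Speculative Store Bypass issue described earlier on this page, the kernel's own mitigation report can be checked. This is an added example, not Tufin's tooling; it assumes the running kernel exposes /sys/devices/system/cpu/vulnerabilities (older kernels may not), and the sample status strings are constructed.

```shell
#!/bin/sh
# Added example: summarise the kernel's sysfs report on speculative-execution
# flaws. Each file there starts with "Not affected", "Mitigation: ..." or
# "Vulnerable...".

# cpu_vuln_report [DIR] -> one "name: state (raw status)" line per entry.
# Returns 1 if any entry is vulnerable, 2 if the directory is missing.
cpu_vuln_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "no vulnerability reporting in $dir"; return 2; }
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        case "$status" in
            "Not affected"*) state=ok ;;
            Mitigation*)     state=mitigated ;;
            Vulnerable*)     state=VULNERABLE; found=1 ;;
            *)               state=unknown ;;
        esac
        printf '%s: %s (%s)\n' "${f##*/}" "$state" "$status"
    done
    return $found
}

# Constructed sample directory, for illustration only.
make_cpu_sample() {
    printf 'Mitigation: PTI\n'            > "$1/meltdown"
    printf 'Mitigation: Load fences\n'    > "$1/spectre_v1"
    printf 'Vulnerable: no retpoline\n'   > "$1/spectre_v2"
    printf 'Vulnerable\n'                 > "$1/spec_store_bypass"
}

sample=$(mktemp -d)
make_cpu_sample "$sample"
cpu_vuln_report "$sample" || echo "kernel update or mitigation still required"
rm -rf "$sample"
```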

 

 

 

 

 

Tufin has published TufinOS 2.14. This version updates all RPMs to the latest releases based on CentOS 6.9.

As pointed out in the Tufin Portal, these are the new features and updates:

  • Patched Anaconda rpm 13.21.263
  • Updated RAID driver for ASR 8805/7805/71605 to version 1.2.1
  • Updated Adaptec ARCCONF Command Line Utility to version 2.03.22476
  • Updated PostgreSQL to version 9.4.11
  • Updated MongoDB to version 2.4.14
  • Updated stunnel rpm to version 5.40
  • Updated nss-util rpm to version 3.28.4-1.el6_9 to resolve CVE-2017-5461 vulnerability
  • Added sTunnel patch to apply new configuration
  • Added pam_passwdqc rpm

If you are using a Distributed Architecture, an upgrade of sTunnel might be necessary. Please consult the Tufin Portal for further information.