www.tufin.club
SegmentSmack vulnerability in TufinOS
- Category: TufinOS
TufinOS is based on Linux. A flaw called SegmentSmack has been found in the Linux kernel: because of the way it handles specially crafted TCP packets, a Denial-of-Service (DoS) can be triggered remotely. To maintain the DoS condition, continuous two-way TCP sessions to a reachable port are required.
So if your device running TufinOS isn't reachable from untrusted sources or is protected by a firewall, the risk of a DoS isn't too high. Still, the upgrade should be installed when available.
Tufin points out that all versions of TufinOS are affected (TufinOS 1.8 - 1.23 as well as TufinOS 2.0 - 2.16).
Update 30.08.2018: A patch is integrated in TufinOS 2.17, which is available now for download.
If you are still using TufinOS 1.x, please upgrade, since this version isn't supported any more by Tufin.
XXE Vulnerability in SecureTrack
- Category: SecureTrack
Tufin points out that a vulnerability has been found in Tufin SecureTrack.
It's an XXE (XML External Entity) vulnerability, described in OWASP Top 10-2017 A4-XML External Entities (XXE), which allows attackers to exploit vulnerable XML processors: they can upload XML or include hostile content in an XML document.
Tufin has provided a first fix to address this issue. For these versions the fix will be available and included, respectively:
TOS 18-1 HF 3 - scheduled to be published on September 5th, 2018
TOS 18-2 GA - Fix will be included in GA scheduled for release on August 22nd, 2018
Due to Tufin's policy regarding earlier versions, no fix will be published for them. So if you use an older version, please upgrade to a supported version.
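As an added illustration of the hardening an XML consumer needs against this class of bug (example code written for this post, not Tufin's code; the sample documents are constructed and the file path is a placeholder), this Python function refuses any DOCTYPE, entity declaration or external entity reference before expat can resolve it:

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source and return a list of (tag, attributes).

    Rather than trying to sanitise DTDs, any DOCTYPE, entity declaration or
    external entity reference aborts the parse before expat can resolve
    anything, which is the usual XXE hardening for an XML consumer.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected")

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        raise DtdNotAllowed(f"entity declaration {name!r} rejected")

    def forbid_external(context, base, system_id, public_id):
        raise DtdNotAllowed(f"external entity {system_id!r} rejected")

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = lambda tag, attrs: elements.append((tag, attrs))
    parser.Parse(data, True)
    return elements


def rejects_dtd(data):
    """True if the hardened parser refuses the document, False if it parses."""
    try:
        parse_untrusted_xml(data)
    except DtdNotAllowed:
        return True
    return False


# Constructed sample input: a harmless document and one that declares an
# external entity pointing at a local file (placeholder path, not a real target).
BENIGN_XML = b'<report id="1"><host name="fw01">ok</host></report>'
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///placeholder/secret">]>'
           b'<report id="1"><host name="fw01">&ext;</host></report>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    print("hostile document rejected:", rejects_dtd(XXE_XML))
```

The same pattern applies to any parser that exposes DTD callbacks; where it doesn't, rejecting the document as soon as a DOCTYPE appears is the safer default.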
Access Request with NAT
- Category: SecureChange
Sometimes the question arises whether Access Requests can also consider NAT rules.
Option 1:
End users opening an Access Request ticket are mostly not interested in whether NAT is necessary for their request or not. In most cases they won't even know if NAT is necessary. So in this case the question of whether NAT should be considered in the ticket is not that important.
Option 2:
An administrator knows that NAT is needed and tries to configure it in the ticket. This is possible:
Opening the object browser allows you to provide both IP addresses and NAT addresses.
This results in a specific entry for Destination.
So everything seems ok, BUT the following needs to be considered:
- Risk Analysis doesn't use NAT information
- Designer doesn't use NAT information
- Verifier doesn't use NAT information
Due to these facts, it's not really recommended to use NAT in Access Request tickets.
AERAsec is Tufin Service Delivery Partner
- Category: Admin Management
AERAsec is proud to announce that we are one of the first three Tufin Service Delivery Partners (SDP) worldwide and currently the only one in Central Europe.
Tufin has announced that a new partner program was launched in June 2018. The Service Delivery Partner Program enables partners to be more service-ready.
AERAsec has wide experience from many projects helping customers get value from the Tufin Orchestration Suite. The close cooperation with Tufin Technologies will be continued in an even more intense way, so customers will get additional value not only from experience, but also from a closer cooperation between AERAsec and Tufin. Customers purchasing Tufin products from AERAsec will have an additional advantage because of special conditions regarding these services.
Please contact us by email if you want to know more about AERAsec delivering Tufin products and services.
Another vulnerability in TufinOS
- Category: TufinOS
In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a new vulnerability has been found.
An industry-wide issue has been found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
See more details here: Speculative Store Bypass and Rogue System Register Read.
This issue will be addressed in TufinOS 2.17 and not by a patch for 2.16, because the attack vector is local and the attack complexity is high. The second flaw is rated with a low base score.
So both issues are addressed in TufinOS 2.17. This version is planned for August 2018.
The release of this version will be published by Tufin, and here in this blog.
Vulnerability in TufinOS
- Category: TufinOS
In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a command injection flaw has been found in the NetworkManager integration script included in the DHCP client packages.
It allows an attacker who can spoof the responses of a DHCP server to execute arbitrary commands with root privileges on vulnerable systems that use NetworkManager and are configured to obtain their network configuration via DHCP.
Further information can be found at Red Hat under CVE-2018-1111 as well as at Tufin.
Since TufinOS 1.x isn't supported any more, no fix will be published for it.
In TufinOS 2.x this issue is addressed in TufinOS 2.16. Since this is now the current version, the upgrade should be done even if no DHCP client packages are used.
Please be aware that when using TOS in an HA configuration, starting with TufinOS 2.16 the upgrade can be done in an easier way than before.