CVE-2020-5902: Helping to protect against the F5 TMUI RCE vulnerability

Cloudflare has deployed a new managed rule protecting customers against a remote code execution vulnerability that has been found in F5 BIG-IP’s web-based Traffic Management User Interface (TMUI). Any customer who has access to the Cloudflare Web Application Firewall (WAF) is automatically protected by the new rule (100315) that has a default action of BLOCK.

Initial testing on our network has shown that attackers started probing and trying to exploit this vulnerability starting on July 3.

F5 has published detailed instructions on how to patch affected devices, how to detect if attempts have been made to exploit the vulnerability on a device and instructions on how to add a custom mitigation. If you have an F5 device, read their detailed mitigations before reading the rest of this blog post.

The most popular probe URL appears to be /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp followed by /tmui/login.jsp/..;/tmui/util/getTabSet.jsp, /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp and /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp. All contain the critical pattern ..; which is at the heart of the vulnerability.

On July 3 we saw O(1k) probes ramping to O(1m) yesterday. This is because simple test patterns have been added to scanning tools and small test programs made available by Continue reading

NSX Secures Physical Servers with Bare Metal Agents

Our last blog on how NSX secures physical servers provided background on why physical server security is crucial. We cover the percentage share of physical servers to all workloads in the data center and the specific roles physical servers still play. Today, physical servers by percentage are playing a decreasing role in the data center. However, it’s still a vital one, as we pointed out in our last blog on Securing Physical Servers with NSX Service-defined Firewall. In this blog, we will cover a primary way VMware NSX provides secure connectivity for physical servers using a bare metal agent. VMware NSX-T can now offer secure connectivity for Linux and Windows Server physical servers.

How NSX Distributed Firewall Protects Physical Servers

There are several ways in which NSX can provide security for physical servers. Our original article, Extending the Power of NSX to Bare Metal, outlines each of these methods.

• NSX Distributed Firewall (DFW) ingress rules for traffic from physical servers to virtual workloads
• NSX DFW egress rules for traffic from virtual workloads to physical servers
• The NSX Edge using centralized firewall rules to secure traffic between virtual and physical workloads
• Use NSX agents in Physical Servers

VMware NSX Continue reading

The Hedge Podcast Episode 42: Andrei Robachevsky and MANRS

The security of the global routing table is foundational to the security of the overall Internet as an ecosystem—if routing cannot be trusted, then everything that relies on routing is suspect, as well. Mutually Agreed Norms for Routing Security (MANRS) is a project of the Internet Society designed to draw network operators of all kinds into thinking about, and doing something about, the security of the global routing table by using common-sense filtering and observation. Andrei Robachevsky joins Russ White and Tom Ammon to talk about MANRS.

More information about MANRS can be found on the project web site, including how to join and how to support global routing security.

download

How to test HTTP/3 and QUIC with Firefox Nightly

HTTP/3 is the third major version of the Hypertext Transfer Protocol, which takes the bold step of moving away from TCP to the new transport protocol QUIC in order to provide performance and security improvements.

During Cloudflare's Birthday Week 2019, we were delighted to announce that we had enabled QUIC and HTTP/3 support on the Cloudflare edge network. This was joined by support from Google Chrome and Mozilla Firefox, two of the leading browser vendors and partners in our effort to make the web faster and more reliable for all. A big part of developing new standards is interoperability, which typically means different people analysing, implementing and testing a written specification in order to prove that it is precise, unambiguous, and actually implementable.

At the time of our announcement, Chrome Canary had experimental HTTP/3 support and we were eagerly awaiting a release of Firefox Nightly. Now that Firefox supports HTTP/3 we thought we'd share some instructions to help you enable and test it yourselves.

How do I enable HTTP/3 for my domain?

Simply go to the Cloudflare dashboard and flip the switch from the "Network" tab manually:

Using Firefox Nightly as an HTTP/3 client

Firefox Nightly has experimental support for Continue reading

Cryptojackers Target Docker Containers for Monero Mining

Palo Alto Networks and Aqua Security researchers say cryptojackers are inserting malicious images...

Read More »

Huawei Cops To Lack of US Ambition

“We don’t necessarily have any ambition in the U.S. market just because this is such a...

Read More »

VMware Tanzu Mission Control Gains Data Protection

The feature allows for central management of data protection of Kubernetes clusters running across...

Read More »

VMware NSX-T Service Insertion and Gigamon GigaVUE Cloud Suite

We are delighted that our valued partner, Gigamon, and it’s GigaVUE Cloud Suite has met the certification requirements for VMware NSX-T  service insertion. 

Service Insertion for NSX-T

The concept of service insertion is key for the NSX platform, enabling users to seamlessly add third party applications at various points throughout the network. Having a robust ecosystem of partners provides maximum flexibility for NSX-T, allowing customers to add partner functionality, tailored to their unique requirements without degrading performance elsewhere in the software-defined data center (SDDC). Partner applications are put through a rigorous certification process ensuring the highest level of interoperability and reliability.

With the certification, GigaVUE Cloud Suite is now interoperable with VMware’s NSX-T and vCenter Server through APIs for improved agility and reduced manual management tasks. Gigamon customers now have comprehensive application visibility across complex hybrid environments, including east-west traffic, at scale.

Learn more

Please join the VMware and Gigamon teams at a joint webinar, Illuminate Applications in VMware-based Clouds to Secure and Optimize, on June 30, 10 am PDT. Learn about NSX service insertion, Gigamon GigaVue, and the advantages and a demo of Gigamon next-generation network visibility solutions.

The post VMware NSX-T Service Insertion and Gigamon GigaVUE Continue reading

Research: Off-Path TCP Attacks

I’s fnny, bt yu cn prbbly rd ths evn thgh evry wrd s mssng t lst ne lttr. This is because every effective language—or rather every communication system—carried enough information to reconstruct the original meaning even when bits are dropped. Over-the-wire protocols, like TCP, are no different—the protocol must carry enough information about the conversation (flow data) and the data being carried (metadata) to understand when something is wrong and error out or ask for a retransmission. These things, however, are a form of data exhaust; much like you can infer the tone, direction, and sometimes even the content of conversation just by watching the expressions, actions, and occasional word spoken by one of the participants, you can sometimes infer a lot about a conversation between two applications by looking at the amount and timing of data crossing the wire.

The paper under review today, Off-Path TCP Exploit, uses cleverly designed streams of packets and observations about the timing of packets in a TCP stream to construct an off-path TCP injection attack on wireless networks. Understanding the attack requires understanding the interaction between the collision avoidance used in wireless systems and TCP’s reaction to packets with a sequence number outside Continue reading

Worth Reading: When Security Takes a Backseat to Productivity

Brian Krebs wrote an interesting analysis of CIA’s Wikileaks report. In a nutshell, they were a victim of “move fast to get the mission done” shadow IT.

It could have been worse. Someone with a credit card could have started deploying stuff in AWS ;))

Not that anyone would learn anything from the PR nightmare that followed.

Infinera, Windstream Claim 800G Milestone

Infinera says it has achieved 800 Gb/s line rates over a 730-kilometer from San Deigo to Pheonix on...

Read More »

Verizon Teases Forthcoming DSS Launch for Nationwide 5G

Verizon’s market position on 5G is heavily dependent on its ability to use dynamic spectrum...

Read More »

Weekly Wrap: Hackers Cryptojack Microsoft Azure ML Clusters

SDxCentral Weekly Wrap for June 19, 2020: The Azure attack targets Kubeflow; Cisco SD-WAN update...

Read More »

5G-Boost: 5G from today for over 16 million people in Germany

BERLIN — June 17, 2020 — As of today, over 16 million people in Germany can use the Telekom...

Read More »

Daily Roundup: Verizon Taps Cisco

Verizon tapped Cisco for a NFV services push; HPE's Neri contracted COVID-19; and Cisco updated its...

Read More »

AT&T Clarifies Timeline for Nationwide 5G, SDN Control

The operator’s network guru clarified that AT&T will have a nationwide 5G network running on...

Read More »

Cisco Pushes Full Stack Visibility Vision

"We have to realize that the metric by which IT will be measured is probably going to shift toward...

Read More »

Verizon Taps Cisco for NFV Services Push

The partnership enables Verizon to address Cisco-specific customer needs and provide an ecosystem...

Read More »

Broadcom Unveils Industry-Leading Planning, Development and Operational Intelligence Solutions Powered by Automation.ai

Broadcom today announced solutions to accelerate decision making across multiple business and...

Read More »

Daily Roundup: AT&T Slashes Jobs

AT&T and T-Mobile US are set to slash thousands of jobs; VMware sparked a SASE Debate; and...

Read More »