SOPHOS UTM 9.4 VMware on ESXi does not start after crash of ESX or Storage

File system inconsistency - cannot run fsck

  • The console hangs at "Press F2" with a white screen; you can't log on or ping the machine
  • You can't connect with SSH
  • You can't access the machine on port 4444
  • You DID NOT move the machine (COPY), NOR did you change anything with the NIC or MAC
  • You probably had a crash on the ESXi host, the storage or the disk system itself
  • You assume that Linux file systems are robust and think they can't crash (looks like not…)

If you try the Rescue boot option you should log on ONLY as root. However, you are a Windows user and always log on with admin and password through the web console on port 4444. I am absolutely sure there is documentation on this, and if you have set up and read the manual like Sophos wants you to > then you have that password.

Here is how to repair the file system with almost no TUX knowledge and without having the root password! (Kind of strange, but you need physical access or console access.) so…

Error

Reboot the UTM machine in the ESXi console

Press ESC

Type "e" on the keyboard once (nothing else)

Choose the option which looks like this (similar)

If you are in the ESXi console, append the following to the command which is displayed now (at the end of the existing command), just behind the *******silent

init=/bin/bash

If you are looking for the characters on a non-US keyboard:

On GERMAN or SWISS GERMAN layouts the = is right under F10 on non-US keyboard layouts! The "/" is on the numeric keypad.

PRESS "ENTER"

PRESS "b" to boot with the modified setting

When the system stops it will stay at the CLI now

Run the CLI command

"fsck /dev/sda6"

or wherever your corrupt file system is (it will show you in the errors, as in the sample below)

On every question it asks, answer "y"

Comment from a Windows Senior System Engineer > Nobody understands what it says. Not even the guy who coded it, we guess….

Reboot the system with CTRL-ALT-DEL from ESXi (Send command)

Here is how to reset Sophos passwords. We ONLY used steps 1-10 for the repair of the file system.

https://community.sophos.com/kb/en-us/115346#How%20to%20reset%20all%20passwords

KB4103727 RDP client/Server not patched workaround

CredSSP updates for CVE-2018-0886

If you currently can't log on via RDP and you have no timeline to patch both sides, there is a workaround.

Note that this reopens the exploit in RDP. There is also a GPO which you can use to set it centrally.

The workaround is a better solution than letting people update directly from Microsoft and bypass the internal patch structure like a WSUS server. In the end customers get patches which they SHOULD NOT get because some third-party software is incompatible.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2

https://blogs.technet.microsoft.com/askpfeplat/2018/05/07/credssp-rdp-and-raven/

https://support.microsoft.com/en-my/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Here is the flow in which Microsoft integrated this over several months. Now, if you or your server team did not install updates for three months, you currently end up in trouble and need the workaround mentioned above.

Updates

March 13, 2018

The initial March 13, 2018, release updates the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to "Force updated clients" or "Mitigated" on client and server computers as soon as possible. These changes will require a reboot of the affected systems.

Pay close attention to Group Policy or registry settings pairs that result in "Blocked" interactions between clients and servers in the compatibility table later in this article.

April 17, 2018

The Remote Desktop Client (RDP) update in KB 4093120 will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.

May 8, 2018

An update to change the default setting from Vulnerable to Mitigated.

Related Microsoft Knowledge Base numbers are listed in CVE-2018-0886.

By default, after this update is installed, patched clients cannot communicate with unpatched servers.
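To see where a host stands before and after the workaround above, here is an added Python example (not from this post or from Microsoft): it names the AllowEncryptionOracle value, reads it from the local registry on Windows, and works out which client/server pairs end up "Blocked". The blocking rules are my restatement of the compatibility table in Microsoft's KB 4093492; treat that article as the authority.

```python
# Added example, not from the original post or from Microsoft. Maps the
# AllowEncryptionOracle DWORD the post's `reg add` writes to its policy name,
# and works out which client/server pairs are "Blocked" per the compatibility
# table in Microsoft's KB 4093492 (rules below restated from that article).
import sys

REG_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
VALUE_NAME = "AllowEncryptionOracle"
POLICIES = {0: "Force updated clients", 1: "Mitigated", 2: "Vulnerable"}
UNPATCHED = "unpatched"  # host that never got the March 2018 CredSSP update


def policy_name(setting):
    """Policy name for a registry value, or 'Unpatched' for the sentinel."""
    if setting == UNPATCHED:
        return "Unpatched"
    return POLICIES.get(setting, f"Unknown ({setting})")


def rdp_allowed(client, server):
    """True if CredSSP (RDP) authentication succeeds for this client/server pair.

    A patched server on 'Force updated clients' rejects unpatched clients; a
    patched client on 'Force updated' or 'Mitigated' refuses an unpatched
    server. Every other pairing is allowed, including anything on 'Vulnerable'.
    """
    if server == UNPATCHED and client in (0, 1):
        return False
    if client == UNPATCHED and server == 0:
        return False
    return True


def read_local_setting():
    """Live value on this Windows host; None when the policy is not configured.

    An absent value is not the same as unpatched: a patched host without the
    value uses the update's default (Mitigated since the May 8, 2018 update).
    """
    if sys.platform != "win32":
        raise OSError("registry lookup only works on Windows")
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
            return int(winreg.QueryValueEx(key, VALUE_NAME)[0])
    except FileNotFoundError:
        return None


def audit(setting):
    """One-line verdict; the post's workaround (2) is flagged for later revert."""
    if setting == 2:
        return "Vulnerable: workaround active, CVE-2018-0886 exposure re-opened; revert once both sides are patched"
    return f"{policy_name(setting)}: ok"
```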

Windows 10 1709 > 1803: Bitlocker Migration solved direct in setup.exe

Good news concerning the migration from W10 1709 to 1803. The quiz question of migrating a client with BitLocker enabled has now been solved.

You can handle the options directly in setup.exe of W10 1803. You can even try to migrate with BitLocker enabled; IF it fails, it will redo the upgrade with BitLocker halted (suspended or paused) or turned off.

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1803

https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303

https://blogs.technet.microsoft.com/mniehaus/2018/05/02/new-upgrade-to-windows-10-1803-without-suspending-bitlocker/

DISM /Online /Initiate-OSUninstall

    – Initiates an OS uninstall to take the computer back to the previous installation of Windows.

DISM /Online /Remove-OSUninstall

    – Removes the OS uninstall capability from the computer.

DISM /Online /Get-OSUninstallWindow

    – Displays the number of days after upgrade during which uninstall can be performed.

DISM /Online /Set-OSUninstallWindow

    – Sets the number of days after upgrade during which uninstall can be performed.

Setup.exe /BitLocker AlwaysSuspend

    – Always suspend BitLocker during upgrade.

Setup.exe /BitLocker TryKeepActive

    – Enable upgrade without suspending BitLocker, but if the upgrade does not work, suspend BitLocker and complete the upgrade.

Setup.exe /BitLocker ForceKeepActive

    – Enable upgrade without suspending BitLocker, but if the upgrade does not work, fail the upgrade.

W10 1803, WIN10 1803 Enterprise customers

EFAIL and Microsoft GPO Policy Chaos

Problem:

There is a man-in-the-middle leak where you can capture an e-mail (only if you have access to the flow) and attach content, and if the CLIENT autoloads external pictures (when you open the e-mail), that content gets loaded. Now this would not be too complicated if there were no newsletters where people store large pictures externally on a web server and the users want that active the moment they get the e-mail.

Remember that your Outlook.exe at home blocks the pictures and you have to download them manually with a right click.

https://de.wikipedia.org/wiki/Efail

https://www.scmagazine.com/critical-pgpgpg-smime-email-encryption-vulnerabilities-revealed/article/765806/

From 2012 ;-)

https://www.slipstick.com/outlook/microsoft-service-agreement-virus-and-why-you-should-block-external-content/

The user wants it > IT does it. That's why it's called IT.

https://social.technet.microsoft.com/Forums/en-US/a0b6afd0-8de3-4091-b4b9-2071daabe441/outlook-2016-not-displaying-all-images?forum=Office2016ITPro

Solution: check your GPO policy and turn/change things. Remember that by DEFAULT external content is NOT loaded.

New problem ;-)

Sometimes when it comes to GPOs you have to do a post-doc in IT to understand this.

Is it now?

"Display pictures and external content in HTML e-mail"

Or should it be?

"Do not Display pictures and external content in HTML e-mail"

If you read the description it says you have to enable it > then Outlook will NOT automatically download.

That is kind of confusing? Well no, the people who write such things are developers and normally they are not normal.

Certificates, PKI, Certificate Transparency tools to check

With the website crt.sh you can search what Google and other API providers know about a DOMAIN with regard to issued certificates.

You can do a wildcard search for a domain to get a quick overview of the certificates they used (for example if the customer or internal IT does not even know they have certs).

Query: https://crt.sh/?q=%25.computerladen.ch

Related site which explains it:

https://www.certificate-transparency.org/what-is-ct (text below from that website)

What is Certificate Transparency?

Certificate Transparency aims to remedy these certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users. Specifically, Certificate Transparency has three main goals:

  • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.

Certificate Transparency satisfies these goals by creating an open framework for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates. This open framework consists of three main components, which are described below.

Sample which shows usage of crt.sh
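As an added example (not from the original post or from crt.sh), here is a small Python script that builds the same wildcard query as above with crt.sh's output=json parameter and parses the result to list every name seen, flag certificates from issuers you do not expect, and show which ones are still valid. The JSON field names are assumed from crt.sh's output, and the embedded records are constructed sample data so the script runs offline.

```python
# Added example (not from the original post or crt.sh). Query URL mirrors the
# post's https://crt.sh/?q=%25.computerladen.ch; output=json and the record
# fields (id, issuer_name, name_value, not_before, not_after) are assumed from
# crt.sh's JSON output. SAMPLE_JSON is constructed data so this runs offline.
import json
from datetime import datetime
from urllib.parse import quote
from urllib.request import urlopen

SAMPLE_JSON = json.dumps([  # constructed, not real certificates
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.test\nwww.example.test",
     "not_before": "2018-03-01T00:00:00", "not_after": "2018-05-30T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.test",
     "not_before": "2018-04-15T00:00:00", "not_after": "2018-07-14T00:00:00"},
    {"id": 1003, "issuer_name": "C=XX, O=Some Other CA, CN=Unexpected CA",
     "name_value": "vpn.example.test\nold.example.test",
     "not_before": "2017-01-01T00:00:00", "not_after": "2018-01-01T00:00:00"},
])


def crtsh_url(domain):
    """Wildcard query like the post's, plus output=json for machine parsing."""
    return "https://crt.sh/?q=" + quote("%." + domain) + "&output=json"


def fetch_crtsh(domain, timeout=30):
    """Live lookup over the network; call it yourself instead of SAMPLE_JSON."""
    with urlopen(crtsh_url(domain), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def summarise(raw_json, expected_issuers, now_iso):
    """Return (all names seen, ids from unexpected CAs, ids valid at now_iso).

    expected_issuers: substrings of issuer_name your organisation uses; any
    cert whose issuer matches none of them is worth a closer look.
    """
    now = datetime.fromisoformat(now_iso)
    names, unexpected, valid = set(), [], []
    for cert in json.loads(raw_json):
        # name_value holds the CN/SANs, newline-separated in crt.sh's output
        names.update(n.strip().lower() for n in cert["name_value"].splitlines() if n.strip())
        if not any(e in cert["issuer_name"] for e in expected_issuers):
            unexpected.append(cert["id"])
        if datetime.fromisoformat(cert["not_before"]) <= now <= datetime.fromisoformat(cert["not_after"]):
            valid.append(cert["id"])
    return sorted(names), unexpected, valid
```

Run `summarise(fetch_crtsh("computerladen.ch"), ["<your CA names>"], "<today>")` for a live check; the unexpected-issuer list is the part that deserves a follow-up with the domain owner.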