Archive for the ‘Architect’ Category

Microsoft (SFB/O365) Dropping Support for PBX Connections leaving Legacy Platforms behind

Wednesday, July 26th, 2017

Microsoft recently announced that it will no longer provide session border controller (SBC) support for PBX systems accessing Office 365.

Essentially, the news means that starting July 2018, users of Exchange Online Unified Messaging (UM) will have to use an alternative method of connecting voicemail with Outlook. Microsoft won’t support PBX connections using SBCs for that purpose.

In its announcement, Microsoft suggested that only “a small number of customers are affected by this change” and that it was making it to “provide a higher quality of service for voicemail.” Microsoft also offered four alternative options, though they likely won’t be cheap or simple for affected organizations, said Paul Cunningham, a Microsoft Most Valuable Professional, commenting in a Practical 365 blog post. The move could simplify things for Microsoft, though, he suggested.

“I see this simply as part of Microsoft’s grand strategy to jettison legacy platforms and solutions that are complex and not highly profitable, and focus on services like Cloud PBX that they can deliver more efficiently,” Cunningham added.

Microsoft is discontinuing its SBC support on the Office 365 side so that it won’t have to rely on “a third-party system” that’s difficult to manage, suggested Jeff Guillet, a Microsoft certified solutions master and Microsoft MVP. He explained the technical aspects of Microsoft’s move in this blog post, adding that giving companies just one year to move is “asking a lot,” since the switchover likely will affect large companies.

Some Help for Orgs
Meanwhile, AVST, a Microsoft Gold partner on Skype for Business and Exchange, and a voicemail pioneer, is indicating that it has the means to support organizations faced with Microsoft’s one-year deadline.

The company’s CX-E Unified Communications platform offers a quick solution that can integrate with leading PBX systems, such as systems from Avaya, Cisco, Microsoft and others. The platform permits organizations to continue to use Outlook forms to link voicemail with e-mail. Because of the potential pain involved in such moves, it’s currently offering discounts via its Value-Added Reseller partners.

How AVST can address the issue was explained by Tom Minifie, AVST’s chief technology officer, as well as Denny Michael, senior vice president of sales and marketing at AVST, in a phone interview last week.

AVST has been addressing the unified communications space for decades.

“The company goes back over 30 years and we were one of the folks that brought voicemail to the marketplace,” Michael said. “We’ve been around for a long time, and we primarily service the enterprise space. We’re very strong in healthcare, state and local government, regulated industries, higher education and other horizontal industries as well.”

Minifie explained that organizations with third-party (or non-Microsoft) PBX systems using Office 365, or thinking about moving to Office 365, will be affected by Microsoft’s change. Most options, of the four listed by Microsoft, will require moving to Skype for Business and scrapping PBX systems. It’ll be “disruptive,” he said.

“Clearly, from Microsoft’s position, they want that alternative to be ‘Get rid of your PBX and use Skype for Business,'” Minifie said. “So, for customers that have already been planning for that, that’s a good option for them. They move to Skype for Business and continue to use the Exchange [Online] UM component. But for customers that aren’t interested in doing that or aren’t ready to do that, then this is pretty disruptive because it’s not something that they’ve planned for already.”

AVST, with its CX-E Unified Communications platform, specializes in the fourth option presented by Microsoft.

“And what that is, it’s really saying is that instead of directly connecting the Exchange [Online] UM environment to the PBX, I’m going to have a different unified messaging solution that performs that same functionality, and that’s how we approach it,” Minifie said. “Because of our history, we evolved the integrations into the various phone systems, so whatever phone system or PBX the customer is using, we’ll be able to integrate into that, but then we also integrate into the Exchange environment so that we can provide unified messaging through Exchange.”

End users also get the same familiar Outlook look and feel with AVST’s platform.

“In our eyes, we’re providing the best of both worlds,” Minifie said. “We’re solving the problem, which is you can no longer connect Exchange [Online] UM into your PBX. So we take care of that PBX connection. But you get to continue to use the familiar Outlook interface that the end users are used to.”

Minifie affirmed that Microsoft was essentially eliminating the SBC on its end. The change was aimed at improving the quality of service of voicemail, according to Microsoft.

The Time Factor
AVST and its partners validate phone systems and architectures. They perform application discovery to address any functionalities that an organization may want. The time it takes to deploy will depend on the solution chosen.

“As far as the amount of time, that kind of depends on the solution,” Minifie said. “Ours is quick because you really aren’t changing anything. Your phone system doesn’t change. Your Exchange doesn’t change. We just get put in the middle of it. And so that can be deployed very quickly.”

Other approaches can get delayed.

“With the other solutions, you’re getting into having to order telecom things,” Minifie said. “You need SIP trunking and have to order from the carrier, and there are whatever delays for that to get delivered.”

AVST’s solution can be installed on premises or it’s provided as a hosted software-as-a-service solution via subscription. More information about AVST’s replacement offerings for Exchange Online UM can be found at this page.

By Kurt Mackie

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Source: Microsoft Dropping Support for PBX Connections Using SBCs — Redmond Channel Partner

Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

Wednesday, July 19th, 2017

A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time this year, which could allow attackers to remotely execute malicious code on a victim’s computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users.

Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a design defect in the WebEx browser extension. To exploit the vulnerability, all an attacker needs to do is trick victims into visiting a web page containing specially crafted malicious code through the browser with the affected extension installed. Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

“I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, Firefox and other browsers are likely to be affected as well.”

Cisco has already patched the vulnerability and released the “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers that addresses this issue, though “there are no workarounds that address this vulnerability.”

“This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows,” Cisco confirmed in an advisory released today.

Download Cisco WebEx Extension 1.0.12

In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack.

Fortunately, Apple’s Safari, Microsoft’s Internet Explorer and Microsoft’s Edge are not affected by this vulnerability. Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed.

This is the second time this year that a remote code execution vulnerability has been discovered in the Cisco WebEx extension.

 

Source: Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

Understanding Open Source Agility – Watching revenue upside in SD-WAN, UCaaS services.

Thursday, July 13th, 2017
“A penny saved is a penny earned” –Wise Anonymous person’s words that I heard from my mother growing up.
ROI should be an initial checkpoint and a major focus of any technological investment. What is the solution solving? I can’t stop adding items to the list. I found the article below rather interesting – The service and cloud scene is poppin right now.
–Aaron

Mellanox Adds Cumulus Linux Support for Ethernet Switches

Tuesday, March 8th, 2016

SUNNYVALE, Calif. & YOKNEAM, Israel–(BUSINESS WIRE)–Mellanox® Technologies, Ltd. (NASDAQ:MLNX), a leading supplier of high-performance, end-to-end interconnect solutions for data center servers and storage systems, today announced it has added Cumulus® Linux® support for the Spectrum line of 10/25, 40/50, and 100 Gb/s Ethernet switches.

The addition of Cumulus Linux provides customers a best in class Network Operating System (NOS) with the highest performance and most predictable Ethernet switch platform. The availability of third party NOS solutions is the cornerstone of the Open Ethernet initiative and provides customers with freedom of choice.

“The addition of Cumulus Linux means we now give our customers the option to choose the leading Linux NOS on the market,” said Amit Katz, vice president Ethernet switch sales, Mellanox Technologies. “We are confident our Ethernet switch platforms will continue to deliver unmatched predictability, packet performance and the ability to achieve Web-Scale IT efficiencies.”

In order to achieve more agile innovation and to avoid vendor lock-in, many of the largest and most advanced web scale businesses have rejected closed, proprietary, black box switches. Taking a page from these hyperscale data centers, more modestly sized businesses are emulating these architectures and adopting open, disaggregated switches – which separate the choice of hardware and software components. These open networking platforms enable customers to choose best of breed components in order to optimize and automate their data centers to meet their business needs. The fully integrated and tested combination of Spectrum switches and Cumulus Linux is the ideal way to achieve this agility, with an open networking platform that frees enterprises to extend and improve the pace of innovation, efficiency, and automation of their data center infrastructure.

Mellanox is helping to accelerate the adoption of open networking and the transformation of businesses to achieve web-scale IT efficiencies. The partnership between Mellanox and Cumulus Networks is a realization of the Open-Ethernet initiative and furthers both companies’ long-standing commitment to open networking, as demonstrated by their contributions to the Open Compute Project (OCP), Switch Abstraction Interface (SAI), Linux Switchdev, and Open Network Install Environment (ONIE). In addition, Mellanox has made multiple contributions of 10/25, 40/50, & 100 Gb/s Ethernet switch and OCP adapters designs.

“Mellanox is uniquely positioned to capitalize on a big opportunity as the industry continues to move towards open solutions,” said JR Rivers, CEO and co-founder, Cumulus Networks. “With Mellanox’s performance-focused value proposition, Open Ethernet initiative, and large base of clients, Cumulus can expand into new markets and help accelerate customers’ move to Web IT. Open is becoming the industry standard at every level in modern infrastructure builds. As ecosystems open up, customers win; all due to selecting the best technology under the best terms.”

“At Cloudalize, we offer the GPU Desktop as a Service (GDaaS) Platform to a wide range of partners for the cloud solutions they deliver to their customers, so we demand performance, predictability, and industrial-grade control of our networking equipment,” said Benny Willen, CEO Cloudalize. “Cloudalize’s requirements for high performance networking, that could be provisioned as easily as servers, led us to look at an Open solution in the form of Cumulus Linux running on top of Mellanox’s Ethernet Switches. With Cumulus Linux, we could leverage many of our server tools to automate our network orchestration and monitoring activities. With Mellanox Ethernet Switches, we get the predictable performance we need, without worrying about packet loss.”

Come see how to transform your data center and achieve web-scale IT efficiency with the Cumulus Linux running on the Spectrum switch at the Mellanox booth #B4 at the OCP Summit taking place March 9-10 at the San Jose Convention Center.

Source: Mellanox Adds Cumulus Linux Support for Ethernet Switches | Business Wire

Ting sets Sandpoint, Idaho as its next 1 Gbps broadband target

Tuesday, March 8th, 2016

If Ting sees enough interest in service after completing its “demand assessment” phase, Ting says that network construction will begin later this year.

Google Fiber (NASDAQ: GOOG) and other large telcos like AT&T (NYSE: T) have gained national attention for their 1 Gbps FTTH builds in major cities like Atlanta and Austin, Texas. But Ting said its goal is to bring similar capabilities to areas like Sandpoint where the population is less than 10,000 people.

“While it’s obviously very important to get major metros connected with fast fiber Internet, Ting Internet is proving that the fastest Internet access available isn’t just for city centers,” said Elliot Noss, CEO of Ting and its parent company Tucows. “Smaller cities and towns need faster, more reliable Internet too. Maybe even more so.”

Sandpoint will be the fourth area where Ting offers its FTTH service.

In early 2015, Ting launched FTTH service in Charlottesville, Va., followed by Westminster, Md., later that year. In early 2016, Ting Internet began demand generation and assessment in Holly Springs, N.C.

Although network installation costs vary by location, Ting said they are not more than $200 for a home or $400 for an individual business. The Ting Internet Box, which doubles as a high speed wireless router, costs $199 up front or a user can pay $9 a month for the device.

Eligible residential customers can get a 1 Gbps connection for $89, while business services are available for $139 a month. The service provider is also offering a symmetrical 5 Mbps service for $19 a month.

Ting is taking its 1 Gbps FTTH show to the Sandpoint, Idaho area with plans to offer the service to residents in the communities of Sandpoint, Dover, Ponderay and Kootenai.

Similar to the way it launched services in Holly Springs, N.C. and in Virginia, interested residents and businesses that reside in these towns can pre-order service by going to the ting.com/sandpoint site.

The service provider said that pre-orders will impact not just when Ting starts bringing service to a town, but also where it will begin its network buildout.

 

Source: Ting sets Sandpoint, Idaho as its next 1 Gbps broadband target – FierceTelecom

4chan founder Chris Poole will try to fix social at Google | TechCrunch

Tuesday, March 8th, 2016

Google never “got” social. For all the resources thrown at it, Google+ just never quite felt human. But luckily Google just hired the guy behind 4chan — a site that epitomized the good, the bad and the ugly of humanity on the Internet.

Chris Poole (screen name: MOOT) started 4chan in his bedroom at age 15. In the 12 years since, he built it into a 20 million active user image-sharing community around topics ranging from cosplay and cute animals to anime porn and the notoriously uncensored anonymous channel /b/.

But after his other startups ran out of money, Poole stepped away from operating 4chan last year and later sold it. That made him one of the smartest free agents in social tech.

While Google probably won’t force him into a suit and tie, Poole now has a much more corporate job: He’ll be working under Google’s Bradley Horowitz, VP of streams, photos and sharing. According to a source, Poole moved across the country for the job and has been there a week already.

Poole was apparently attracted by the inherently nerdy culture Google fosters. He writes:

“When meeting with current and former Googlers, I continually find myself drawn to their intelligence, passion, and enthusiasm — as well as a universal desire to share it with others. I’m also impressed by Google’s commitment to enabling these same talented people to tackle some of the world’s most interesting and important problems.”

Poole didn’t respond to multiple attempts to contact him regarding clues to exactly what he’ll be working on. There is a lot to do, though.

Google Photos, with its free storage and powerful search, is the first thing the search giant has done right in social for years. Poole could teach Google how to build a community around the product, not just a user base. The company’s been experimenting with social apps for college kids, like one for hanging out in person called “Who’s Down.” And Poole knows tons about anonymity, a space that’s been in recession since Secret died.

There are plenty of people who can build a social product. But after many interviews with Poole, I can confidently say he truly gets the sociology behind why people use them. It’s that understanding of emotion, not just algorithms, that Google needs.

Source: 4chan founder Chris Poole will try to fix social at Google | TechCrunch

Password hash cracking on a Juniper ScreenOS device

Monday, January 4th, 2016

So the Juniper Netscreen/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to perform a reverse of the password hashes to see if they were weak.

In this case here’s the line from the config:

    set admin user "admin" password "nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn" privilege "all"

John the Ripper has supported Netscreen passwords since back in 2008 when Samuel Moñux released this patch. Unfortunately John was too slow for my needs as I was up against a deadline, thus I looked at the faster approach of using the GPU to perform the cracking. Hashcat is the best tool for the job but unfortunately Hashcat didn’t support this hashing algorithm. :-(

After looking through jar source code I found this Python script, which can generate a Netscreen hash. Getting warmer. Here’s a shortened version of the code to show just the function we’re interested in:

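    import hashlib

    # Standard Base64 alphabet. The shortened script does not show this
    # definition; the example hash on this page decodes to the quoted MD5 with it.
    b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

    def makepass(user, password):
        # fixed salt, joined with the username and the password
        middle = "Administration Tools"
        s = "%s:%s:%s" % (user, middle, password)
        print(s)
        m = hashlib.md5(s.encode()).digest()

        # combine each pair of digest bytes into one 16-bit value
        narray = []
        for i in range(8):
            n1 = m[2*i]
            n2 = m[2*i+1]
            narray.append((n1 << 8 & 0xff00) | (n2 & 0xff))

        # split each 16-bit value into 4 + 6 + 6 bits, giving three characters
        res = ""
        for i in narray:
            p1 = i >> 12 & 0xf
            p2 = i >> 6  & 0x3f
            p3 = i       & 0x3f
            res += b64[p1] + b64[p2] + b64[p3]

        # insert the fixed letters at their fixed positions
        for c, n in zip("nrcstn", [0, 6, 12, 17, 23, 29]):
            res = res[:n] + c + res[n:]
        return res

After looking through the code it is clear that there is a fixed salt of Administration Tools and a salt of the username (the middle and s assignments).
The code then takes the MD5 digest two bytes at a time and combines each pair into a single 16-bit value (the first loop).
From each of these 16-bit values it creates 3 characters (the second loop).
And finally it scatters the letters n, r, c, s, t and n onto the hash in specific places (the last loop).
It’s worth noting that the letters nrcstn are actually NeTSCReeN in reverse without the e’s :-)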

Using this code it was possible to write some new code to reverse backwards through the steps in order to go from a Netscreen hash back to the raw MD5 hash. Here’s the function for this:

    import binascii

    # Same 64-character alphabet that makepass uses
    b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

    def reversetomd5(knownhash):
        # strip out nrcstn fixed characters
        clean = ""
        for i in [1,2,3,4,5,7,8,9,10,11,13,14,15,16,18,19,20,21,22,24,25,26,27,28]:
            clean += knownhash[i]

        # create blocks: three characters back into one 16-bit value
        block = []
        for i in range(2, 24, 3):
            p1 = b64.index(clean[i-2])
            p2 = b64.index(clean[i-1])
            p3 = b64.index(clean[i])
            block.append(p1 << 12 | p2 << 6 | p3)

        # split each block in half to get the two digest bytes back
        md5hash = bytearray()
        for i in block:
            n1 = i >> 8
            n2 = i & 0xff
            md5hash += bytes([n1, n2])
        return binascii.hexlify(md5hash).decode()

Using this function you are able to give it a Netscreen hash and you’ll get back the raw MD5.

    Knownhash of:nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn has MD5Hash of: 078f1d1f09bede18edf49c0f745781dd

Now using the power of GPU cracking and my favourite tool Hashcat it is possible to crack the hash. We need to put the hash in a format that hashcat can understand, so we create a file called netscreen.txt and put the hash in the following format (note the trailing colon after the fixed salt):

    [hash]:[user]:Administration Tools:
    078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:

We then use hashcat’s mode 20 which is md5($salt.$pass) to crack the hash:

    C:\cudaHashcat64.exe -m 20 netscreen.txt rockyou.txt
    cudaHashcat v1.01 starting...
    Hashes: 1 total, 1 unique salts, 1 unique digests
    Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
    Watchdog: Temperature abort trigger set to 90c
    Watchdog: Temperature retain trigger set to 80c
    Device #1: GeForce GTX 660M, 2048MB, 950Mhz, 2MCU
    Device #1: Kernel ./kernels/4318/m0020_a0.sm_30.64.ptx
    Device #1: Kernel ./kernels/4318/bzero.64.ptx

    Generated dictionary stats for rockyou.txt: 139921541 bytes, 14344395 words, 14343300 keyspace

    078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools::MySecretPassword

    Session.Name...: cudaHashcat
    Status.........: Cracked
    Input.Mode.....: File (rockyou.txt)
    Hash.Target....: 078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
    Hash.Type......: md5($salt.$pass)
    Time.Started...: Fri Jan 10 15:03:24 2014 (5 secs)
    Speed.GPU.#1...:  4886.1 kH/s
    Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
    Progress.......: 11109723/14343300 (77.46%)
    Rejected.......: 1371/11109723 (0.01%)
    HWMon.GPU.#1...:  0% Util, 41c Temp, N/A Fan

    Started: Fri Jan 10 15:03:24 2014
    Stopped: Fri Jan 10 15:03:32 2014

Bingo it’s cracked the hash with the password MySecretPassword

As this algorithm uses more than just a fixed salt to create the hash I’ll speak to Atom (the creator of hashcat) to see if he wants to implement it into a future release, but until then this code should help you in cracking Netscreen passwords.

Update: Atom has added this hash type to oclHashcat as of version 1.20 https://hashcat.net/hashcat/ (Feature request here: https://hashcat.net/trac/ticket/235)
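An added example, not part of the original post: a Python 3 audit helper that pulls admin hashes out of a ScreenOS config, validates the 30-character layout described above, recovers the MD5 and checks each account against a banned-password list. The function names, the banned list and the "backup" and "broken" config lines are constructed for illustration.

```python
import hashlib
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MARKERS = dict(zip([0, 6, 12, 17, 23, 29], "nrcstn"))  # offset -> fixed letter
FIXED_SALT = "Administration Tools"
ADMIN_RE = re.compile(r'^set admin user "([^"]+)" password "([^"]+)"', re.M)


def screenos_hash(user, password):
    """Encode md5(user:Administration Tools:password) in the ScreenOS layout."""
    digest = hashlib.md5(f"{user}:{FIXED_SALT}:{password}".encode()).digest()
    out = ""
    for i in range(0, 16, 2):
        word = digest[i] << 8 | digest[i + 1]          # two bytes -> 16 bits
        out += B64[word >> 12 & 0xF] + B64[word >> 6 & 0x3F] + B64[word & 0x3F]
    for pos, letter in sorted(MARKERS.items()):         # scatter n,r,c,s,t,n
        out = out[:pos] + letter + out[pos:]
    return out


def decode_to_md5(h):
    """Return the MD5 hex digest inside a ScreenOS hash; ValueError if malformed."""
    if len(h) != 30:
        raise ValueError("expected 30 characters, got %d" % len(h))
    for pos, letter in MARKERS.items():
        if h[pos] != letter:
            raise ValueError("marker %r missing at offset %d" % (letter, pos))
    body = [c for i, c in enumerate(h) if i not in MARKERS]
    if any(c not in B64 for c in body):
        raise ValueError("character outside the Base64 alphabet")
    raw = bytearray()
    for i in range(0, 24, 3):
        p1, p2, p3 = (B64.index(c) for c in body[i:i + 3])
        if p1 > 0xF:                                    # only 4 bits are encoded here
            raise ValueError("first character of a group carries more than 4 bits")
        word = p1 << 12 | p2 << 6 | p3
        raw += bytes([word >> 8, word & 0xFF])
    return raw.hex()


def audit_config(config_text, banned_passwords):
    """One finding per admin account: recovered MD5, banned password hit, or error."""
    findings = []
    for user, h in ADMIN_RE.findall(config_text):
        entry = {"user": user, "md5": None, "weak_password": None, "error": None}
        try:
            entry["md5"] = decode_to_md5(h)
        except ValueError as exc:
            entry["error"] = str(exc)
        else:
            for candidate in banned_passwords:
                if screenos_hash(user, candidate) == h:
                    entry["weak_password"] = candidate
                    break
        findings.append(entry)
    return findings


# Constructed sample input. The first line is the one quoted in the post; the
# other two are generated here (one valid, one with a corrupted marker letter).
BANNED = ["netscreen", "password", "MySecretPassword"]
_tampered = screenos_hash("broken", "x")
_tampered = _tampered[:6] + "X" + _tampered[7:]
SAMPLE_CONFIG = "\n".join([
    'set admin user "admin" password "nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn" privilege "all"',
    'set admin user "backup" password "%s" privilege "read-only"'
    % screenos_hash("backup", "netscreen"),
    'set admin user "broken" password "%s" privilege "read-only"' % _tampered,
])

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, BANNED):
        print(finding)
```

Because the encoding is a reversible wrapper around a single MD5 round, any account flagged here should be given a new, strong password and the config export treated as sensitive.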

 

This article’s Original Author:

https://www.phillips321.co.uk/2014/01/10/cracking-a-juniper-netscreen-screenos-password-hash/

Cisco ASR 1000 Series Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability

Tuesday, August 4th, 2015

Summary: A vulnerability in the code handling the reassembly of fragmented IP version 4 (IPv4) or IP version 6 (IPv6) packets of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a crash of the Embedded Services Processor (ESP) processing the packet. The vulnerability is due to improper processing of crafted, fragmented packets. An attacker could exploit this vulnerability by sending a crafted sequence of fragmented packets. An exploit could allow the attacker to cause a reload of the affected platform. Cisco has released software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150730-asr1k

Vulnerable Products: All Cisco ASR 1000 Series Aggregation Services Routers models are affected by this vulnerability when running an affected version of Cisco IOS XE Software. This vulnerability does not depend on any specific combination of ESP and Route Processor (RP) installed on the chassis. Any combination of ESP and RP is affected. Products Confirmed Not Vulnerable

Details: A vulnerability in the code handling the reassembly of fragmented IP version 4 (IPv4) or IP version 6 (IPv6) packets of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a crash of the Embedded Services Processor (ESP) processing the packet. The vulnerability is due to improper processing of crafted, fragmented packets. An attacker could exploit this vulnerability by sending a crafted sequence of fragmented packets. An exploit could allow the attacker to cause a reload of the affected platform. This vulnerability can be triggered by IPv4 or IPv6 crafted, fragmented packets destined to the device itself. It cannot be triggered by transit traffic. This vulnerability could be repeatedly exploited to cause an extended DoS condition. This vulnerability is documented in Cisco bug ID CSCtd72617 (registered customers only), and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-4291.

Vulnerability Scoring Details

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss

CSCtd72617 – Cisco IOS XE Software Fragmented Packet Denial of Service Vulnerability

CVSS Base Score – 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

CVSS Temporal Score – 6.4
Exploitability: Functional
Remediation Level: Official-Fix
Report Confidence: Confirmed

Impact

Successful exploitation of this vulnerability may cause a crash of the ESP processing the packet, resulting in a DoS condition. Repeated exploitation could result in an extended DoS condition.

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. This vulnerability has been fixed in the following Cisco IOS XE Software versions:

Cisco IOS XE Software Train    First Fixed Release
2.1                            Vulnerable; migrate to 2.5.1 or later. (1)
2.2                            Vulnerable; migrate to 2.5.1 or later. (1)
2.3                            Vulnerable; migrate to 2.5.1 or later. (1)
2.4                            2.4.3 (1)
2.5                            2.5.1 (1)

Source: Cisco ASR 1000 Series Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability

Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

Tuesday, August 4th, 2015

A recently disclosed vulnerability in Bind, the most widely used software for translating human-friendly domain names into IP addresses used by servers, makes it possible for lone-wolf attackers to bring down huge swaths of the Internet, a security researcher has warned.

The flaw, which involves the way that Bind handles some queries related to transaction key records, resides in all major versions of the software from 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2. Attackers can exploit it by sending vulnerable servers a malformed packet that’s trivial to create. Vulnerable servers, in turn, will promptly crash. There are no indications that the vulnerability is being actively exploited in the wild, and the bug wasn’t disclosed until a fix was in place. Still, the critical vulnerability underscores the fragility of Bind, which despite its three decades in use and unwieldy code remains the staple for the Internet’s domain name system.

Rob Graham, CEO of penetration testing firm Errata Security, reviewed some of the Bind source code and the advisory that Bind developers issued earlier this week and made this sobering assessment:

“BIND9 is the oldest and most popular DNS server. Today, they announced a DoS vulnerability was announced that would crash the server with a simply crafted query. I could use my “masscan” tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn’t mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems—problems that critical infrastructure software should not have.

“Its biggest problem is that it has too many features. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today’s bug was in the rarely used “TKEY” feature, for example. DNS servers exposed to the public should have the minimum number of features—the server priding itself on having the maximum number of features is automatically disqualified.”

Normally, denial-of-service bugs receive low-severity ratings, but when they’re present in servers that form the Internet’s very core, the risks are much higher. Graham regularly scans almost the entire Internet to get an estimate of how many servers remain affected by the Heartbleed vulnerability in OpenSSL and other major software weaknesses. He said Bind’s code base still isn’t as bloated as that of OpenSSL, but it’s much slower than it should be despite being written using C and C++. The result: Bind has all the security weaknesses that come with those programming languages without the speed that often justifies their use anyway.

Graham concluded:

“The point I’m trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity. Even if it were written perfectly, it has far too many features to be trustworthy. Its feature-richness makes it a great hidden master, it’s just all those features get in the way of it being a simple authoritative slave server, or a simple resolver. They shouldn’t rewrite it from scratch, but if they did, they should choose a safe language and not use C/C++.”

Source: Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

600TB MongoDB Database ‘accidentally’ exposed on the Internet

Monday, July 27th, 2015

This huge MongoDB database isn’t exposed due to a flaw in its latest version of the software, but due to the use of out-of-date and unpatched versions of the platform that fail to bind to localhost.

While investigating NoSQL databases, Matherly focused on MongoDB, which is growing in popularity.

“It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to 0.0.0.0 [in which listening is enabled for all interfaces] by default, which looks like a maintenance release done on April 28, 2015,” Matherly wrote in a blog post.

The security issue was first reported as a critical vulnerability back in February of 2012 by Roman Shtylman, but it took MongoDB developers a bit more than two years to rectify this security flaw.

Affected, outdated versions of MongoDB do not have a 'bind_ip 127.0.0.1' option set in mongodb.conf, potentially leaving users’ servers vulnerable if they are not aware of this setting.

According to Shtylman, “The default should be to lockdown as much as possible and only expose if the user requests it.”
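As an added illustration (not from the article or from the MongoDB project), the check below audits a legacy key = value mongodb.conf for the two conditions described here: no loopback-only bind_ip and no authentication. The function names and both sample configs are constructed, and a missing bind_ip is treated as listening on all interfaces, as the article says of the affected versions.

```python
import ipaddress

# Constructed sample configs in the legacy "key = value" mongodb.conf format.
WEAK_CONF = """\
dbpath = /var/lib/mongodb
port = 27017
#bind_ip = 127.0.0.1
"""

HARDENED_CONF = """\
dbpath = /var/lib/mongodb
port = 27017
bind_ip = 127.0.0.1   # loopback only
auth = true
"""


def parse_legacy_conf(text):
    """Parse 'key = value' lines into a dict, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a commented-out option does not count
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def is_loopback(addr):
    """True for localhost and loopback IPs; unknown hostnames count as reachable."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_mongodb_conf(text):
    """Return (verdict, findings) for one mongodb.conf."""
    settings = parse_legacy_conf(text)
    findings = []

    bind_ip = settings.get("bind_ip")
    if bind_ip is None:
        exposed = True
        findings.append("bind_ip is not set: the server listens on all interfaces")
    else:
        addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
        reachable = [a for a in addrs if not is_loopback(a)]
        exposed = bool(reachable) or not addrs
        if exposed:
            findings.append("bind_ip includes non-loopback address(es): %s"
                            % (", ".join(reachable) or "(empty)"))

    auth_on = (settings.get("auth", "false").lower() == "true"
               and settings.get("noauth", "false").lower() != "true")
    if not auth_on:
        findings.append("auth is not enabled: any client that connects has access")

    if exposed and not auth_on:
        verdict = "CRITICAL"      # reachable from the network and unauthenticated
    elif exposed or not auth_on:
        verdict = "WARNING"
    else:
        verdict = "OK"
    return verdict, findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongodb_conf(conf))
```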

Affected Versions

Earlier instances of version 2.6 appeared to have been affected, significantly putting users of MongoDB database version 2.4.9 and 2.4.10, followed by 2.6.7, at risk.

The majority of publicly exposed MongoDB instances run on cloud servers such as Amazon, Digital Ocean, Linode, and Internet service and hosting provider OVH and do so without authentication, making cloud services more buggy than datacenter hosting.

“My guess is that cloud images do not get updated as often, which translates into people deploying old and insecure versions of software,” Matherly said.

Affected users are advised to switch to the latest version as soon as possible.

This isn’t the first time MongoDB instances have been exposed to the Internet; back in February, German researchers found nearly 40,000 MongoDB instances openly available on the Internet.

via 600TB MongoDB Database ‘accidentally’ exposed on the Internet.