In case anyone has forgotten:
SMB1 - disabled long ago
SMB2 -
This article describes information about Windows disabling guest access in SMB2 by default, and provides settings to enable insecure guest logons in Group Policy. However, this is generally not recommended.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

TLS1.0 and TLS 1.1 S
Since November 1st Microsoft has changed the TLS to 1.2 for all environments. Exchange 2019 has even no opportunity to change back to the old standard. That means Exchange 2019 supports TLS 1.2 only.
https://www.msb365.blog/?p=2599#:~:text=TLS%20support,2019%20supports%20TLS%201.2%20only.
https://tkolber.medium.com/exchange-2019-free-busy-issue-with-exchange-2013-2016-ca902ca543a8

Final Notice for disabling of TLS1.0 and TLS 1.1 Support for Exchange Online Mail Flow
MC229914 · Published Dec 14, 2020 Message Summary
https://fromreallife.wordpress.com/2021/01/12/про-коварный-microsoft/

LDAP Channel Binding and LDAP Signing Requirements 2020
https://fromreallife.wordpress.com/2019/12/27/ldap-channel-binding-and-ldap-signing-requirements-2020/

Using OCSP, LDAP & HTTP for Certificate Checking
https://www.isode.com/whitepapers/ocsp-ldap-http-certificate-checking.html
vCenter Server 7.0 fails to start after replacing VMCA certificates with CA-signed certificates.
When attempting to replace the Machine SSL certificate for vCenter with a custom CA-signed certificate, vCenter Server service fails to start.
In /var/log/vmware/rhttpproxy/rhttpproxy.log, you see a log message similar to:
2020-09-25T21:15:28.865Z warning rhttpproxy[07720] [Originator@6876 sub=RhttpProxy] [Rhttpproxy clusters REST PUT Handler] Saving proxy configuration failed! Error code = 13, Message = Error adding/updating listener edge_https_v6: Failed to load certificate chain from
Loading the certificate with OpenSSL returns the following error:
Command: openssl x509 -text -noout -in .crt
Output: unable to load certificate

https://kb.vmware.com/s/article/82168
Protecting privileged domain accounts:
Here is a decent series of articles on what needs to be protected. Of course, these days there is virtual base security and so on, and a lot is new. But it is useful for understanding, so that you do not stop at debug privileges: https://www.securitylab.ru/analytics/431689.php
https://www.securitylab.ru/analytics/437458.php
https://www.securitylab.ru/analytics/437459.php
https://www.securitylab.ru/analytics/437270.php
Recommended: Devsec:
Zero Trust Networks: Building Secure Systems in Untrusted Networks
Book by Doug Barth and Evan Gilman
https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/

In general, those who are only beginning to get acquainted with security in IT and development should start with a quick look at:
ISO/IEC 27001 — Information security management
https://www.iso.org/isoiec-27001-information-security.html

Secure software development according to GOST R 56939-2016
https://www.securitylab.ru/blog/personal/crypto-anarchist/312897.php

Information protection
SECURE SOFTWARE DEVELOPMENT
Guidance on implementing measures for secure software development
https://fstec.ru/component/attachments/download/2638
with a redirect to https://fstec.ru/component/attachments/download/2638

and
GOST R 57580.1-2017 «Security of financial (banking) operations. Information protection of financial organizations.
GOST R 57580.2-2018 Security of financial (banking) operations. Information protection of financial organizations. Conformity assessment methodology
Summary:
Potential security vulnerabilities in Intel® Converged Security and Manageability Engine (CSME), Intel® Server Platform Services (SPS), Intel® Trusted Execution Engine (TXE), Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) and Intel® Dynamic Application Loader (DAL) may allow escalation of privilege, denial of service or information disclosure. Intel is releasing firmware and software updates to mitigate these potential vulnerabilities.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html
A group of researchers from Vrije Universiteit Amsterdam has identified a new vulnerability (CVE-2020-0543) in the microarchitectural structures of Intel processors, notable in that it allows recovering the results of some instructions executed on another CPU core. This is the first vulnerability in the speculative execution mechanism that allows data to leak between separate CPU cores (previously, leaks were limited to different threads of a single core). The researchers named the issue CROSSTalk, but Intel's documents refer to the vulnerability as SRBDS (Special Register Buffer Data Sampling).

https://www.opennet.ru/opennews/art.shtml?num=53126
Feature description
A standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate the management to other administrators. This type of managed service account (MSA) was introduced in Windows Server 2008 R2 and Windows 7.

The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers. When connecting to a service hosted on a server farm, such as Network Load Balanced solution, the authentication protocols supporting mutual authentication require that all instances of the services use the same principal. When a gMSA is used as service principals, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password.

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
Niall Sheridan, Intercom

Everyone uses SSH to manage their production infrastructure, but it's really difficult to do a good job of managing SSH keys. Many organisations don't know how many SSH keys have access to production systems or how protected those keys are. A trusted SSH private key can be years old, unprotected by passphrase, and shared among multiple people who may not even work for you.

With some tooling and configuration SSH keys can be replaced with limited-use ephemeral certificates, issued centrally and with better access controls and automatic key expiration, solving many of the shortcomings of using SSH keys.

This talk will cover:

Managing SSH keys: The bad parts
Replacing SSH keys with ephemeral certificates: how & why
Discussion of an implementation of a CA for SSH certificates
Call for participation, showing github source
https://www.youtube.com/watch?v=NCEQj27A3XA
View the full LISA17 program: https://www.usenix.org/lisa17/program
The vulnerability CVE-2020-1048, named PrintDemon by researchers, is present in Windows Print Spooler, the component responsible for printing. The spooler sends data to be printed to the USB/parallel port of a physical printer, to the TCP port of a printer on the local network or on the internet, or to a local file (in case the user wants to postpone printing).

A patch for the issue was released as part of Microsoft's Patch Tuesday on May 13, 2020.
https://www.securitylab.ru/news/508332.php
WHAT’S A 10? PWNING VCENTER WITH CVE-2020-3952

Written by JJ Lehmann and Ofri Ziv on April 15, 2020
https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/
CVE-2020-0796: New vulnerability in SMB protocol
Microsoft has released a patch for newly discovered critical vulnerability CVE-2020-0796 in the network protocol SMB 3.1.1.
https://www.kaspersky.com/blog/smb-311-vulnerability/33991/

Microsoft SMBv3.11 Vulnerability and Patch CVE-2020–0796 Explained
Update 03/12/2020:
Microsoft releases out of band patch: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

Summary
SMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. Successful exploitation will result in remote code execution, with SYSTEM privileges. This is considered “wormable”. Microsoft did not release a patch in March 2020 Patch Tuesday.

I hope no one needs to be reminded of EternalBlue and WannaCry
AMD gets its own Spectre: critical vulnerabilities discovered in Zen/Zen 2 processors
https://3dnews.ru/1005432

CVE-2020-0549 - 28.01.2020
https://3dnews.ru/1002402

CVE-2019-0090 - 06.03.2020
https://itc.ua/news/vo-vseh-proczessorah-i-chipsetah-intel-za-poslednie-pyat-let-prisutstvuet-neustranimaya-uyazvimost/
We invite you to a conference held by Informzashchita, where we will talk about managing information security in public clouds and our approach to organizing a SOC:

http://bit.ly/2VDaaey
On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking.
https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591
Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020
This update rollup is a security update that resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):

CVE-2020-0692 | Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability
This most recent Patch Tuesday, Microsoft released an Important-rated patch to address a remote code execution bug in Microsoft Exchange Server. This vulnerability was reported to us by an anonymous researcher and affects all supported versions of Microsoft Exchange Server up until the recent patch. Here’s a quick video of the bug in action:
https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

Criminals are scanning the internet for vulnerable Microsoft Exchange servers
https://www.securitylab.ru/news/505433.php
A customer requires that their data is fully protected from theft, both at the volume layer and at the disk layer. Which two features of ONTAP satisfy this requirement? (Choose two.)
-
A volume encrypted with an aggregate-level key is called an NAE volume (for NetApp Aggregate Encryption)
NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time.
