This will be short and sweet, if you have privileges to boot your PC into safe mode you can follow the following steps to delete the affected update.
Crowd Strike Workaround Steps:
-
Boot Windows into Safe Mode or the Windows Recovery Environment
-
Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
-
Locate the file matching “C-00000291*.sys”, and delete it.
-
Boot the host normally.
So Open SSL announced that they are going to release details of a Critical OpenSSL vulnerability that affects versions 3.0.0 to 3.0.6. There is rumbling that this vulnerability may be a major deal likened to the everyone's favorite CVE of 2014, heartbleed.
Open SSL will be releasing their patch/update Tuesday 1st November 2022 between 1300-1700 UTC
But unlike heartbleed this OpenSSL vulnerability might not have the same impact to security and network infrastructure that heartbleed had. So far most security and network infrastructure companies are looking ok. As you would expect many of these companies don't run the most bleeding edge versions of open source libraries for this very reason. Also many times stability and security take president over new features.
What I wanted to do is put links to OSS (Open Source Software) lists that are used in different vendors platforms. I started out hopeful but for many of the companies it is very difficult to find. I will post hem as i run across them.
Cisco - https://www.cisco.com/c/en/us/about/legal/open-source-documentation-responsive.html
Palo Alto Networks - https://docs.paloaltonetworks.com/oss-listings/pan-os-oss-listings
Juniper -
Fortinet -
Aruba -
Arista -
Extreme Networks -
Checkpoint -
F5 -
Citrix ADC -
There is a new flavor of protocol reflection attacks on the streets!
The TCP Middlebox reflection attack is the first reflection attack to utilize the TCP protocol. Traditionally the TCP protocol was not susceptible to spoofed source packets because of its state based nature (three way handshake). Researchers at University of Maryland and the University of Colorado discovered that many network devices, such as load balancers, proxies, and firewalls, could be susceptible to specifically-crafted packets that could generate amplified traffic (up to 65x) at a victim. These devices could be inherently susceptible to the spoofing because many of these devices have to contend with Asynchronous network traffic and out of order packets.
Akamai did a really great write up on what they saw and how they mitigated the attack. https://www.akamai.com/blog/security/tcp-middlebox-reflection
Shadow Server also has a write up. https://www.shadowserver.org/news/over-18-8-million-ips-vulnerable-to-middlebox-tcp-reflection-ddos-attacks/
So on to your firewalls:
The out of the box Palo Alto Firewalls do not appear to have any mitigation configured by default to protect against this attack. But its not the end of the world. Palo Alto and many other security vendors have low level TCP protection that basically normalizes TCP traffic and cuts out the flood attacks, malformed protocol attacks, etc., before they are even processed by your firewall. This minimizes impact on the device resources like CPU and memory for these types of attacks.
In the Palo Alto world this is called "Zone Protection Profiles". If you run BPA (Best Practice Assessment) - which you should - then the Zone Protection Profiles are often flagged if you don't have them configured.
The zone protection profile is pretty strait-forward to set up but, before you start, you need to do a little research and investigation into your device
- You need to determine the maximum CPS or connections per second your device can handle. This is a list of devices and their specs on the Palo Alto Networks site. https://www.paloaltonetworks.com/products/product-selection
- Next you will want capture some metrics around how many CPS your devices are seeing. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps
- Next you will want to do a few calculations and configure your zone protection profile. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/zone-protection-profiles
Here is the "Cool SH*T Props" to Palo Alto Networks...when you create a zone protection profile, by default under the Packet Based Protection > and > 'TCP Drop the TCP SYN with Data' and 'TCP SYN ACK with Data' are already checked. This means when you apply your newly configured zone protection profile to your security zone it will protect you from current Middlebox vulnerability by dropping any of the cleverly crafted SYN packets because they would be larger then 0 bytes.
Yeah!
So I wanted to post a little bonus. Here is a quick and easy flood protection calculator I threw together in google sheets, just add your average CPS.
Enhanced Data Visualization Dashboard using Splunk
Directions:
- Log into Splunk and go to Search
- Click on Dashboards and Create a new Dashboard
- Once you have created your new dashboard go to edit and select source tab on the top
- Clear out the default text in the dashboard and copy and paste the dashboard from GitHub.
- Before you save the dashboard you will need to identify your Palo Alto firewall host= fields to populate the field2 drop down menus, I have space holders firewall-1, firewall-2, etc. configured currently
You should be good to go!
So SolarStorm the SolarWinds supply chain hack... Yeah.... You might have heard about it?
SolarWinds supply chain was compromised. What that means is a trojanized version of a SolarWinds package was uploaded and distributed to their clients . The infected package contained malware named SUNBURST, and when clients installed the infected package it also installed the malware. The malware creates a backdoor to allow the bad actors to control the server, move laterally, and exfiltrate data. Basically what ever they want....
Updated Solarwinds Attack Lifecycle:
What should you do now:
As information starts to come out and the initial freak out calms down we are learning more about the impact of these exploits, and they are pretty huge. I wanted to gather a collection of information and vendor responses in one place to try to help fellow nerds have a resource of reliable information.
SolarWinds
- Security Advisory https://www.solarwinds.com/securityadvisory
Fireeye Links
- Initial write up about the Sunburst https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- Counter Measures https://github.com/fireeye/sunburst_countermeasures
- Emergency Directive https://cyber.dhs.gov/ed/21-01/
Palo Alto Networks Unit 42
- Analysis of Sunburst https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
- Information https://blog.checkpoint.com/2020/12/16/solarwinds-sunburst-attack-what-do-you-need-to-know/
Cisco Networks
Splunk
- Response and Identification tool https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
Mcafee
Microsoft
- Pretty tough to get through :( https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
- **Customer Guidance: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
Infoblox
Elasticsearch (Elastic Security)- Response and Identification tool https://www.elastic.co/blog/elastic-security-provides-free-and-open-protections-for-sunburst
- **Assessing the SolarWinds hack with their tool: https://www.crowdstrike.com/blog/tech-center/assess-solarwinds/
- sudo nano /etc/sysctl.conf
- net.ipv4.ip_forward = 1
- sudo sysctl -p
The WireGuard configuration is as simple as setting up SSH. A connection is established by an exchange of public keys between server and client. Only a client that has its public key in its corresponding server configuration file is allowed to connect. WireGuard sets up standard network interfaces (such as wg0 and wg1), which behave much like the commonly found eth0 interface. This makes it possible to configure and manage WireGuard interfaces using standard tools such as ifconfig and ip. I was going to post a guide but there are so many good guides already on the internet just google it. Also the official documentation is really good and has some install guides as well.
Enjoy, be safe, support and contribute to WireGuard.









