Key Reinstallation Attacks: Cryptographic/protocol attack against WPA2

Summary:

Several new vulnerabilities affect WPA2. All of them come from the same root cause: a client or access point that reinstalls an already-installed key when it receives a retransmitted handshake message.

The CVEs are listed below:
1. CVE-2017-13077: reinstallation of the pairwise key in the 4-way handshake
2. CVE-2017-13078: reinstallation of the group key in the 4-way handshake
3. CVE-2017-13079: reinstallation of the integrity group key in the 4-way handshake
4. CVE-2017-13080: reinstallation of the group key in the group key handshake
5. CVE-2017-13081: reinstallation of the integrity group key in the group key handshake
6. CVE-2017-13082: accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it

Impact

Man-in-the-Middle attacks. An attacker within radio range who can place a rogue clone of the access point between the client and the real AP can withhold and replay handshake messages so that the victim reinstalls a key it already has in use. Reinstalling the key resets the packet number (the nonce) and the replay counter, so keystream is reused and the attacker can decrypt and replay frames (and, with TKIP or GCMP, forge them). The Wi-Fi password itself is not recovered.
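To make the failure concrete, here is a toy model of how message 3 of the 4-way handshake is handled, added for this post and not Fortinet's code nor the KRACK researchers' code. It replaces CCMP with a SHA-256-derived keystream and assumes a 32-byte PTK and a 6-byte packet number; both are simplifications. What it shows is the mechanism behind CVE-2017-13077: a client that reinstalls an already-installed PTK on a replayed message 3 resets its packet number, so two frames end up encrypted under the same keystream, and XOR-ing the two ciphertexts with one known plaintext reveals the other.

```python
"""Toy model of the WPA2 4-way handshake key-reinstallation flaw (CVE-2017-13077).

Added illustration, not Fortinet's or the KRACK authors' code. The "cipher" is a
SHA-256-derived keystream keyed by (PTK, packet number); real CCMP is AES-CCM,
but the failure mode is the same: reinstalling an already installed PTK resets
the packet number (the CCMP nonce), so a keystream is used twice.
"""
import hashlib
import os


def keystream(ptk: bytes, pn: int, length: int) -> bytes:
    """Deterministic keystream for one (key, nonce) pair."""
    return hashlib.sha256(ptk + pn.to_bytes(6, "big")).digest()[:length]


def encrypt(ptk: bytes, pn: int, plaintext: bytes) -> bytes:
    """Stream-cipher style: ciphertext = plaintext XOR keystream(key, nonce)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(ptk, pn, len(plaintext))))


class Supplicant:
    """Client side of the handshake: holds the installed PTK and its transmit packet number."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.tx_pn = 0

    def on_msg3(self, ptk: bytes) -> str:
        """Handle message 3 of the 4-way handshake (possibly a retransmission)."""
        if self.patched and self.ptk == ptk:
            # Fixed behaviour: the retransmitted message 3 carries a key that is
            # already installed; answer it but leave key and counters untouched.
            return "msg4 (key left as is)"
        # Vulnerable behaviour: install the key and reset the packet number to
        # zero, even when exactly this key was already installed.
        self.ptk = ptk
        self.tx_pn = 0
        return "msg4 (key installed)"

    def send(self, plaintext: bytes):
        """Encrypt one data frame with the next packet number."""
        self.tx_pn += 1
        return self.tx_pn, encrypt(self.ptk, self.tx_pn, plaintext)


def run_handshake(patched: bool, ptk=None) -> dict:
    """AP delivers msg3, client sends a frame, the attacker withholds msg4 and
    replays msg3, client sends a second frame. Returns the packet numbers used."""
    ptk = ptk or os.urandom(32)            # constructed session key
    client = Supplicant(patched)
    client.on_msg3(ptk)                    # first delivery of message 3
    pn1, c1 = client.send(b"frame-one-payload")
    client.on_msg3(ptk)                    # attacker replays message 3
    pn2, c2 = client.send(b"frame-two-payload")
    return {"pns": (pn1, pn2), "nonce_reused": pn1 == pn2, "c1": c1, "c2": c2}


def xor_recover(c1: bytes, c2: bytes, known_plaintext: bytes) -> bytes:
    """When both frames used the same keystream, c1 XOR c2 XOR p1 = p2."""
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_plaintext))


if __name__ == "__main__":
    for patched in (False, True):
        r = run_handshake(patched)
        print("patched" if patched else "vulnerable", r["pns"], "nonce reused:", r["nonce_reused"])
```

The patched branch is the whole fix: the supplicant keeps the key and counters when the key offered by a retransmitted message 3 is the one already installed. That is also why the repair belongs in the firmware of the device that runs the client role (a FortiAP acting as a mesh leaf, or a FortiGate in Wi-Fi client mode) and cannot be applied from the network side.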

Affected products

1. FortiGate:

* FortiGate units are not affected by CVE-2017-13082.

* All the others (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081) affect FortiGate units running the versions below:

** 5.6 branch: FortiOS 5.6.2 and earlier.

** 5.4 branch: FortiOS 5.4.5 and earlier.

** 5.2 branch: FortiOS 5.2.11 and earlier.

** Earlier branches: all versions.

2. FortiAP:

These issues can only affect FortiAP units operating in mesh mode (that is, acting as a Wi-Fi client). Specifically:

* FortiAP is not affected by CVE-2017-13082.

* All the other CVEs (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081) affect FortiAP units running the versions below:

** 5.6 branch: FortiAP 5.6.0

** 5.4 branch: FortiAP 5.4.3 and earlier.

** 5.2 branch: FortiAP 5.2.6 and earlier.

** Earlier branches: all versions.

 

Solution

For FortiGate Wi-Fi models using Wi-Fi mode:

Upgrade to a special FortiOS 5.6.2 build[*], or upgrade FortiOS to 5.2.12, 5.4.6 or 5.6.3.

For FortiAP units operating as a mesh leaf:

Upgrade to FortiAP 5.6.1, or to the upcoming FortiAP 5.2.7 or 5.4.4.

[*] Contact your local TAC to request the special fixed build based on FortiOS 5.6.2.

http://fortiguard.com/psirt/FG-IR-17-196

www.trtec.com.br

W32/WannaCryptor.B!tr

Fortinet has already updated its antivirus signature database with the signature for W32/WannaCryptor.B!tr.

 

W32/WannaCryptor.B!tr is classified as a trojan.
A trojan is a type of malware that performs activities without the user’s knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.
The Fortinet Antivirus Analyst Team is constantly updating our descriptions. Please check the FortiGuard Encyclopedia regularly for updates.

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

 

https://fortiguard.com/encyclopedia/virus/7362428/w32-wannacryptor-b-tr

 

The IPS can also be used, with the signature below covering the SMBv1 vulnerability WannaCry uses to spread:

MS.SMB.Server.SMB1.WriteAndx.Trans2.Secondary.Code.Execution

Description

This indicates an attack attempt to exploit a Remote Code Execution vulnerability in Microsoft SMB Servers.
The vulnerability is due to an error when the vulnerable software handles a maliciously crafted SMBv1 request. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application, via a crafted request.
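As an added illustration of what the signature name encodes, and not FortiGuard's own detection logic (which is not published), the Python below tracks the SMB1 command sequence per connection and raises an alert when an SMB_COM_WRITE_ANDX is followed by an SMB_COM_TRANSACTION2_SECONDARY on the same flow. A TRANSACTION2_SECONDARY is only legitimate as the continuation of a TRANSACTION2 request, so that ordering is the anomaly. The command codes come from the [MS-CIFS] specification; the flow identifiers and packet contents are constructed. A production sensor would additionally validate the data counts and offsets inside the Trans2 secondary, which this example does not.

```python
"""Stateful SMBv1 sequence check modelled on the signature name above:
an SMB_COM_WRITE_ANDX immediately followed by an SMB_COM_TRANSACTION2_SECONDARY
on the same TCP flow. Added example; FortiGuard's real signature logic is not
public and this is not it. Command codes are from [MS-CIFS]; traffic is constructed.
"""

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_WRITE_ANDX = 0x2F
SMB_HEADER_LEN = 32          # fixed SMB1 header size, after the 4-byte NetBIOS session header


def build_smb1(command: int, body: bytes = b"") -> bytes:
    """NetBIOS session message (type 0x00, 3-byte length) carrying a minimal SMB1 PDU."""
    header = SMB_MAGIC + bytes([command]) + b"\x00" * (SMB_HEADER_LEN - 5)
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb1_command(segment: bytes):
    """Return the SMB1 command byte of one NetBIOS-framed segment, or None if it is not SMB1."""
    if len(segment) < 4 + SMB_HEADER_LEN or segment[0] != 0x00:
        return None
    if int.from_bytes(segment[1:4], "big") != len(segment) - 4:
        return None
    header = segment[4:4 + SMB_HEADER_LEN]
    if header[:4] != SMB_MAGIC:
        return None
    return header[4]          # Command field follows the 4-byte protocol id


class Smb1Sequencer:
    """Tracks the previous SMB1 command per flow and alerts on the anomalous pair."""

    ALERT = "MS.SMB.Server.SMB1.WriteAndx.Trans2.Secondary.Code.Execution"

    def __init__(self):
        self.last_command = {}

    def feed(self, flow: str, segment: bytes):
        cmd = smb1_command(segment)
        if cmd is None:
            return None           # non-SMB1 data does not reset the flow state
        previous = self.last_command.get(flow)
        self.last_command[flow] = cmd
        if previous == SMB_COM_WRITE_ANDX and cmd == SMB_COM_TRANSACTION2_SECONDARY:
            return f"{self.ALERT} flow={flow}"
        return None


def scan(segments):
    """segments: iterable of (flow id, bytes) in capture order; returns the alerts raised."""
    seq = Smb1Sequencer()
    return [a for flow, seg in segments if (a := seq.feed(flow, seg))]


# Constructed traffic: a benign Trans2 with its continuation, then the anomalous sequence.
SAMPLE = [
    ("10.0.0.5:49152->10.0.0.9:445", build_smb1(SMB_COM_TRANSACTION2, b"\x0f" * 16)),
    ("10.0.0.5:49152->10.0.0.9:445", build_smb1(SMB_COM_TRANSACTION2_SECONDARY, b"\x0f" * 16)),
    ("198.51.100.7:40001->10.0.0.9:445", build_smb1(SMB_COM_WRITE_ANDX, b"\x41" * 64)),
    ("198.51.100.7:40001->10.0.0.9:445", b"not smb at all"),
    ("198.51.100.7:40001->10.0.0.9:445", build_smb1(SMB_COM_TRANSACTION2_SECONDARY, b"\x41" * 64)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The signature blocks the exploitation path, not the vulnerability: hosts still need MS17-010, and SMBv1 should be disabled wherever nothing depends on it.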

Affected Products

Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows 10
Microsoft Windows RT
Microsoft Windows RT 8.1
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012 R2 (Server Core)
Microsoft Windows Server 2016

Impact

System Compromise: Remote attackers can gain control of vulnerable systems.

Recommended Actions

Apply the most recent upgrade or patch from the vendor.
https://technet.microsoft.com/library/security/MS17-010

CVE References

CVE-2017-0145

 

https://fortiguard.com/encyclopedia/ips/43797

 


FortiOS 5.6 is out!

Fortinet has just released a new version, FortiOS 5.6.

The main focus of the release is the Security Fabric.

Some details can be seen in this video, recorded while the release was still in beta.

https://video.fortinet.com/video/250/fortinet-security-fabric-demo-5-6-beta-2

For those who want to learn more about it, here is the PDF with the details:

http://docs.fortinet.com/uploaded/files/3602/fortigate-whats-new-56.pdf


Formatting the FortiGate and restoring the firmware

To format a FortiGate via TFTP, we need the following items:

– Network cable

– Console cable

– TFTP software

– PuTTY

– A serial port on the computer, or a USB-to-serial adapter (FortiExplorer over USB cannot be used to reach the FortiBIOS).

The software can be downloaded from the links below:

PUTTY: https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

TFTP: http://tftpd32.jounin.net/download/tftpd32.452.zip

1 – The first step is to connect the console cable to the CONSOLE port of your FortiGate and to your PC.

2 – Next, open PuTTY on the PC and then power on the FortiGate.

3 – You will see the FortiGate booting through the console.

Continue reading “Formatting the FortiGate and restoring the firmware”

FortiGuard Threat Intelligence Brief

Fortinet has launched a new service that provides information about the most active threats of the past week, giving a view of the main concerns in our environment.

This week's report follows.

Activity Summary – Week Ending July 29, 2016

We’ve reached peak summertime (in the Northern Hemisphere, at least), and with that a large portion of workers around the world have left for extended summer vacations. With that, global malware detections among customers have decreased sharply over previous weeks. If cybercriminals can’t get people to open emails or click on links, it becomes difficult for them to find new victims.

 

We discussed in previous briefs a spike in attempts to exploit the CVE-2014-6271 Bash vulnerability. This week we continue to see similar results, suggesting to us that a campaign to discover and exploit vulnerable Unix and Unix-like systems continue. Ensuring you have a robust and agile vulnerability management program is critical to mitigating these largely automated attacks.

 

A unique HTML-based threat emerged this week, and quickly ramped up volume to the top of our lists. We will discuss more on this in the coming paragraphs.

 

Malware Activity

Rank  Name                       Volume
1     HTML/Refresh.BC!tr         1,306,781
2     WM/Agent.BJC!tr.dldr       1,159,850
3     JS/FLoader.DRY!tr.dldr     1,113,100
4     JS/Nemucod.0971!tr           710,695
5     W32/BackDoor.Prosiak.65      476,399

Locky ransomware continues to attack – while volumes compared to previous weeks have declined, the evil Locky ransomware continues to attempt to extort unwitting victims. Admittedly it is a testament to Locky’s effectiveness that criminals have latched on so completely to it, leaving most other ransomware families behind. We are seeing new WM/Agent variants (especially .BJC!tr.dldr) as well as new variants of Nemucod (.0971!tr, among others) that are all being used to distribute Locky.

It is critical to ensure endpoint devices have recent and regular offline backups. Most modern ransomware will also seek remote drives and network shares and encrypt any content it can overwrite. Limiting access to these shares and doing regular access and permission reviews can also help localize damages.

 

“Refresh” appears – HTML/Refresh.BC!tr and some variants appeared on our radar this week. These variants are designed to trick a victim’s Internet browser into redirecting to a specific site of the attacker’s choosing, where they will attempt to use drive-by-download techniques (as well as others) to serve additional malware to the victim.

 

Application Vulnerabilities / IPS

Rank  Name                                                      Volume
1     Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass  8,673,249,847
2     MS.DNS.WINS.Server.Information.Spoofing                   2,435,693,216
3     NTP.Monlist.Command.DoS                                     236,878,192
4     IPv4.Invalid.Datagram.Size                                  188,139,345
5     SNMP.Spec.Violation                                         183,619,882

Neutrino exploit kit use continues to supplant Angler – Since early June, FortiGuard Labs has noticed that a large contingent of cybercriminals have switched from Angler to the Neutrino Exploit Kit. Angler first appeared in late 2013 and had dominated the exploit kit market since 2015. Some of our researchers who monitor popular underground groups have found evidence strongly suggesting that many members of the Angler group have been apprehended by authorities.

 

ASUS Routers continue to be targets – FortiGuard Labs again saw a spike in detections of ASUS.Router.infosvr.UDP.Broadcast.Command.Execution this week. This was a vulnerability originally discovered in many of the ubiquitous routers sold by ASUS for home and SMB/SOHO use. A bug in infosvr allowed an unauthenticated user to execute arbitrary commands. These devices provide ideal targets for attackers as they are usually unmonitored and often stuffed in the back of a closet somewhere, making time to detection substantial.

 

Attacks against Windows Server DNS exploit persist – Originally reported in December 2015, the MS.DNS.WINS.Server.Information.Spoofing attack has been prevalent since the beginning of 2016. This vulnerability allows remote code execution if specially crafted requests are sent to an unpatched Windows Server 2008/2012 DNS host. DNS makes for an ideal entry point if the exploit is found – FortiGuard Labs continues to detect a massive amount of these requests moving across corporate networks.

 

Web Filtering

Ransomware attackers move fast – One piece of information we noticed in the past week or two was a seemingly innocuous site with virtually no traffic to speak of suddenly spiking over a period of a few days. At its peak, this small site was attempting to deliver literally hundreds of thousands of variants of the Locky ransomware to victims per day. But within a week, the traffic from that site returned to normal levels. This is likely due to many factors: ransomware attackers move through domains quickly to evade the inevitable shutdown of their subverted sites, site owners are quick to respond to the malicious takeover of a site, and security vendors cooperate to share information and prevent further damage.

 

Nymaim bots employ fast flux – Fast fluxing is a specialized DNS method among malware authors which is designed to rapidly pivot through domains and IP addresses with the goal of doing so faster than most security products can keep up. This can make it hard for traditional defenses to keep up – by the time a defender has filtered out the malicious IP, the attackers have long since moved on to another. In one recent case, gafbqvx dot com was used to host a final payload of Nymaim. Nymaim is primarily a ransomware program designed to lock a victim out of their computer. In recent months Nymaim has also been seen delivering other malicious programs, especially financial Trojans.
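A way to surface fast-flux names from resolver logs, added here as an example and not FortiGuard's method: count the distinct A-record answers per name, how many unrelated /16 prefixes they span, and the average TTL, then flag names that rotate through many scattered addresses with short TTLs. The log lines are constructed (the flagged name is the one mentioned above) and the thresholds are illustrative. CDNs also change answers quickly, which is what the prefix-spread check is meant to separate out.

```python
"""Fast-flux candidate detection over resolver logs. A fast-flux name rotates
its A records through many unrelated IPs with short TTLs; a CDN also changes
answers, but usually within a few of its own prefixes. Added example; the log
lines are constructed and the thresholds are illustrative, not FortiGuard's."""
from collections import defaultdict
import ipaddress

# Constructed resolver log: timestamp, queried name, TTL, answered A record.
SAMPLE_LOG = """\
2016-07-25T10:00:01 www.example.com 3600 93.184.216.34
2016-07-25T10:05:02 gafbqvx.com 120 198.51.100.7
2016-07-25T10:07:11 gafbqvx.com 90 203.0.113.22
2016-07-25T10:09:45 gafbqvx.com 120 192.0.2.150
2016-07-25T10:12:03 gafbqvx.com 60 198.18.4.9
2016-07-25T10:15:30 gafbqvx.com 120 100.64.3.3
2016-07-25T10:16:00 www.example.com 3600 93.184.216.34
2016-07-25T10:18:22 cdn.example.net 60 104.16.1.1
2016-07-25T10:20:01 cdn.example.net 60 104.16.1.2
2016-07-25T10:21:40 cdn.example.net 60 104.16.2.3
2016-07-25T10:23:05 cdn.example.net 60 104.16.2.4
2016-07-25T10:25:17 cdn.example.net 60 104.16.3.5
2016-07-25T10:27:50 gafbqvx.com 120 172.16.9.9
"""


def parse_log(text: str):
    """Yield (name, ttl, ip) per line; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, name, ttl, ip = parts
        try:
            yield name, int(ttl), ipaddress.IPv4Address(ip)
        except ValueError:
            continue


def fast_flux_candidates(records, min_ips=5, max_ttl=300, min_prefixes=4) -> dict:
    """Return {name: summary} for names meeting all three fast-flux heuristics."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for name, ttl, ip in records:
        ips[name].add(ip)
        ttls[name].append(ttl)
    out = {}
    for name in ips:
        # /16 spread separates a botnet's scattered hosts from a CDN's own ranges.
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips[name]}
        avg_ttl = sum(ttls[name]) / len(ttls[name])
        if len(ips[name]) >= min_ips and avg_ttl <= max_ttl and len(prefixes) >= min_prefixes:
            out[name] = {"ips": len(ips[name]), "prefixes": len(prefixes), "avg_ttl": avg_ttl}
    return out


if __name__ == "__main__":
    for name, summary in fast_flux_candidates(parse_log(SAMPLE_LOG)).items():
        print(name, summary)
```

On real data, run this over a sliding window (an hour or a day) rather than the whole log, and treat a hit as a lead for web-filter or DNS-sinkhole review rather than an automatic block: the heuristic has no notion of reputation and will occasionally catch legitimately anycast or multi-homed services.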


RADIUS Single Sign-On (RSSO)

FortiOS provides transparent authentication through RSSO for environments that use RADIUS. In this mode of operation, single sign-on (SSO) is achieved through RADIUS Accounting Start and Accounting Stop messages, which log users on and off. These messages are sent by the server that authenticated the user. For example, a user logs on to a Wi-Fi service, and that service sends the FortiGate an Accounting Start message containing information such as the user name, IP address and the group the user belongs to. Based on this information, FortiOS authenticates the user automatically, without any interaction on the user's part.
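The accounting exchange described above, as an added example that is not FortiOS code: the block builds an RFC 2866 Accounting-Request with the attributes RSSO relies on (User-Name, Framed-IP-Address, Class carrying the group, Acct-Status-Type and Acct-Session-Id), verifies the Request Authenticator on the receiving side, and maintains a logon table keyed by IP address the way RSSO does. The shared secret, user, address, group and session id are constructed. One caveat it makes visible: the authenticator is the only proof that the message came from a host holding the shared secret, so the secret must be strong and accounting messages should be accepted only from the configured RADIUS clients; anyone who can send a valid Accounting Start for an IP can log that IP on as any user.

```python
"""RADIUS Accounting-Request (RFC 2866) as an RSSO source would send it, plus
the check a receiver performs before trusting it. Added example, not FortiOS
code; secret, user, address, group and session id are constructed. FortiGate
RSSO keys sessions on Framed-IP-Address and, by default, takes the group from
the Class attribute."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 25, 40, 44
ACCT_START, ACCT_STOP = 1, 2
TEXT_ATTRS = {USER_NAME: "user", CLASS: "group", ACCT_SESSION_ID: "session"}


def attribute(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([atype, len(value) + 2]) + value


def build_accounting(secret: bytes, ident: int, user: str, ip: str, group: str,
                     status: int, session: str) -> bytes:
    """Accounting-Request with the attributes an RSSO-capable NAS sends on logon/logoff."""
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
             + attribute(CLASS, group.encode())
             + attribute(ACCT_STATUS_TYPE, struct.pack(">I", status))
             + attribute(ACCT_SESSION_ID, session.encode()))
    head = struct.pack(">BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5 over the packet with a zeroed
    # authenticator field, followed by the shared secret.
    authenticator = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + authenticator + attrs


def parse_accounting(packet: bytes, secret: bytes) -> dict:
    """Verify the authenticator (proof of the shared secret) and decode the attributes."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator: wrong secret or tampered packet")
    out, i = {"id": ident}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + alen]
        if atype == FRAMED_IP_ADDRESS:
            out["ip"] = str(ipaddress.IPv4Address(value))
        elif atype == ACCT_STATUS_TYPE:
            out["status"] = struct.unpack(">I", value)[0]
        elif atype in TEXT_ATTRS:
            out[TEXT_ATTRS[atype]] = value.decode()
        i += alen
    return out


def apply_rsso(sessions: dict, packet: bytes, secret: bytes) -> dict:
    """Update an RSSO-style logon table: Start adds ip -> (user, group), Stop removes it."""
    msg = parse_accounting(packet, secret)
    if msg["status"] == ACCT_START:
        sessions[msg["ip"]] = (msg["user"], msg["group"])
    elif msg["status"] == ACCT_STOP:
        sessions.pop(msg["ip"], None)
    return sessions


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    table = apply_rsso({}, build_accounting(secret, 7, "jdoe", "10.0.0.25", "GRP-Wifi", ACCT_START, "sess-001"), secret)
    print(table)
```

The group name carried in Class is what you map to a FortiGate RSSO user group, and the policy then matches on that group for the source IP until the matching Accounting Stop arrives (or the entry times out).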

Continue reading “RADIUS Single Sign-On (RSSO)”

SSL Inspection using the domain certificate

Hello everyone, today we will talk about a question we have been receiving very frequently, and one that has been bothering network administrators quite a bit!

As our friend William posted earlier (“I blocked the HTTPS pages, it worked perfectly”), great, but the users keep receiving the invalid certificate warning, and worse, it really is annoying.

One way to solve this problem is to use a certificate signed by the domain's certificate authority on the Domain Controller, since by default the workstations that are members of that domain trust that CA.

Now to what matters.

First, let's install the AD CS (certificate authority) feature on the Domain Controller:

Continue reading “SSL Inspection using the domain certificate”

Authentication for administrative users via AD.

This post was requested by our reader Edson: authenticate administrative users to the firewall through AD, and not only by password as is common, but so that an administrative user who belongs to a given group can access the console and manage the firewall. Enough talk, let's get to the technical part.

In this post I will not cover how to configure LDAP, since there is already a post about that here.

Straight to the configuration. Our first step is to create a local group that references an LDAP group.

Go to User & Device > User > User Groups > Create New

[Screenshot: GRP]

Under Remote, click Create New:

[Screenshot: GRP-2]

Select the group we want to authenticate against.

Now, with the group created and mapped to the AD group, we can create a new user in the admin section under System > Admin > Administrators > Create New

[Screenshot: GRP-3]

Enter the administrator name, set Type to Remote, select the group created earlier under User Group, and the trick is Wildcard: it lets several administrator accounts (in this case the LDAP accounts in the GRP-Tecnicos group) log in to the firewall through this single admin entry. Note that the admin profile assigned to this entry applies to every account that matches the wildcard, so pick it with least privilege in mind and keep the AD group membership tightly controlled.

[Screenshot: GRP-4]

As you can see, I was able to authenticate to the firewall with my AD user.

That's all for now. Regards.

 

 

5.4 is about to come out of the oven!

I will say nothing about how often posts appear on this blog 🙁

Fortinet's new FortiOS version, 5.4, is almost ready and, just like 5.2, it will be a watershed among the versions of the operating system.

To whet your appetite, here are some of the new features and a few screenshots:

  • The return of per-IP bandwidth consumption, now with source, destination and application options:

Add bandwidth column to realtime FortiView pages
The kernel has been updated to store differences in bytes sent/received over time for each session. The GUI will
use this information to calculate bandwidth on a per-session level, and will aggregate this up into FortiView in
order to display bandwidth per source/destination/application/etc.
The bandwidth column will be available on all realtime FortiView pages by default, and can be clicked on to sort in
descending order.
Continue reading “5.4 is about to come out of the oven!”