Equinix Customers – New Access requirements coming in October

For anyone with equipment inside Equinix facilities you need to complete a security profile. This goes into place in October. The below is from their e-mail.

Starting in October, we will provide more efficient access to Equinix IBX locations in a globally consistent process, from the front door of the IBX to your cage. To benefit from this new process as soon as it is available, take action now!

Please complete your Security Profile in the Equinix Customer Portal (ECP) by providing the following information:

  • Add a Headshot Photo
  • Create a Global 6-digit PIN
  • Sign the Global IBX Access Form
  • Provide an Electronic Signature

Once your Security Profile is complete you will receive a unique QR code, which can be accessed via the ECP or the ECP mobile application. Beginning October 21st, you will be able to use your unique QR code at the IBX Access Kiosk for an expedited security entrance process.

Corporate vs ISP networks for the ISP

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at "Patrons Only" or higher tier
Already a Patreon member? Refresh to access this post.

Circle City Con 7.0

https://www.eventbrite.com/e/circlecitycon-70-tickets-62810947234

Continuing our year after year record breaking attendance, CircleCityCon 7.0 promises to test our limits and deliver to you a conference unique from all the others.

Since Circle 1 we have delivered trainings for free with the option to reserve a seat for a modest fee. Since Circle 2 we brought the arcades in. Since Circle 3 we have put on fun themes and stories attendees will enjoy participating in, or feel free to ignore, since Circle 4 we have put on game shows, since Circle 5 we have started adding to the villages with a hardware hacking village, we continued that in Circle 6 adding the biohacking and blue team village. We also started a job fair which we hope to continue.

What will CircleCityCon 7.0 be like? What will we do? What wonders and amazing features do we have to release? ……. Not even we know.

But in August, we will give you a peek…….

Defcon News: Vulnerable Windows Drivers

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at "Patrons Only" or higher tier
Already a Patreon member? Refresh to access this post.

Dot1x in Routeros 6.45.1

Some of you may have noticed a new menu item pop up in winbox labeled dot1x

Dot1x is implementation of IEEE 802.1X standard in RouterOS. Main purpose is to provide port-based network access control using EAP over LAN also known as EAPOL. 802.1X consists of a supplicant, an authenticator and an authentication server (RADIUS server). Currently both authenticator and supplicant sides are supported in RouterOS. Supported EAP methods for supplicant are EAP-TLS, EAP-TTLS, EAP-MSCHAPv2 and PEAPv0/EAP-MSCHAPv2.

Looking at how to use this?
https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x#Application_Example

RouterOS 6.45.1 Out – Security Fixes

Mikrotik has released RouterOS 6.45.1 with some security vulnerability fixes.  Some of these have been known and fixed before, while others are new fixes

MAJOR CHANGES IN v6.45.1:
———————-
!) dot1x – added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 – added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) security – fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
!) security – fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security – fixed vulnerability CVE-2019-13074;
!) user – removed insecure password storage;

Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.

Some notes on the security Fixes
CVE-2018-1157
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request.

CVE-2018-1158
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a stack exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server via recursive parsing of JSON.

CVE-2019-11477/11478
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

CVE-2019-11479
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

CVE-2019-13074
This has been reserved and not been made widely public yet. Although a CVE ID may have been assigned by either CVE or a CAN, it will not be available in the NVD if it has a status of RESERVED by CVE.  This is traditionally done to give the vendor, in this case, Mikrotik and possibly others, a chance to fix this before the exploit is released to the general public.

Rest of the Changelog available at https://www.mikrotik.com/download

Patch your Centos Machines now

Thanks to Jan Dennis Bungart for posting this on his Facebook page. Centos has a Kernel vulnerability which can be exploited to take the machine offline. To read the gory details:

https://access.redhat.com/security/vulnerabilities/tcpsack

CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)

If you want to take the time to download and run the detections script you can do so at the following link:

https://access.redhat.com/sites/default/files/cve-2019-11477–2019-06-17-1629.sh

I copied this script. Created a file on the server named “detect.sh” did chmod 755 and chmod +x on it and then ran it. I did this on one system to see if I needed to do a reboot after the kernel patches were applied or not.  You do need to do a reboot.   After that, I just installed the updates on each machine and rebooted them.

Router Vulnerability roundup for April 2019

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at "Access to patro..." or higher tier
Already a Patreon member? Refresh to access this post.