Archive for the ‘network security’ Category
Cynet is offering unhappy competitors’ customers a refund for the time remaining on existing contracts
One of the most devastating aspects of the recent WannaCry ransomware attack was its self-propagating capability, exploiting a vulnerability in the SMBv1 file-sharing protocol.
Most enterprise defences are externally facing, focused on stopping incoming email and web attacks. But once attackers gain a foothold inside the network through malware, there are very few security controls that
Admit it. Who would not want their firewall maintenance grunt work to go away?
For more than 20 years, companies either managed their own edge firewall appliances or had service providers rack and stack appliances in their data centers and run them on their behalf.
This was called a managed firewall: an appliance wrapped with a managed service, often from a carrier or managed security service provider
As governments and enterprises migrate toward controller-based architectures, the role of a core network engineer is evolving and more important than ever.
There is a growing number of jobs in networking, but if you lag behind, you need to pass some certification exams to enter this industry and get a significant boost in your IT career.
If you are looking forward to making career
OpenSSL, the popular general-purpose cryptographic library that implements the SSL/TLS protocols used to secure web traffic, has recently suffered from several vulnerabilities. We have written about “CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL” and “SSL Death Alert (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers” among others. Today we examine the high-severity bug CVE-2017-3733, the Encrypt-then-MAC renegotiation crash, which lets a peer cause a denial of service.
Before SSL/TLS encrypts data, it runs the Handshake and ChangeCipherSpec protocols.
During the Handshake phase, the client and server agree on a cipher suite, that is, which key exchange, encryption and MAC algorithms to use. Once the negotiation is done, each side sends a ChangeCipherSpec message, after which everything it transmits is protected with the negotiated keys and algorithms.
In SSL/TLS a record's payload is combined with its message authentication code (MAC) in one of two ways:
- MAC-then-encrypt: the MAC is computed over the plaintext, appended to it, and the whole thing (plus padding, for CBC suites) is encrypted. The receiver must decrypt before it can verify anything.
- Encrypt-then-MAC: the plaintext is encrypted first and the MAC is computed over the resulting ciphertext and appended to it. The receiver can verify the MAC and reject a tampered record before decrypting it, which is what makes this construction the safer of the two.
TLS defaults to MAC-then-encrypt. A client that supports Encrypt-then-MAC advertises the extension (RFC 7366) in its ClientHello; if the server echoes it in its ServerHello and a CBC block-cipher suite is selected, both sides compute the MAC over the ciphertext from the next ChangeCipherSpec onward. The extension is not used with AEAD suites such as AES-GCM, where the cipher authenticates the data itself.
If the client or server wishes to change the cipher suite already agreed upon, it can renegotiate. This can occur at any time during data transfer by initiating a new handshake, which is carried (encrypted) over the existing TLS connection; the new keys and algorithms only take effect once the new ChangeCipherSpec messages are exchanged.
Triggering the vulnerability
OpenSSL offers this explanation:
“During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.”
Suppose the client completes a TLS handshake with the server without the Encrypt-then-MAC extension. If the client then starts a renegotiation whose ClientHello does carry the extension, and sends a record protected under the still-active original cipher state before the new ChangeCipherSpec is exchanged, the server crashes, causing a denial of service.
When the client triggers this vulnerability, the server crashes in the ssl3_get_record function in ssl3_record.c:
The crash occurs at line 352, where an assertion checks that mac_size does not exceed EVP_MAX_MD_SIZE (64 bytes):
The if statement preceding the assertion checks whether the Encrypt-then-MAC flag is set on the connection. The macro in the if condition:
The flag TLS1_FLAGS_ENCRYPT_THEN_MAC is set as soon as the renegotiation ClientHello carrying the Encrypt-then-MAC extension is processed, so control enters the if block. But the ChangeCipherSpec message has not yet arrived, so the record layer is still decrypting with the cipher state of the original handshake, which was not negotiated with Encrypt-then-MAC.
Setting a breakpoint at line 352 and inspecting mac_size shows the value 0xffffffff, far larger than EVP_MAX_MD_SIZE (64). The assertion fails and the server aborts.
Let's look at the code to see how mac_size gets that value. It is computed by EVP_MD_CTX_size, a macro that expands to EVP_MD_size(EVP_MD_CTX_md(ctx)).
EVP_MD_size returns -1 when the context has no message digest. Stored in the unsigned mac_size variable, -1 becomes its 32-bit two's-complement bit pattern, 0xffffffff (4294967295). In other words, s->read_hash yields no digest: the original session's record state, which the server is still using, has no MAC digest to consult in the Encrypt-then-MAC path. This is also the ciphersuite dependency the advisory mentions: when the original handshake negotiated a suite whose record state does carry a digest, EVP_MD_CTX_size returns its real size and the assertion holds.
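To make the root cause concrete, here is a small C model of the record-layer check described above. This is an added example, not OpenSSL's code: the struct fields, flag names and scenario functions are hypothetical stand-ins for s->s3->flags, s->read_hash and the ssl3_get_record logic in the post. It shows the two ingredients of the crash (a flag that is set when the extension is parsed rather than when ChangeCipherSpec activates the new state, and a signed -1 silently stored in an unsigned mac_size), and a fixed shape that tracks the read direction separately and checks the digest size before converting it, which is the direction the upstream fix in 1.1.0e took with its separate read/write Encrypt-then-MAC flags.

```c
#include <stdio.h>

/* Added example, not OpenSSL code: a small model of the record-layer state
 * that CVE-2017-3733 mishandles. The struct fields and flag names below are
 * hypothetical stand-ins for s->s3->flags and s->read_hash in the post. */

#define EVP_MAX_MD_SIZE 64       /* the value OpenSSL's assertion compares against */

/* Single flag, as in the vulnerable code: set when the EtM extension is
 * parsed, regardless of which cipher state the record layer is using. */
#define FLAG_ETM        0x01
/* Per-direction flags, modelled on the fix: set only when ChangeCipherSpec
 * activates a cipher state that was negotiated with EtM. */
#define FLAG_ETM_READ   0x02
#define FLAG_ETM_WRITE  0x04

/* Stand-in for EVP_MD_CTX: digest_size < 0 means "no digest attached". */
typedef struct { int digest_size; } md_ctx;

typedef struct {
    unsigned flags;
    const md_ctx *read_hash;   /* current read-side MAC context, may be NULL */
} conn;

/* Stand-in for EVP_MD_CTX_size(): -1 when there is no digest to measure. */
int md_ctx_size(const md_ctx *ctx)
{
    return (ctx == NULL) ? -1 : ctx->digest_size;
}

/* What the vulnerable record layer effectively does with the return value:
 * assign a signed -1 to an unsigned variable. */
unsigned int stored_mac_size(int size)
{
    unsigned int mac_size = size;   /* -1 wraps to 0xffffffff */
    return mac_size;
}

/* Vulnerable shape: returns 1 where OPENSSL_assert() would abort the process,
 * 0 where the record would be processed normally. */
int get_record_vulnerable(const conn *s)
{
    if (s->flags & FLAG_ETM) {
        unsigned int mac_size = md_ctx_size(s->read_hash);
        if (!(mac_size <= EVP_MAX_MD_SIZE))
            return 1;   /* assertion failure: 0xffffffff > 64 */
    }
    return 0;
}

/* Fixed shape: consult the read-direction flag only, and treat a negative
 * digest size as an error instead of converting it to unsigned. */
int get_record_fixed(const conn *s)
{
    if (s->flags & FLAG_ETM_READ) {
        int size = md_ctx_size(s->read_hash);
        if (size < 0 || size > EVP_MAX_MD_SIZE)
            return -1;  /* ordinary error path, connection torn down cleanly */
    }
    return 0;
}

/* Constructed scenario from the post: the original handshake used a suite with
 * no MAC digest (an AEAD suite), the renegotiation ClientHello carries the EtM
 * extension, and a record arrives before the new ChangeCipherSpec. */
int scenario_renegotiation_before_ccs_vulnerable(void)
{
    conn s = { FLAG_ETM, NULL };          /* flag already set, old read state */
    return get_record_vulnerable(&s);     /* 1: crash */
}

int scenario_renegotiation_before_ccs_fixed(void)
{
    conn s = { FLAG_ETM, NULL };          /* ETM_READ not set until CCS */
    return get_record_fixed(&s);          /* 0: record handled under old state */
}

/* Contrast case: the original suite carried a 32-byte HMAC digest, so the
 * size lookup returns a real value and the assertion holds. */
int scenario_cbc_suite_vulnerable(void)
{
    static const md_ctx sha256 = { 32 };
    conn s = { FLAG_ETM, &sha256 };
    return get_record_vulnerable(&s);     /* 0 */
}

/* After ChangeCipherSpec activates an EtM read state, the fixed path checks it. */
int scenario_after_ccs_fixed(void)
{
    static const md_ctx sha256 = { 32 };
    conn s = { FLAG_ETM_READ | FLAG_ETM_WRITE, &sha256 };
    return get_record_fixed(&s);          /* 0 */
}

int main(void)
{
    printf("mac_size as stored from -1:    0x%08x\n", stored_mac_size(-1));
    printf("vulnerable, record before CCS: %d\n", scenario_renegotiation_before_ccs_vulnerable());
    printf("fixed, record before CCS:      %d\n", scenario_renegotiation_before_ccs_fixed());
    printf("vulnerable, CBC suite:         %d\n", scenario_cbc_suite_vulnerable());
    return 0;
}
```

The two scenario pairs are the whole story: with the single flag, the record layer believes it is in Encrypt-then-MAC mode while still holding the old cipher state, and the negative return value is never checked before it is widened to unsigned. Either fix alone (deciding per direction at ChangeCipherSpec, or rejecting a negative digest size) would have prevented the abort; the upstream change did the former, which also removes the class of bug rather than just the symptom.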
Users of McAfee products are protected from this attack by signature 0x45c09700. All administrators should update OpenSSL to a version containing the fix: the issue affects the 1.1.0 branch and was fixed in 1.1.0e, while 1.0.2 is not affected.
Thanks to Hardik Shah for helping me with this post.
The post Vulnerable OpenSSL Handshake Renegotiation Can Trigger Denial of Service appeared first on McAfee Blogs.
The term “firewall” has been used since early computing days to describe a kind of electronic bouncer that keeps threats from entering your network. But it would be a mistake to think that this fundamental network security measure is now old school. With the recent boom in internet-connected devices, firewalls are more important than ever.
Firewalls work by examining the traffic crossing your internet connection and blocking whatever does not match the rules they are configured to allow. They are an important first line of defense because they can stop a malicious program, or an attacker, from reaching your network and your information before any damage is done.
Firewalls come in two forms: either as a software program that you install on your computer, or as part of a piece of hardware, like a router, that monitors access to all of the devices with which it connects. In an ideal situation, you would have both.
Software firewalls are important because they keep your computer protected even when you take it somewhere else, like your office or a coffee shop. Plus, software firewalls can be customized to block unsafe applications, set up safe printer sharing, and more.
That said, a hardware firewall is also necessary if you have a number of computers and devices in one location. A hardware firewall allows you to filter access to all of these devices from one piece of equipment. You will just need to consult your manual to configure it correctly and adjust a few settings.
Hardware firewalls provide essential security for the Internet of Things (IoT), like smart thermostats and smart light bulbs. This is because these new devices often come with weak security features, leaving your network vulnerable if the devices aren’t secured by a firewall.
Take, for instance, the large-scale attack in October 2016 on the DNS provider Dyn that took down many popular websites. The attackers used hundreds of thousands of infected webcams, DVRs and other IoT devices to flood the service with traffic. The devices used in the attack were consumer devices, like yours, left unprotected and still running their default passwords.
The simple truth is that the more connected we become, the more vulnerable we are to security threats, making the smart use of firewalls even more important.
Here are a few tips to make sure that you stay protected:
- Secure your computers with a software firewall, like the one included in the McAfee LiveSafe ™ service. In addition to firewall protection, McAfee LiveSafe™ gives you the extra advantage of providing antivirus and threat protection for all your devices, including smartphones and tablets.
- Use the hardware firewall that is built into your home router or gateway. Consult the manual that came with your router, or do a quick online search to find steps to walk you through the setup.
- Know that each new internet-connected device you bring into your home is a potential avenue of attack. Change any default passwords before the device goes online, and keep those devices current with the latest manufacturer updates.