Cisco Nexus 9000 Series Fabric Switches ACI Mode Border Leaf Endpoint Learning Vulnerability

A vulnerability within the Endpoint Learning feature of Cisco Nexus 9000 Series Switches running in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an endpoint device in certain circumstances.

The vulnerability is due to improper endpoint learning when packets from outside the ACI fabric are received on a specific port and are destined to an endpoint located on a border leaf while Disable Remote Endpoint Learning is enabled. In that case a Remote (XR) entry can be created for the affected endpoint; the entry becomes stale if the endpoint migrates to a different port or leaf switch, so traffic does not reach the affected endpoint until the Remote entry is relearned by another mechanism.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nexus-aci-dos

Security Impact Rating: Medium

CVE: CVE-2019-1977


PII Data Discovery and Methodology

I need a solution

All,

Looking to get guidance on data discovery scans I would like to perform in a large enterprise environment at a highly sensitive organization. We are looking at 500+ servers (file and database) and 3000+ endpoint laptops/desktops. The goal is to discover PII data on these target systems. The goal is to perform discovery scans on the target endpoints while limiting the network impact and the impact on the target systems.

Currently I am stuck between using IDM and EMDI and trying to understand if keyword matching or RegEx utilization will be sufficient to discover PII without impacting the network. The challenge here with IDM and EMDI is creating the data source indexes, and there are challenges in terms of scalability. Any guidance on the approach to take in performing ONLY data discovery would be appreciated. Thank you.

Are there any guides that explain how to scale a DLP environment in terms of adding endpoint and network discovery servers when going from TBs of data to PBs of data?

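The post weighs pattern matching (keyword/RegEx) against indexed matching (the IDM and EMDI options it mentions). As an added example that is not part of the original post and not any vendor's DLP engine, the Python below shows the two approaches side by side on a constructed text: validated regexes for SSN, payment-card (Luhn) and e-mail patterns, which need no index but flag any value of the right shape, and a hashed exact-match index built from known values, which only flags the records it was built from but produces no pattern false positives. The sample text, the known values and the function names are hypothetical.

```python
"""Two PII discovery approaches side by side: validated regex patterns versus
a hashed exact-data-match (EDM-style) index.

Added example, not part of the original post or of any vendor's DLP engine.
"""
import hashlib
import re
from urllib.parse import urlsplit  # unused here; kept out of EDM on purpose

# Constructed sample content (hypothetical); the card number is a test number.
SAMPLE_TEXT = """Employee record: John Doe, SSN 123-45-6789, email john.doe@example.com
Card on file 4111 1111 1111 1111 (exp 12/22). Invoice 4111 1111 1111 1112 is not a card.
Ticket 000-12-3456 is an internal reference, not an SSN."""

# US SSN with structural validation: area 000, 666 and 9xx, group 00 and
# serial 0000 are never issued, so they are rejected up front.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits):
    """Luhn check-digit test; rejects most typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def regex_scan(text):
    """Pattern-based discovery: no index needed, but every card hit is
    validated with Luhn to keep the false-positive rate down."""
    cards = []
    for m in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", m)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(m)
    return {
        "ssn": SSN_RE.findall(text),
        "card": cards,
        "email": EMAIL_RE.findall(text),
    }


def _normalize(token):
    # Strip separators and case so "123-45-6789" and "123456789" index the same.
    return re.sub(r"[^0-9a-z]", "", token.lower())


def build_edm_index(known_values):
    """Index known sensitive values as SHA-256 of their normalized form so the
    index file does not carry plaintext PII. Caveat: an unsalted hash of a
    9-digit SSN is trivially brute-forced, so the index is itself sensitive."""
    return {hashlib.sha256(_normalize(v).encode()).hexdigest() for v in known_values}


def edm_matches(text, index):
    """Exact-match discovery: flags only values the index was built from.
    Single tokens only; multi-token values (spaced card numbers) would need a
    tokenizer that joins adjacent digit groups."""
    hits = []
    for tok in text.split():
        norm = _normalize(tok)
        if norm and hashlib.sha256(norm.encode()).hexdigest() in index:
            hits.append(tok.strip(",.;:()"))
    return hits


if __name__ == "__main__":
    print(regex_scan(SAMPLE_TEXT))
    # Hypothetical known values, e.g. exported from the HR system.
    print(edm_matches(SAMPLE_TEXT, build_edm_index(["123-45-6789", "987-65-4321"])))
```

On the sample, the regex scan reports the SSN, the e-mail and only the Luhn-valid card, while the invoice number of the same shape and the "000" ticket reference are dropped; the exact-match index reports the one SSN it knows and nothing else. That is the trade-off in the question: patterns scale without an index but need validation, exact matching needs an index of every value it should find.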


How to disable cancellation notice - SBE 2013

I need a solution

I transitioned to SEP C from SBE. My end users received the notification below; how do I disable it?

Dear-

X reseller no longer manages your account. As a result, your Symantec Endpoint Protection Small Business Edition subscriptions provided by your managed service provider have been cancelled. This means that your account is in a suspended state:

• Your ELS keys are expired
• Your deployed Endpoint Protection agents no longer receive updates

Your action is required to restore Endpoint Protection services to your organization. For 60 days, your Endpoint Protection agents function without updates. You can:

• Renew your services through the Symantec e-store
• Renew your services through another managed service provider

If you feel you have received this email in error, either:

1. Contact your reseller or managed service provider for more information.
2. Contact Customer Support.



Endpoint Protection File ID

I need a solution

I used the endpoint below to upload the file from SEP to SEPM. I want to fetch the uploaded data, and I used this endpoint (command-queue/file/{file_id}/details) to do that, but it needs the file_id; the first endpoint only returns the command_id. Please, can someone help me get the file_id?

1. api/v1/command-queue/files



SEP 12.1 Will Reach End of Standard Support Life on 3 April 2019

I do not need a solution (just sharing information)

Just raising awareness: 

End of Support Life for Endpoint Protection 12.x

https://www.symantec.com/connect/blogs/end-support-life-endpoint-protect…

http://www.symantec.com/docs/TECH239769

Definitions will continue for two additional years, but after the 3rd of April SEP 12.1 will not be receiving any bug fixes, enhancements or improvements. All of those new features and technologies will be included in more recent product releases. So: it’s time to think about a calm and well-managed migration to SEP 14, in case the process has not already begun!



How to investigate C2/Generic-C Detection

This article describes the steps to quickly identify the source of a C2/Generic-C alert on an endpoint by investigating on the Sophos XG Firewall.


Applies to the following Sophos products and versions:

  • Central Mac Endpoint
  • Central Windows Endpoint
  • Sophos Central Managed Server 1.5.6
  • Sophos XG Firewall

The C2/Generic Detection Explained article explains the types of C2/Generic-* detections that Sophos products can generate.

If a machine goes into a Bad Health state on the Central Dashboard due to a C2/Generic-C detection, it will show up in Events:

Note that it was the XG Firewall, not the Sophos Endpoint agent on the machine, that detected a communication attempt from the endpoint towards a known malicious website. As soon as it detected this communication it blocked the connection, raised a C2/Generic-A on the XG Firewall and passed this information to the endpoint via Heartbeat. The C2/Generic-C on the endpoint is the end result of this process.

The Events on the Central Dashboard or Sophos logs on the endpoint may not help you to find out what triggered this detection.

The clue lies on the XG Firewall. Open your XG Dashboard and navigate to Monitor and Analyze > Reports > Networks and Threats.

Filter by Advanced Threat Protection and the date of the detection events:

This area helps us understand more about the detection.

IP of the Machine which caused the detection: ***.***.12.134

DNS server configured on the machine: ***.***.11.10

If you look closely at the Event Last Seen column, the time difference between the two alerts is minimal. This indicates that the endpoint requested DNS resolution of the malicious domain from its configured DNS server; the DNS server's outbound resolution request was then intercepted and blocked by the XG Firewall. The IPS module of the XG also intercepted a malicious connection attempt from the machine itself.

On the Central Dashboard, if we further check the Events on the machine, we can see several URLs bypassed by the user:

Although the redacted URL above is not the same as the one we categorised as a malicious website, the top-level domain the two share in this case, .cz, gives us a lead.

So it is reasonable to assume that a user unknowingly landed on a web page that triggered the DNS resolution of a known malicious website.

  • Sophos advises having a good web filtering solution in place at the perimeter, because Endpoint Web Control provides only baseline protection, most of which relies on category-based filtering. If you are actively using Endpoint Web Control, we advise changing its configuration to allow only productivity-related categories.
  • Run a full system scan on the endpoint to ensure that no malware remnants remain, then reboot.
  • Go to Central Dashboard > Machine > Status, where the alert can be marked as resolved.

Note: this was a demonstration of a simple scenario. There may be more advanced attacks that the XG is mitigating, but this article serves as a baseline for IT administrators to start their investigation. If the alerts persist on the XG or the Central Dashboard, please contact Sophos Support.
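The correlation the article walks through by eye (an endpoint event and a DNS-server event for the same threat a second or two apart, then the TLD comparison against user-bypassed URLs) can be scripted over an export of the ATP report. The Python below is an added example, not Sophos code: the event records are constructed and simplified, their field names are assumptions rather than the XG report schema, and the addresses are documentation-range placeholders.

```python
"""Attribute XG ATP blocks seen from a DNS server back to the endpoint that
asked for the resolution, then check user-bypassed URLs for a shared TLD.

Added example; not Sophos code. The record layout is an assumption
(a simplified export), not the real XG report schema.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample ATP events (hypothetical; RFC 5737 placeholder addresses).
SAMPLE_EVENTS = [
    {"last_seen": "2019-02-20 10:41:02", "src_ip": "192.0.2.134",
     "threat": "C2/Generic-A", "domain": "bad-example.cz", "module": "IPS"},
    {"last_seen": "2019-02-20 10:41:03", "src_ip": "192.0.2.10",
     "threat": "C2/Generic-A", "domain": "bad-example.cz", "module": "DNS"},
    # A DNS-server block with no endpoint event nearby: attribution unknown.
    {"last_seen": "2019-02-20 14:05:17", "src_ip": "192.0.2.10",
     "threat": "C2/Generic-A", "domain": "other-example.ru", "module": "DNS"},
]
# Internal resolvers: a block sourced from one of these hides the real requester.
DNS_SERVERS = {"192.0.2.10"}
# Constructed list of URLs the user chose to bypass (as shown in Central Events).
SAMPLE_BYPASSED = ["http://www.shop-example.cz/offer", "https://news.example.com/"]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _ts(event):
    return datetime.strptime(event["last_seen"], TS_FORMAT)


def attribute_dns_blocks(events, dns_servers, window=timedelta(seconds=5)):
    """For each ATP event whose source is a DNS server, find the closest event
    for the same domain from a non-resolver address within `window`; that
    address is the endpoint that asked for the resolution. Returns one dict
    per DNS-server event in time order; `endpoint` is None when nothing
    correlates and other evidence (browsing history, bypassed URLs) is needed."""
    ordered = sorted(events, key=_ts)
    results = []
    for ev in ordered:
        if ev["src_ip"] not in dns_servers:
            continue
        best = None
        for other in ordered:
            if other["src_ip"] in dns_servers or other["domain"] != ev["domain"]:
                continue
            delta = abs(_ts(other) - _ts(ev))
            if delta <= window and (best is None or delta < best[0]):
                best = (delta, other["src_ip"])
        results.append({
            "domain": ev["domain"],
            "dns_server": ev["src_ip"],
            "endpoint": best[1] if best else None,
            "delta_seconds": int(best[0].total_seconds()) if best else None,
        })
    return results


def _tld(host):
    return host.rsplit(".", 1)[-1].lower()


def bypassed_urls_sharing_tld(bypassed_urls, blocked_domain):
    """Weak lead, as the article says: bypassed URLs whose TLD matches the
    blocked domain's. A shared TLD is a hint about where to look in the
    browsing history, not proof of the infection path."""
    want = _tld(blocked_domain)
    return [u for u in bypassed_urls if _tld(urlsplit(u).hostname or "") == want]


if __name__ == "__main__":
    for r in attribute_dns_blocks(SAMPLE_EVENTS, DNS_SERVERS):
        print(r)
    print(bypassed_urls_sharing_tld(SAMPLE_BYPASSED, "bad-example.cz"))
```

On the sample data the first DNS-server block is attributed to 192.0.2.134 with a one-second gap, the second stays unattributed because no endpoint event sits within the window, and only the .cz bypassed URL survives the TLD filter. Tune `window` to the resolver's forwarding latency on your network; a window that is too wide will attribute blocks to whichever endpoint happened to be noisy at the time.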


Free Webinar Feb 13, 2019: Redefining Endpoint Security

I do not need a solution (just sharing information)

Just raising awareness: 

Redefining Endpoint Security – How to Better Secure the Endpoint
https://www.symantec.com/about/webcasts

Symantec Unites Superior Protection, Automation and Artificial Intelligence in its most Advanced Endpoint Security Solutions.
As attackers become more sophisticated, advanced protection and hardening are necessary for added layers of security.
Join our webinar for first-hand insights on the newest cloud-delivered endpoint security solutions and hear from Joakim Liallias, Symantec and special guest speakers Sundeep Vijeswarapu from PayPal and top industry analyst Fernando Montenegro, 451 Research as they discuss:
• How to gain a better understanding about the trends that are driving the need for a more comprehensive endpoint security approach.
• How PayPal is using Symantec Endpoint Security to protect their endpoints.
• How Symantec is redefining endpoint security with its new complete cloud-delivered endpoint defense:
– Introducing never seen before innovation to deliver best-in-class prevention
– Hardening Detection and Response to help customers achieve superior threat prevention,
– Quicker identification of attackers and more tightly integrated technology and human expertise lead to better response and faster remediation
– Security professionals and IT teams are strapped for time – streamlined management and automation will reduce significant burden
Don’t miss this great opportunity to get the latest information on taking steps towards simplifying Endpoint Security for your organization
