Cisco SD-WAN Solution Packet Filtering Bypass Vulnerability

A vulnerability in the packet filtering features of Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to bypass L3 and L4 traffic filters.

The vulnerability is due to improper traffic filtering conditions on an affected device. An attacker could exploit this vulnerability by crafting a malicious TCP packet with specific characteristics and sending it to a target device. A successful exploit could allow the attacker to bypass the L3 and L4 traffic filters and inject an arbitrary packet in the network.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-sd-wan-bypass

Security Impact Rating: Medium

CVE: CVE-2019-1951


SEPM Live Update Error: “…could not update Symantec Endpoint Protection Manager Content Catalog 14.2”

I need a solution

Problem: LiveUpdate on both SEPMs started giving the error, “Symantec Endpoint Protection Manager could not update Symantec Endpoint Protection Manager Content Catalog 14.2,” nearly 2.5 days ago. The logs have:

08/01 09:16:40 [1fac:1820] NONE        SesmLu SesmLuObjects DownloadedContent attribute read error: ClientMoniker, 6, Msg: Invalid pointer, hr: 80004003
08/01 09:16:33 [2960:280c] WARNING     SesmLu SesmLuObjects WARNING: DownloadedContent {22F6E1E7-C0A8-5601-231C-63C505180278} not found in content catalog, reading LUDCA.xml further
08/01 09:16:33 [2960:280c] NONE        SesmLu SesmLuObjects DownloadedContent attribute read error: ClientMoniker, 6, Msg: Invalid pointer, hr: 80004003
08/01 09:16:33 [2960:280c] WARNING     SesmLu SesmLuObjects WARNING: DownloadedContent {D3376E34-0A4B-0378-40BB-F90B3C7D94A4} not found in content catalog, reading LUDCA.xml further
08/01 09:16:33 [2960:280c] NONE        SesmLu SesmLuObjects DownloadedContent attribute read error: ClientMoniker, 15, Msg: Invalid pointer, hr: 80004003
08/01 09:16:33 [2960:280c] WARNING     SesmLu SesmLuObjects WARNING: DownloadedContent {E384F559-0A4B-0378-2A47-D5D9C12B8E18} not found in content catalog, reading LUDCA.xml further
08/01 09:16:33 [2960:280c] NONE        SesmLu SesmLuObjects DownloadedContent attribute read error: ClientMoniker, 19, Msg: Invalid pointer, hr: 80004003
08/01 09:16:33 [2960:280c] WARNING     SesmLu SesmLuObjects WARNING: DownloadedContent {C2A2A1DB-4AAF-498E-900A-3D7135B53966} not found in content catalog, reading LUDCA.xml further

Environment: Two Windows Server 2016 with 14.2.1015.0100 (waiting for 14.2 RU1 MP1 to upgrade), embedded database, and replication between them.

Support’s Proposed Solution: Break replication, run a repair on SEPM, and then run LiveUpdate to see if the error is gone.

Since both SEPMs started to have the problem at the same time, I highly suspect there is a problem with Symantec’s LiveUpdate servers and not my local SEPMs (no changes on them for months). Does this proposed solution from support make sense for this problem, or do you have a better idea?


Mac Clients “at risk” need admin rights…..?

I need a solution

Hi,

I have a problem with Mac clients in completely different networks. I use Symantec Endpoint Protection Cloud. After creating an install package and using all default settings from Symantec, the clients are “safe” and green after a fresh installation.

Now, a few weeks or months later, “all” the clients are “at risk” in the client GUI. The message is “you have to scan your machine, for this you need admin rights”.

I have been investigating for months now with Symantec support. They are unable to solve this problem. That drives me nuts.

In the console under https://securitycloud.symantec.com all clients are green and safe... also those clients that are “at risk” when you open the GUI on the client.

LiveUpdate is OK and green at the client.

All clients are macOS Sierra and High Sierra.

I would be very lucky if someone can help me with this. Thank you!


14.2 RU1 won’t install on 2008 SP2 x64

I need a solution

I’m trying to upgrade a client on a Windows Server 2008 SP2 x64 machine, but it will not install.

I see the following in the SEP_INST log:

CommunicateLaunchConditions: NOT PackageIntegrityError=1
CommunicateLaunchConditions: VersionNT >= 601=0
CommunicateLaunchConditions: Symantec Endpoint Protection only be installed on Windows 7 / Server 2008 R2 and later.
CommunicateLaunchConditions:  calling communicate state with the following arguments: 
CommunicateLaunchConditions: Prodversion = 14.2.3332.1000
CommunicateLaunchConditions: PathToSylink = C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.1015.0100.105\SmcLUSetup
CommunicateLaunchConditions: Oldversion = 14.2.1015.0100
CommunicateLaunchConditions: ReasonStr = Symantec Endpoint Protection only be installed on Windows 7 / Server 2008 R2 and later.
CommunicateLaunchConditions: StatusCode = 302469127
CommunicateLaunchConditions: Initializing opstate communicator
CommunicateLaunchConditions:   File path = C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.1015.0100.105\SmcLUSetup\SyLink.xml
CommunicateLaunchConditions:   Reg  path = 
CommunicateLaunchConditions: Invalid registry path for client identity
CommunicateLaunchConditions: Added OpState callback
CommunicateLaunchConditions: Added OpState provider.
CommunicateLaunchConditions: Initialized UserInfo Provider. Initialization done.
CommunicateLaunchConditions: Successfully created CVE object
CommunicateLaunchConditions: Failed to send the opstate: 0x80004005
MSI (s) (F0:88) [07:20:28:674]: Doing action: preLaunchCond
Action ended 7:20:28: CommunicateLaunchConditions. Return value 1.
MSI (s) (F0:7C) [07:20:28:690]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI47E5.tmp, Entrypoint: preLaunchCond
Action start 7:20:28: preLaunchCond.
MSI (s) (F0!D4) [07:20:29:767]: Note: 1: 2731 2: 0 
IDCCA:  preLaunchCond – Launch condition `7Symantec Endpoint Protection only be installed on Windows 7 / Server 2008 R2 and later.` with condition `VersionNT >= 601` failed

But in the release notes I see the following:

Windows Server 2008 (32-bit, 64-bit; RTM, R2, SP1, and SP2)

Anybody seen this happen before and maybe has a solution? 

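The log above shows the installer's launch condition `VersionNT >= 601` evaluating to 0, which is why the MSI stops before copying anything. An administrator triaging a failed upgrade can pull the failed condition out of SEP_INST and evaluate it against the VersionNT the target would report before opening a support case. The following is an added example (not Symantec's code and not from the original post); it assumes the MSI `VersionNT` property values 600 for Windows Server 2008 SP2 (the Vista kernel) and 601 for Windows 7 / Server 2008 R2, and it only understands the two condition shapes that appear in the log.

```python
import re

# Constructed excerpt modelled on the SEP_INST lines quoted in the post above.
SAMPLE_LOG = """\
CommunicateLaunchConditions: NOT PackageIntegrityError=1
CommunicateLaunchConditions: VersionNT >= 601=0
CommunicateLaunchConditions: Symantec Endpoint Protection only be installed on Windows 7 / Server 2008 R2 and later.
IDCCA:  preLaunchCond - Launch condition `7Symantec Endpoint Protection only be installed on Windows 7 / Server 2008 R2 and later.` with condition `VersionNT >= 601` failed
"""

# MSI VersionNT = major*100 + minor; values assumed from the Windows Installer property docs.
VERSION_NT = {
    "Windows Server 2008 SP2": 600,  # shares the Vista kernel (6.0)
    "Windows Server 2008 R2": 601,   # shares the Windows 7 kernel (6.1)
}

# The custom action reports a failed condition as:
#   Launch condition `<message>` with condition `<expr>` failed
_FAILED = re.compile(r"Launch condition `(?P<msg>[^`]*)` with condition `(?P<cond>[^`]*)` failed")

_CMP = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "<>": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b,
}
_COMPARISON = re.compile(r"^\s*(\w+)\s*(>=|<=|<>|>|<|=)\s*(\d+)\s*$")
_NOT = re.compile(r"^\s*NOT\s+(\w+)\s*$")


def parse_failed_conditions(log_text):
    """Return (message, condition) pairs for every launch condition the log reports as failed."""
    return [(m.group("msg"), m.group("cond")) for m in _FAILED.finditer(log_text)]


def evaluate_condition(condition, props):
    """Evaluate the subset of MSI condition syntax seen in the log:
    'PROP op NUMBER' and 'NOT PROP'. An undefined property is treated as empty,
    so 'NOT PROP' is true and a numeric comparison against it is false
    (a simplification of the Installer's full rules)."""
    m = _NOT.match(condition)
    if m:
        return not props.get(m.group(1))
    m = _COMPARISON.match(condition)
    if m:
        prop, op, number = m.groups()
        value = props.get(prop)
        if value is None:
            return False
        return _CMP[op](int(value), int(number))
    raise ValueError(f"unsupported condition: {condition!r}")


def blocking_conditions(log_text, version_nt):
    """Which failed launch conditions would still fail on a host reporting the given VersionNT."""
    props = {"VersionNT": version_nt}
    return [(msg, cond) for msg, cond in parse_failed_conditions(log_text)
            if not evaluate_condition(cond, props)]


if __name__ == "__main__":
    for os_name, vnt in VERSION_NT.items():
        blocked = blocking_conditions(SAMPLE_LOG, vnt)
        status = "blocked by " + blocked[0][1] if blocked else "launch conditions pass"
        print(f"{os_name} (VersionNT={vnt}): {status}")
```

Running it prints that Server 2008 SP2 is blocked by `VersionNT >= 601` while Server 2008 R2 passes, which matches the condition text in the log: the package's own gate is the kernel version, independent of what the release-notes table lists.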

SEP Cloud blocking Google Remote Desktop

I need a solution

We have a strange situation at our workplace and we need some help.

We’ve been using the older version of chrome remote desktop, which has been working great (and still does).

Recently Chrome Remote Desktop has been upgraded to a web-only interface, and it recommends users stop using the old Chrome extension and rely exclusively on the new web interface at remotedesktop.google.com.

While the older version still works, we cannot seem to connect to any machine behind our firewall (Unifi USG) while it has Symantec Cloud installed. It’s very strange, as we’ve experimented with several combinations, and the USG and antivirus seem to be the problematic variables. If the antivirus is NOT installed on a machine within our network, we can connect fine. Also, if the machine is outside of our network but has the antivirus installed, it will also connect just fine. It is only when we combine Symantec Cloud WITH our USG firewall that the connection is blocked. Individually, neither presents a problem. It’s difficult to know which is the weak link in the chain.

We’ve tried creating a test group within Symantec and loosening the policies, going so far as to disable all functionality entirely, and disabling the firewall (for testing purposes), but no matter what, if the machine has Symantec Cloud Endpoint Protection installed, it seems to prohibit remotedesktop.google.com from connecting from behind our firewall.

Our firewall is relatively simple, allowing established traffic and blocking unsolicited inbound connections, and it puzzles me why turning off the Symantec firewall didn’t solve the problem. We even went so far as to temporarily disable Windows Firewall entirely.

According to the remotedesktop.google.com help page, it functions over:

  • Outbound UDP traffic
  • Inbound UDP responses
  • Traffic on TCP ports 443 (HTTPS) and 5222 (XMPP)

Is it possible that Symantec is blocking use of those protocols, even when the firewall is disabled?

Any help would be appreciated.


AntiVirus processes and this is triggering tamper protection

I need a solution

Our customer is using Symantec Endpoint Protection v14 (14.2) build 1023 (14.2.1023.0100), and it’s blocking a few EXEs from our product.

We are getting the below exception:

[From event_log.xml…]
Scan type: Tamper Protection Scan
Event: Tamper Protection Detection
Security risk detected: D:E2EAPMTMAITM6_X64NET_CLR_VERSION64.EXE
File: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.1023.0100.105\Bin\ccSvcHst.exe
Location: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.1023.0100.105\Bin
User: SYSTEM
Action taken: Access denied
Date found: Thursday, June 13, 2019 3:08:30 PM

We are not sure why it’s blocking this NET_CLR_VERSION64.EXE.

Is it a known issue in this Symantec Antivirus version? Is it safe to ignore this exception, or is it harmful?


Domain Change

I need a solution

Dear all,

Recently I have been infected by ransomware. Anyhow, my domain controller has been infected, so I changed Windows, but I forgot to demote the Symantec server from the domain, and now

I can’t access the Symantec Endpoint Protection Manager, and I also can’t install the endpoint which is a member of the new domain.


SEP 15 Firewall Report Inbound Attack Sources?

I need a solution

We just noticed that our weekly Firewall Report (default) is showing a bunch of internal IP addresses as our top sources of inbound attacks. We’re trying to understand this and not having any luck finding any further information about this report. Looking on the console, I don’t see any security events that match up with these addresses. Does anyone have any clue about this, or can you point me to any documentation? Trying to figure out why/how we’d have our own machines as our top attack sources without this activity showing up in our alerts and security events. I know that some kinds of scans can get flagged as attacks, so it’s possible that these are false positives, but not finding any way to verify this.

Also not sure if this is the right forum to post about SEP 15, but the cloud console link took me here, so…

Thank you!


Traffic generated by the proxy SG with high dst ports 40xxxx to 60.xxx

I need a solution

Hi BC Community,

Analyzing different types of traffic in our network (proxies, firewalls, Snort), we detected connections generated by our proxy to the internal network (not the internet / pub segment). These communications are made through high destination ports, 40xxx to 60xxx. Could someone tell us what kind of traffic this is or why it is generated?

Kind regards,

Security Team
