Cisco SD-WAN Solution Packet Filtering Bypass Vulnerability

A vulnerability in the packet filtering features of Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to bypass L3 and L4 traffic filters.

The vulnerability is due to improper traffic filtering conditions on an affected device. An attacker could exploit this vulnerability by crafting a malicious TCP packet with specific characteristics and sending it to a target device. A successful exploit could allow the attacker to bypass the L3 and L4 traffic filters and inject an arbitrary packet in the network.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-sd-wan-bypass

Security Impact Rating: Medium

CVE: CVE-2019-1951


SEP Cloud blocking Google Remote Desktop

I need a solution

We have a strange situation at our workplace and we need some help.

We’ve been using the older version of chrome remote desktop, which has been working great (and still does).

Recently chrome remote desktop has been upgraded to a web only interface, and it recommends users to stop using the old chrome extension and rely exclusively on the new web interface at remotedesktop.google.com.

While the older version still works, we cannot seem to be able to connect to any machine behind our firewall (Unifi USG) while it has Symantec Cloud installed. It’s very strange, as we’ve experimented with several combinations, and the USG and Antivirus seem to be the problematic variables. If the antivirus is NOT installed on a machine within our network, we can connect fine. Also, if the machine is outside of our network, but has the Antivirus installed, it will also connect just fine. It is only when we combine Symantec Cloud WITH our USG firewall that the connection is blocked. Individually, neither presents a problem. It’s difficult to know which is the weak link in the chain.

We’ve tried creating a test group within Symantec and loosening the policies, going so far as to disable all functionality entirely, and disabling the firewall (for testing purposes), but no matter what, if the machine has the Symantec Cloud Endpoint Protection installed, it seems to prohibit remotedesktop.google.com from connecting from behind our firewall.

Our firewall is relatively simple, allowing established traffic and blocking unsolicited inbound connections, and it puzzles me why turning off the Symantec firewall didn’t solve the problem. We even went so far as to temporarily disable Windows Firewall entirely.

According to the remotedesktop.google.com help page, it functions over:

  • Outbound UDP traffic
  • Inbound UDP responses
  • Traffic on TCP ports 443 (HTTPS) and 5222 (XMPP)

Is it possible that Symantec is blocking use of those protocols, even when the firewall is disabled?

Any help would be appreciated.


SEP 15 Firewall Report Inbound Attack Sources?

I need a solution

We just noticed that our weekly Firewall Report (default) is showing a bunch of internal IP addresses as our top sources of inbound attacks. We’re trying to understand this and not having any luck finding any further information about this report. Looking on the console, I don’t see any security events that match up with these addresses. Does anyone have any clue about this, or can you point me to any documentation? Trying to figure out why/how we’d have our own machines as our top attack sources without this activity showing up in our alerts and security events. I know that some kinds of scans can get flagged as attacks, so it’s possible that these are false positives, but not finding any way to verify this.

Also not sure if this is the right forum to post about SEP 15, but the cloud console link took me here, so…

Thank you!


Traffic generated by the proxy SG with high dst ports 40xxxx to 60.xxx

I need a solution

Hi BC Community,

Analyzing different types of traffic in our network (proxies, firewalls, snort), we detected connections generated by our proxy to the internal network (not internet – pub segment). These communications are made through ports dst high 40.xxx to 60.xxx. Could someone tell us what kind of traffic this is or why it is generated?

Kindly regards

Security Team


Web pages not displaying properly

I need a solution

I have a deployment with two ProxySG S500-10’s outside of the firewall. All internal users get NAT’ed. External users are not. The proxies are native to the windows domain. All internal users are authenticated.

Web pages like MSN appear to load properly but when you browse to a page with a slideshow, you only see the first slide and can’t go past that. Also, the little icons for Facebook and Twitter and such are present, but just the color. No logo. We have not had a FLASH license until recently and it has not been configured in WCCP yet. Right now WCCP only addresses port 80 and port 443. There is an outrageous amount of <Unidentified> traffic. Over 75%

I’m trying to put together a cogent plan to address these issues.

Any help would be greatly appreciated.


SEP 14.2 interfering with Windows Firewall Security

I need a solution

Hi,

We have SEP 14.2 rolled out to some pilot users.  We do not use the SEP Firewall.  We have Windows Firewall rules active.

However, despite Windows Firewall rules being ‘On’, the Windows Security Centre complains because it’s looking for the SEP settings and complaining because the Symantec Firewall settings are ‘Off’.

Is there a way around this or is this just a cosmetic notification that we have to live with for now?

This was not an issue with SEP 14.0.

Images are below.

Any help is appreciated.


Unmanaged Lab Network Firewall policies – Looking for ideas

I do not need a solution (just sharing information)

We currently have 2 primary firewall policies, OnNet and OffNet. When OnNet (on the corporate network) the Firewall is enabled but basically in Allow All mode. When in OffNet (anywhere but the corporate network) the firewall is much more restrictive. We have an additional unmanaged network that we are trying to figure out how to deal with. We call it a Lab network and it is a combination of corporate laptops that come and go, as well as computers and devices that could have come from anywhere really, vendors, customers, etc. Some of them are computers, some of them are instruments, etc. Currently when on the “lab” network corporate computers are in OffNet mode. The issue is this: computers need to talk to devices while on that network that are consistently being blocked by the firewall. Sometimes the corporate computer initiates the connection, sometimes the other device initiates the connection. Nothing is consistent either, IPs, ports or protocols; the use case is very broad. What we don’t want to do is just turn the firewall off when they are on this network, but there is also no easy way to define what ports and protocols need to be allowed. Does anyone have any suggestions on how to deal with this?


SEP blocks NIC Teaming in Server 2019

I need a solution

Recently I installed a fresh copy of Windows Server 2019 OS Build 17763.107 on my IBM System x3650M5 machine with 4 Broadcom NetXtreme Gigabit adapters. As soon as I created NIC teaming with the LACP option (same on the switch side) and installed SEP version 14.2.3335.1000 for WIN64BIT, I got disconnected after a restart. Further investigation showed that the NIC cards individually looked fine, but the teamed NIC interface was crossed out as if the network cable was unplugged.

I upgraded drivers from Lenovo, installed cumulative updates for Windows, and ran the Symantec troubleshooter (which found zero problems related to the NIC), but nothing seems to work.

Symantec support suggested that some rule was blocking traffic. When we removed the “block any any” traffic rule from the firewall rules, the teamed NIC started up. The same happened when we just disabled the firewall module.

I had Server 2012 R2 installed prior to 2019 on this machine and it never had such a problem. A couple of years ago I tried to upgrade it to 2016, but I encountered the same “Cable unplugged” problem with NIC teaming and didn’t troubleshoot it too much, since it was only for evaluation purposes.

Any ideas? Maybe any of you encountered the same problem and more importantly: solved it without just uninstalling SEP for good? 😀
