Cisco Prime Infrastructure Certificate Validation Vulnerability

A vulnerability in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI) could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI.

The vulnerability is due to improper validation of the server SSL certificate when establishing the SSL tunnel with ISE. An attacker could exploit this vulnerability by using a crafted SSL certificate and could then intercept communications between the ISE and PI. A successful exploit could allow the attacker to view and alter potentially sensitive information that the ISE maintains about clients that are connected to the network.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-prime-validation

Security Impact Rating: High

CVE: CVE-2019-1659

Related:

  • No Related Posts

Cisco SPA112, SPA525, and SPA5x5 Series IP Phones Certificate Validation Vulnerability

A vulnerability in the certificate handling component of the Cisco SPA112, SPA525, and SPA5X5 Series IP Phones could allow an unauthenticated, remote attacker to listen to or control some aspects of a Transport Layer Security (TLS)-encrypted Session Initiation Protocol (SIP) conversation.

The vulnerability is due to the improper validation of server certificates. An attacker could exploit this vulnerability by crafting a malicious server certificate to present to the client. An exploit could allow an attacker to eavesdrop on TLS-encrypted traffic and potentially route or redirect calls initiated by an affected device.

There are no workarounds that address this vulnerability.
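Both certificate-validation advisories above (the PI/ISE integration and the SPA IP phones) describe the same defect class: a TLS client that does not check the server certificate it is presented with, so any certificate an on-path host offers is accepted. The following Python example is added here and is not Cisco's code; it shows the weak client configuration beside the corrected one (chain validation against a trust store, hostname check, modern protocol floor) and, for integrations that talk to one known peer, an additional SHA-256 fingerprint pin. The host names, CA file path and fingerprint are placeholders, and the DER bytes used to exercise the pin check are constructed.

```python
"""Added example (not Cisco's code): what "validating the server certificate"
means for a TLS client, as the weak configuration beside the corrected one."""
import hashlib
import hmac
import socket
import ssl
from typing import Dict, Optional


def weak_client_context() -> ssl.SSLContext:
    """The failure mode behind both advisories: a context that accepts any
    certificate, so a crafted certificate from an on-path host is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected form: chain validated against a trust store (the system store,
    or the CA that issued the peer's certificate), hostname checked against the
    certificate, and legacy protocol versions refused."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Pin check; constant-time comparison so it does not leak via timing."""
    expected = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def connect_and_verify(host: str, port: int, expected_pin: Optional[str] = None,
                       cafile: Optional[str] = None, timeout: float = 5.0) -> Dict[str, str]:
    """Open a TLS connection with the hardened context. The handshake itself
    enforces chain and hostname validation; if a pin is supplied, the presented
    leaf certificate must additionally match it."""
    ctx = hardened_client_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if expected_pin is not None and not fingerprint_matches(der, expected_pin):
                raise ssl.SSLError("server certificate does not match the pinned fingerprint")
            return {"version": tls.version() or "", "fingerprint": cert_fingerprint(der)}


if __name__ == "__main__":
    # Placeholder peer; replace with the identity server's name and its issuing CA file.
    print(connect_and_verify("ise.example.invalid", 443, cafile="/path/to/issuing-ca.pem"))
```

The weak context is what an implementation that "improperly validates" effectively runs; the hardened one fails the handshake on an unknown issuer or a name mismatch before any application data is sent. A pin is optional and only appropriate where the peer's certificate is under your control and rotation is planned.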

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-ipphone-certs

Security Impact Rating: Medium

CVE: CVE-2019-1683

Cisco Firepower Threat Defense Software SSL or TLS Denial of Service Vulnerability

A vulnerability in the detection engine of Cisco Firepower Threat Defense Software could allow an unauthenticated, remote attacker to cause the unexpected restart of the SNORT detection engine, resulting in a denial of service (DoS) condition.

The vulnerability is due to the incomplete error handling of the SSL or TLS packet header during the connection establishment. An attacker could exploit this vulnerability by sending a crafted SSL or TLS packet during the connection handshake. An exploit could allow the attacker to cause the SNORT detection engine to unexpectedly restart, resulting in a partial DoS condition while the detection engine restarts.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-fpwr-ssltls-dos

Security Impact Rating: Medium

CVE: CVE-2019-1691

Cisco Web Security Appliance Decryption Policy Bypass Vulnerability

A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied.

The vulnerability is due to the incorrect handling of SSL-encrypted traffic when Decrypt for End-User Notification is disabled in the configuration. An attacker could exploit this vulnerability by sending an SSL connection through the affected device. A successful exploit could allow the attacker to bypass a configured drop policy that is intended to block specific SSL connections.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-wsa-bypass

Security Impact Rating: Medium

CVE: CVE-2019-1672

Can ProxySG ‘uplevel’ a TLS connection to an internet website?

I need a solution

I have a legacy client on my network that needs to connect to an internet website that is disabling support for TLS 1.0 and 1.1. This client is not capable of making connections higher than TLS 1.0, though. It uses the ProxySG explicitly with a CONNECT, but I can route the traffic to get it there transparently as well if needed. Is there a way in the ProxySG to cause the Proxy -> OCS connection to be TLS 1.2 even though the Client -> Proxy connection is TLS 1.0?

I found one knowledge entry that looks like it’s specific to making the reverse happen, but I think this is more of a source/dst/action rule (https://support.symantec.com/en_US/article.TECH248…).  I tried it anyway with the client.negotiated.ssl.version set to TLSV1 and it resulted in a ‘n/a’ in a policy trace.

Anyone know if there’s a way to do this?

“Cannot complete request” when logging on via NetScaler using dual factor authentication and SSON to StoreFront Server 3.14

The certificate hash shown did not match the one bound to SSL port 443 in IIS (the correct certificate hash starts with 89BA19BD4…).

Delete the legacy certificate binding that is causing the errors with the following CLI command:

netsh http delete sslcert ipport=0.0.0.0:443

Note: The legacy certificate was associated with another set of StoreFront servers (three SF servers), not the new certificate created for this new set of two SF servers.

Validation

When issuing the CLI command netsh http show sslcert, the legacy certificate binding is now gone.

When testing logon through NetScaler, we were able to SSON to the SF server using the two-factor authentication in place, with the setting "Enable Loopback Communication" left ON (under SF – Edit Receiver for Web Site – Advanced Settings).
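The fix above hinges on noticing that the hash HTTP.sys has bound to 0.0.0.0:443 is not the thumbprint IIS is supposed to serve. The following Python script is added here and is not Citrix's code; it parses the output of `netsh http show sslcert`, compares the bound hash for a given IP:port with the expected thumbprint, and reports any stale binding (the `netsh http delete sslcert` command it prints is the one from the article). The sample netsh output and both thumbprints are constructed placeholders, not the real hashes.

```python
"""Added example (not Citrix's code): find an HTTP.sys SSL binding whose
certificate hash does not match the thumbprint IIS should be serving."""
import re
import subprocess
from typing import Dict, List, Optional

# Each binding in `netsh http show sslcert` output is a run of
# "    Key<padding> : value" lines, starting with an IP:port (or Hostname:port) line.
_KV_LINE = re.compile(r"^\s*(?P<key>.+?)\s+:\s*(?P<value>.*?)\s*$")


def parse_sslcert(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one dict per binding, keyed by the netsh field names."""
    bindings: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = _KV_LINE.match(line)
        if not m:
            continue                      # headers, separators, blank lines
        key, value = m.group("key"), m.group("value")
        if key in ("IP:port", "Hostname:port"):   # first field of a new binding
            current = {key: value}
            bindings.append(current)
        elif current is not None:
            current[key] = value
    return bindings


def normalize_thumbprint(value: str) -> str:
    """Compare case-insensitively and without separators: IIS, certlm.msc and
    netsh all format the same thumbprint differently."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def stale_bindings(bindings: List[Dict[str, str]], expected_thumbprint: str,
                   ipport: str = "0.0.0.0:443") -> List[Dict[str, str]]:
    """Return the bindings on `ipport` whose certificate hash is not the expected one."""
    want = normalize_thumbprint(expected_thumbprint)
    stale = []
    for b in bindings:
        endpoint = b.get("IP:port") or b.get("Hostname:port", "")
        if endpoint.lower() != ipport.lower():
            continue
        if normalize_thumbprint(b.get("Certificate Hash", "")) != want:
            stale.append(b)
    return stale


def live_bindings() -> List[Dict[str, str]]:
    """Run netsh on the StoreFront server itself (Windows only)."""
    out = subprocess.run(["netsh", "http", "show", "sslcert"],
                         capture_output=True, text=True, check=True).stdout
    return parse_sslcert(out)


# Constructed sample: a legacy binding on 0.0.0.0:443 whose hash (all "b2") does not
# match the certificate IIS should serve (all "a1"); neither is a real thumbprint.
SAMPLE_NETSH_OUTPUT = """\
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
"""
EXPECTED_THUMBPRINT = "A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1"   # placeholder

if __name__ == "__main__":
    for b in stale_bindings(parse_sslcert(SAMPLE_NETSH_OUTPUT), EXPECTED_THUMBPRINT):
        print("stale binding on", b["IP:port"], "with hash", b["Certificate Hash"])
        print("remove with: netsh http delete sslcert ipport=" + b["IP:port"])
```

On the server, replace the sample with `live_bindings()` and take the expected thumbprint from the IIS site binding (or the certificate in the local machine store) so the comparison is against what IIS actually selected.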

Receiver for HTML5 – Unable to Launch Apps Using HTTPS URL

When Receiver for HTML5 is hosted on an HTTPS site (the default and recommended configuration), browsers prohibit non-SSL/TLS WebSocket connections from that page.

In explaining the technical reason behind this it is important to understand the following two principles:

1. As opposed to existing as a separate process, Citrix Receiver for HTML5 operates within the frame and process space of the browser itself. As such, the browser has the ability to enforce certain security parameters.

2. Additionally, when any Receiver (or Workspace app in newer versions) makes a connection to a VDA for either a published desktop or app, the underlying connection is made to the VDA; the StoreFront server does not act as any kind of intermediate proxy.

This second point is less obvious in the case of Citrix Receiver for HTML5 because the published desktop or app displays within the browser frame and "appears" to be connected via the StoreFront server. Despite this appearance, the underlying TCP/UDP connection is still between the client and the VDA. If the StoreFront base URL is SSL enabled (it begins with https, as is best practice) and the VDA is not SSL enabled (which it is not by default), the browser will prevent the connection because of what it sees as an underlying inconsistency: the URL shown in the browser frame is prefixed with https, but the actual underlying connection is not HTTPS, even though this is not obvious to the user.

There are two solutions for this.

Solution 1 is to enable SSL on the VDA using one of these guides:

https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/tls.html#configure-tls-on-a-vda-using-the-powershell-script

https://www.citrix.com/blogs/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6-using-ssl/

This will ensure that the connection path is SSL enabled between the internal client and the VDA.

Solution 2 is to have the connections from the clients first go through a NetScaler Gateway. NetScaler Gateway proxies the connections and performs an SSL handshake between the client and the NetScaler. In this scenario there is no inconsistency, and connections via HTML5 Receiver will succeed.

SD-WAN Zero Touch Deployment: Status: Waiting for appliance to connect

  1. Verify that the appliance is properly cabled and has Internet connectivity.

  2. Verify that the appliance has access to the ZTD service by running the following curl request from the root account:

    curl -X GET https://sdwanzt.citrixnetworkapi.net/root/sdwanzt/v1/version

  3. In addition to the curl request, you can also verify that the appliance is able to reach the following three FQDNs on TCP port 443:

    https://sdwanzt.citrixnetworkapi.net

    https://trust.citrixnetworkapi.net

    https://download.citrixnetworkapi.net

Sample Successful Output

$ telnet sdwanzt.citrixnetworkapi.net 443
Trying 52.4.199.234…
Connected to sdwanzt.citrixnetworkapi.net.
Escape character is '^]'.

$ telnet trust.citrixnetworkapi.net 443
Trying 52.4.199.234…
Connected to trust.citrixnetworkapi.net.
Escape character is '^]'.

$ telnet download.citrixnetworkapi.net 443
Trying 52.4.199.234…
Connected to download.citrixnetworkapi.net.
Escape character is '^]'.

Sample Failed Output

telnet: could not resolve sdwanzt.citrixnetworkapi.net/443: Name or service not known
telnet: could not resolve trust.citrixnetworkapi.net/443: Name or service not known
telnet: could not resolve download.citrixnetworkapi.net/443: Name or service not known

telnet: Unable to connect to remote host: Connection refused

telnet: Unable to connect to remote host: No route to host
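The three telnet checks above distinguish three different failure layers (name resolution, an active refusal, and no route), and each points at a different part of step 1. The following Python script is added here and is not Citrix's code; it runs the same reachability checks against the three ZTD FQDNs from the procedure, classifies the socket error the way the telnet messages do, and prints a hint for which layer to look at. The hint texts are this example's own wording, and the sample error strings in the test are the ones quoted in the article.

```python
"""Added example (not Citrix's code): TCP 443 reachability checks for the ZTD
service endpoints, with the failure classified by layer."""
import errno
import socket
from typing import Dict, Tuple

ZTD_HOSTS = ("sdwanzt.citrixnetworkapi.net",
             "trust.citrixnetworkapi.net",
             "download.citrixnetworkapi.net")

# Substrings of the OS / telnet error text, checked in order.
REASONS = (
    ("Name or service not known", "dns"),
    ("Temporary failure in name resolution", "dns"),
    ("Connection refused", "refused"),
    ("No route to host", "no-route"),
    ("Network is unreachable", "no-route"),
    ("timed out", "timeout"),
)
HINTS = {
    "ok": "TCP 443 reachable",
    "dns": "appliance cannot resolve the name: check its DNS servers / resolver",
    "refused": "something in the path rejected the connection: check outbound firewall or proxy rules for TCP 443",
    "no-route": "no route to the Internet: check cabling, default gateway and uplink (step 1)",
    "timeout": "packets dropped silently: check outbound filtering on TCP 443",
    "other": "unclassified socket error; see detail",
}


def classify_message(msg: str) -> str:
    """Classify an error message such as the telnet lines in the article."""
    for needle, label in REASONS:
        if needle in msg:
            return label
    return "other"


def classify_error(exc: BaseException) -> str:
    """Classify a socket exception by type and errno, falling back to its text."""
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "no-route"
    return classify_message(str(exc))


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Resolve and connect like `telnet host 443`; return (label, detail)."""
    try:
        ip = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
        with socket.create_connection((ip, port), timeout=timeout):
            return "ok", f"connected to {ip}:{port}"
    except OSError as exc:
        return classify_error(exc), str(exc)


def check_all(hosts=ZTD_HOSTS, port: int = 443) -> Dict[str, Tuple[str, str]]:
    """Run the check for every ZTD endpoint."""
    return {h: check_endpoint(h, port) for h in hosts}


if __name__ == "__main__":
    for host, (label, detail) in check_all().items():
        print(f"{host:32} {label:9} {HINTS[label]}  [{detail}]")
```

A successful run prints `ok` for all three names; a mixed result (for example `dns` on all three) localises the problem to one layer before the appliance is checked in the ZTD portal again.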

Can HTTPS be monitored with Network Monitor 15.1?

I need a solution

Hi,

I have two Network Monitor 15.1 detection servers on two different core switches, but when checking the incidents, HTTPS incidents are generated without the HTTPS protocol being enabled. Can someone explain to me why it generates this type of incident, or whether this new version of Network Monitor already detects encrypted HTTPS traffic natively?

Thanks and regards.
