Cisco Email Security Appliance and Cisco Web Security Appliance Certificate Validation Vulnerability

A vulnerability in the Cisco Advanced Malware Protection (AMP) for Endpoints integration of Cisco AsyncOS for Cisco Email Security Appliance (ESA) and Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to intercept traffic between an affected device and the AMP servers.

This vulnerability is due to improper certificate validation when an affected device establishes TLS connections. A man-in-the-middle attacker could exploit this vulnerability by sending a crafted TLS packet to an affected device. A successful exploit could allow the attacker to spoof a trusted host and then extract sensitive information or alter certain API requests.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-wsa-cert-vali-n8L97RW

Security Impact Rating: High

CVE: CVE-2021-1566


How to Configure SSL on XenDesktop Controllers to Secure XML Traffic

From XenDesktop Controller

IIS Installed on XenDesktop Controller

In this scenario, the XenDesktop controller has IIS installed and functioning to serve Web Interface or other web services. To complete this setup, you must request a Server Certificate and install it on IIS.

There are two ways to generate Server Certificates on IIS 7.x:

  • Create Certificate Request: This generates a CSR file to be submitted to a third-party Certification Authority (CA) or to your internal Microsoft CA. For more information, refer to the Microsoft TechNet article – Request an Internet Server Certificate (IIS 7).

  • Create Domain Certificate: This generates a CSR file and submits it directly to your domain-registered Microsoft CA server. For more information, refer to the Microsoft TechNet article – Create a Domain Server Certificate on IIS 7.


After the Server Certificate is installed on IIS, set the Bindings to enable HTTPS on IIS by completing the following procedure:

  1. Select the IIS site for which you want to enable HTTPS and select Bindings under Edit Site.

  2. Click Add, select https as the Type and 443 as the port number, select the SSL Certificate that you installed, and click OK.

  3. Open Registry Editor on the XenDesktop Controller and locate the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

  4. Verify that the XmlServicesSslPort registry value exists and holds the correct SSL port. By default, it is set to 443.

  5. Change the XML service port.

    You can do this using PowerShell by running the following command:

    BrokerService -WiSslPort <port number>

    Note: If you decide to change the XML service port number on the XenDesktop Controller, also update the IIS port number under Bindings so that it matches the new value.

IIS is not Installed on XenDesktop Controller

In this scenario, the XenDesktop Controller does not have IIS installed. As a result, there are a few ways to obtain a Server Certificate for the Controller:

  • Export an existing Server Certificate from another server in PFX format. When exporting the Server Certificate, make sure to include the private key as well.

  • Use the Certreq utility from Microsoft to generate a Certificate Signing Request and submit it to a third-party CA or to your internal Microsoft CA server. For more information, refer to the Microsoft TechNet article – Certreq.exe Syntax.

    Note: Always import the PFX server certificate into the XenDesktop Controller's Local Computer certificate store, not the My user account store.

After the Server Certificate is installed on the XenDesktop Controller, register the SSL certificate for HTTPS on the server. Windows 2008 has a built-in utility, netsh, that binds an SSL certificate to a port configuration. For more information, refer to the Microsoft MSDN article – How to: Configure a Port with an SSL Certificate.

The following is the command that you must use:

netsh http add sslcert ipport=0.0.0.0:<port Number> certhash=<hash number> appid={XenDesktop Broker Service GUID}

To obtain the certificate hash of a Server Certificate, open the Registry Editor, browse to the following key, and search for the Server Certificate that you want to use:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates

An alternative way to obtain this certificate hash:

  1. Open the Server Certificate and, under the Details tab, select Thumbprint.

  2. Obtain the GUID of the XenDesktop Controller's Citrix Broker Service.

  3. Open Registry Editor and select Find.

  4. Search for the words "Broker Service". By default, the location is HKEY_CLASSES_ROOT\Installer\Products.

  5. Now that you have the certificate hash and the Citrix Broker Service GUID, you can run the netsh command to bind the SSL certificate to port 443 and to the Citrix Broker Service. The following example is based on the GUID and certificate hash values taken from the original article's screenshots.

    Here is the command to get the GUID. Run it in an elevated command prompt on the DDC:

    wmic product where "Name like 'Citrix Broker Service'" get Name,identifyingnumber

    The IdentifyingNumber column of the output is the GUID.

    C:\>netsh http add sslcert ipport=10.12.37.231:443 certhash=298B8AB50322A5A601A57D4976875191D85A2949 appid={13C9D851-5D94-7C44-4A2B-218F89A28DC7}

    Note: For the GUID, ensure that you include the dashes (-). Otherwise, the command cannot run successfully.
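As an added example (not part of the Citrix article), a small Python helper for the two values the netsh command needs. It converts a product-code key name from HKEY_CLASSES_ROOT\Installer\Products, which Windows Installer stores in its character-reversed "compressed" form, into the dashed GUID form that netsh expects; strips the spaces and the invisible mark that the certificate Details tab copies together with the thumbprint; and assembles the command. The sample hash and GUID in the comments are the values from the article; the unpacked GUID is simply what that conversion yields.

```python
import re
import uuid

NON_HEX = re.compile(r"[^0-9A-Fa-f]")

def unpack_msi_guid(packed: str) -> str:
    """Key names under HKEY_CLASSES_ROOT\\Installer\\Products are Windows Installer
    'compressed' GUIDs: the first three groups are character-reversed and each later
    byte has its two hex digits swapped. Returns the dashed, braced form."""
    p = NON_HEX.sub("", packed)
    if len(p) != 32:
        raise ValueError("compressed GUID must contain exactly 32 hex digits")
    tail = "".join(p[i + 1] + p[i] for i in range(16, 32, 2))
    canon = f"{p[0:8][::-1]}-{p[8:12][::-1]}-{p[12:16][::-1]}-{tail[:4]}-{tail[4:]}".upper()
    uuid.UUID(canon)  # raises ValueError if the result is not a well-formed GUID
    return "{" + canon + "}"

def pack_msi_guid(guid: str) -> str:
    """Inverse of unpack_msi_guid: dashed GUID -> 32-digit compressed registry key name."""
    h = NON_HEX.sub("", guid).upper()
    if len(h) != 32:
        raise ValueError("GUID must contain exactly 32 hex digits")
    tail = "".join(h[i + 1] + h[i] for i in range(16, 32, 2))
    return h[0:8][::-1] + h[8:12][::-1] + h[12:16][::-1] + tail

def clean_thumbprint(raw: str) -> str:
    """The certificate Details tab copies the thumbprint as spaced hex pairs, often with
    an invisible leading U+200E mark; netsh needs exactly 40 hex digits (SHA-1).
    Article value: 298B8AB50322A5A601A57D4976875191D85A2949."""
    t = NON_HEX.sub("", raw).upper()
    if len(t) != 40:
        raise ValueError(f"thumbprint has {len(t)} hex digits, expected 40")
    return t

def build_sslcert_command(ip: str, port: int, thumbprint: str, appid: str) -> str:
    """Assemble 'netsh http add sslcert' from validated parts. The appid is emitted in
    dashed, braced form, which is what netsh requires (see the note above).
    Article value: {13C9D851-5D94-7C44-4A2B-218F89A28DC7}."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    guid = str(uuid.UUID(NON_HEX.sub("", appid))).upper()   # normalises to dashed form
    return (f"netsh http add sslcert ipport={ip}:{port} "
            f"certhash={clean_thumbprint(thumbprint)} appid={{{guid}}}")
```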

A successful bind is confirmed by the netsh output (shown as a screenshot in the original article).

From the Web Interface server

Configure the XenApp Web Site or XenApp Services Site to use HTTPS and 443 as Transport Type and XML Service port respectively under Server Farms.

Note: For a successful SSL connection to the XenDesktop 5 Controller, ensure that the Trusted Root certificate is installed on the Web Interface server (in the Local Computer certificate store).


Error: “Certificate with key size greater than RSA512 or DSA512 bits not supported” on NetScaler

To resolve this issue, apply one or both of the following resolutions, as required:

After applying the required resolution, the additional ciphers are available and you can add a certificate that has a key size greater than 512 bits. The NetScaler appliance supports certificates with key size 512, 1024, 2048, and 4096 bits.


Cisco IOS and IOS XE Software Common Industrial Protocol Privilege Escalation Vulnerability

A vulnerability in the CLI command permissions of Cisco IOS and Cisco IOS XE Software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP) and then remotely configure the device as an administrative user.

This vulnerability exists because incorrect permissions are associated with the show cip security CLI command. An attacker could exploit this vulnerability by issuing the command to retrieve the password for CIP on an affected device. A successful exploit could allow the attacker to reconfigure the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-XE-SAP-OPLbze68

This advisory is part of the March 2021 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2021-1392


Indicio launches blockchain-enabled network for identity

Technology provider Indicio.tech, a public benefit corporation advancing decentralized identity software and solutions, today announced the public availability of the Indicio MainNet, a professionally-staffed decentralized identity network designed for global enterprises that need a reliable platform to develop and scale identity services and products.

The development of the Hyperledger Indy-based network follows the successful deployment of the Indicio TestNet, a market leader in decentralized identity networks.

The Indicio MainNet uses distributed ledger technology—multiple identical databases spread across different nodes—to enable the use of privacy-preserving verifiable digital credentials. This provides the foundation for flexible, portable, and permanent digital identities that are always under the control of the identity holder—the individual—and which provide an evolutionary leap forward in security.

“Our clients asked for a stable, fully-staffed network based on Hyperledger Indy— one that could provide the Service Level Agreements their customers need for mission-critical workloads,” said Heather Dahl, CEO of Indicio. “Today, we are excited to announce that this MainNet is open for business.”

“This is the network we need to accelerate adoption of passwordless zero trust ecosystems for enterprise customers,” said Mike Vesey, President of IdRamp, a leader in decentralized identity and a Genesis Node Operator on the Network. “Our customers are developing service delivery ecosystems that require world class support, and leading edge features managed by a team with deep technical experience. The Indicio network provides exactly that.”

“The Indicio Network enables GlobaliD to deliver a digital identity platform that puts you in control of your identity and your data,” says Mitja Simcic, CTO of GlobaliD, one of the first companies to use Indicio’s MainNet. “Most digital identity platforms take ownership and control of your digital identity and your data for their own purposes. For instance, social media companies make money from selling your data to unauthorized third parties. Indicio is creating an ecosystem for providers that are working to make this practice obsolete. This network is bringing real change to real people, all over the world.”

The Value of Decentralized Identity

Decentralized identity allows individuals to control their own data and solves the privacy and security issues that undermine current models for handling identity online. This privacy-preserving model for identity, where everyone controls their own information, makes it easy for companies and organizations to comply with data privacy laws, makes business partner integrations more secure, and does away with the need for third parties to manage and hold personally identifiable information (PII).

It is important to note that as part of Indicio’s governance, no personal data, such as names, addresses, or birth dates, is written to any of the Indicio Network ledgers. Instead, machine-readable cryptographic information identifies the issuer of the credential and the details that demonstrate the credential is authentic. With just a few writes to the Indicio MainNet, millions of credentials can be issued, all pointing to the same few ledger writes, which makes the system easily scalable.

How to use the Indicio MainNet

Anyone using technology to verify a verifiable credential that is presented to them may access the Indicio MainNet for free. Several wallets currently in production now point to the Indicio Network, enabling credentials to be issued on, and read from, the Indicio Network.

Global innovators interested in becoming part of the Indicio Network are welcome to become an Indicio Node Operator. This diverse, supportive, and collaborative network of dynamic companies works together to support a copy of the ledger while helping to advance decentralized identity. Learn more about the other benefits of becoming a Node Operator.


Ethereum Classic (ETC) Cooperative on Hyperledger Besu now supporting Keccak-256 Mining

ETC Cooperative announced: “We’re thrilled to report that Hyperledger Besu now supports Keccak-256 mining. This major milestone only marks the beginning of SHA3 + ETC.”

Implemented:

  • reliable Keccak mining
  • new ecip1049_dev network
  • needed specs + dev network for ecip1049 prep

For those who do not want technical explanations, it is enough to understand that Keccak is an algorithm used for mining in Ethereum Classic, and that the number of Hyperledger Besu clients on the ETC mainnet is now expected to grow rapidly because of the convenience Keccak provides in the mining process.

For more clarity, Hyperledger Besu is an Ethereum client designed to be enterprise-friendly for both public and private permissioned network use cases. It can also be run on test networks such as Rinkeby, Ropsten, and Görli.

Enterprise here refers to the ability to create new projects or new businesses and make them successful.

“SHA-3” in Ethereum refers to “Keccak-256”. Keccak-256 is an online hash function. Keccak (a form of SHA-3) is a relatively older algorithm that recently made a comeback on NiceHash in terms of profitability.

For more clarity, keccak256(bytes memory) returns (bytes32) computes the Keccak-256 hash of its input. The function parameters correspond to the ECDSA values of the signature: r, the first 32 bytes of the signature; s, the second 32 bytes of the signature; v, the final 1 byte of the signature. This method returns an address.

Keccak-256 has an elegant design and clarity of construction, runs well on different computing devices, and offers higher performance in hardware than SHA-2, thus providing insurance if SHA-2 is ever broken.

Keccak-256 is far faster than Ethash; it is simply a hashing algorithm that does not require hardware with immense memory or a DAG that must be worked through.

Also, CPUs, FPGAs, ASICs, and GPUs can all mine Keccak-256, and it is quite possible for the mining ecosystem to mature to parity with Bitcoin, where mining is dominated by purpose-built hardware.

This contributes to enhanced security and productivity, as the algorithm is well documented and open-source hardware designs are available.

Also, the mainstream semiconductor companies that build chips are tested against the SHA family of algorithms, and SHA-3 computing runs best on embedded systems. There is also a reduced risk of non-compliance, because Keccak-256 (SHA-3) is a standardized cryptographic hash function that has gained the trust of government organizations.
