In February 2020, Tufin released TufinOS 2.21. It is available for download in the Tufin Portal (authentication required). TufinOS 2.21 ships as an upgrade package only (tufinos-update-2.21-1395.run.tgz), so a new system must first be installed from the TufinOS 2.18 ISO or USB image and then upgraded to 2.21.

New features and updates in TufinOS 2.21 include:

 

  • PostgreSQL 11 (11.6-1PGDG.rhel6) has been added
  • ncdu and tmux RPMs from EPEL have been added
  • Updated RAID driver for ASR-8805 to version 1.2.1.58012 (GEN-3.5)
  • Updated Microsemi Adaptec ARCCONF Command Line Utility to version 3.03.23668 (GEN-3.5)
  • Updated PostgreSQL 9.4 to version 9.4.25-1PGDG.rhel6
  • Updated PHP to version 5.6.40-1.w6
  • Additionally, 35 RPMs have been updated to the latest CentOS 6 (6.10) package versions

 

Please be aware that only TufinOS 2.19 and 2.21 are now supported by Tufin; older versions no longer receive security-related updates either.
Additional information about the security fixes included in TufinOS 2.21 is available from Tufin. When hardening TufinOS, follow the hints Tufin provides.

 

Important hint:
Make sure your TOS version is compatible with the new PostgreSQL release (TufinOS 2.21 adds PostgreSQL 11 next to the updated 9.4)! Check the Tufin Knowledge Center before attempting the upgrade.

 

 

 

In September 2019, Tufin released TufinOS 2.19. It is available for download in the Tufin Portal (authentication required). TufinOS 2.19 ships as an upgrade package only, so a new system must first be installed from the TufinOS 2.18 ISO or USB image and then upgraded to 2.19.

New features and updates in TufinOS 2.19:

  • 29 RPMs updated to the latest CentOS 6.10 package versions
  • PostgreSQL updated to version 9.4.23

Please be aware that only TufinOS 2.19 is now supported by Tufin; older versions no longer receive security-related updates either.

An updated description of how to upgrade TufinOS in HA environments is available in the Tufin Portal.

 

 

 

In April 2019, Tufin published TufinOS 2.18. It is available for download in the Tufin Portal.
For a new installation you no longer need to install TufinOS 2.15 and upgrade it, because TufinOS 2.18 is also available for clean installation (ISO or appliance image).

New features and updates in TufinOS 2.18:

  • 28 RPMs updated to CentOS 6.10, the latest CentOS 6 release
  • Microsemi Adaptec ARCCONF Command Line Utility version 3.01.23531
  • PostgreSQL version 9.4.21-1PGDG.rhel6
  • stunnel version 5.50
  • PAM RADIUS version 4.0

An updated description of how to upgrade TufinOS in HA environments is available in the Tufin Portal.

 

 

 

TufinOS is based on Linux, and the Linux kernel's TCP stack is affected by the flaw known as SegmentSmack (CVE-2018-5390). By sending specially crafted TCP segments, a remote attacker can force the kernel into expensive segment-reassembly processing and trigger a Denial of Service (DoS). To maintain the DoS condition, the attacker needs continuous two-way TCP sessions to a reachable open port, so the attack cannot be carried out from spoofed source addresses.

So if your device running TufinOS is not reachable from untrusted networks, or is protected by a firewall that limits access to trusted sources, the DoS risk is limited. The fixed version should nevertheless be installed as soon as it is available.

Tufin points out that all versions of TufinOS are affected (TufinOS 1.8 to 1.23 as well as TufinOS 2.0 to 2.16).
Update 30.08.2018: The patch is integrated in TufinOS 2.17, which is available for download now.
If you are still running TufinOS 1.x, upgrade: that branch is no longer supported by Tufin and will not receive the fix.

 

 

 

 

A new vulnerability has been found in Red Hat Enterprise Linux (and therefore also in CentOS and TufinOS).

An industry-wide issue has been found in the way many modern microprocessor designs implement speculative execution of load and store instructions (a commonly used performance optimization). An unprivileged local attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
See more details here: Speculative Store Bypass (CVE-2018-3639, "Variant 4") and Rogue System Register Read (CVE-2018-3640, "Variant 3a").

These issues will be addressed in TufinOS 2.17 and not by a patch for 2.16. The reasons are the local attack vector and the high attack complexity; the second flaw is rated with a low base score.

TufinOS 2.17, which addresses both issues, is planned for August 2018.
The release will be announced by Tufin and here in this blog.
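Whether a running host is actually covered can be read from the kernel's own report. The following script is an added example, not code from Tufin or Red Hat: it reads the per-issue files that fixed kernels export under /sys/devices/system/cpu/vulnerabilities/ and goes beyond the post by covering every entry in that directory, not only spec_store_bypass. It assumes the directory is simply absent on a kernel that predates the fixes (for TufinOS, any version before 2.17), and it cannot cover Rogue System Register Read, which is fixed in CPU microcode and has no sysfs entry. The function names and the --check flag are this example's own.

```shell
#!/bin/sh
# Added example, not Tufin's or Red Hat's code: read the kernel's verdict on
# the speculative-execution flaws from sysfs. Kernels carrying the fixes export
# one file per issue under /sys/devices/system/cpu/vulnerabilities/; a kernel
# that predates the fixes has no such directory, which is itself the answer.

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# is_mitigated FILE -> 0 if the kernel reports "Mitigation: ..." or
# "Not affected", 1 if it reports "Vulnerable" (or anything else),
# 2 if the file is missing (kernel too old to know about the issue).
is_mitigated() {
    [ -r "$1" ] || return 2
    case $(cat "$1") in
        Mitigation:*|"Not affected") return 0 ;;
        *) return 1 ;;
    esac
}

# report [DIR] -> one line per issue, e.g. "spec_store_bypass: Vulnerable".
# Returns 0 only if every entry is mitigated, 1 if any is vulnerable,
# 2 if the directory does not exist at all.
report() {
    _dir=${1:-$VULN_DIR}
    if [ ! -d "$_dir" ]; then
        echo "no $_dir: kernel predates the speculative-execution fixes"
        return 2
    fi
    _rc=0
    for _f in "$_dir"/*; do
        [ -r "$_f" ] || continue
        printf '%s: %s\n' "${_f##*/}" "$(cat "$_f")"
        is_mitigated "$_f" || _rc=1
    done
    return $_rc
}

# ssb_status [DIR] -> the single entry for Variant 4 named in the post.
ssb_status() {
    is_mitigated "${1:-$VULN_DIR}/spec_store_bypass"
}

# Stand-alone use: `sh cpu_vulns.sh --check`; exit code follows report().
case ${1-} in
    --check) report; exit $? ;;
esac
```

On a patched TufinOS 2.17 the spec_store_bypass line should read "Mitigation: ..." rather than "Vulnerable"; on 2.16 the whole directory is expected to be missing, which the script reports with exit code 2 so that it can be distinguished from a present-but-vulnerable host in a fleet inventory.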

 

 

 

A command injection flaw has been found in Red Hat Enterprise Linux (and therefore also in CentOS and TufinOS): the NetworkManager integration script shipped with the DHCP client packages passed DHCP-supplied values to the shell unsafely.
An attacker who can spoof DHCP server responses on the local network (a rogue DHCP server, or a man in the middle) can thereby execute arbitrary commands as root on vulnerable systems that use NetworkManager and obtain their network configuration via DHCP.
Further information is available from Red Hat under CVE-2018-1111 and from Tufin.

Since TufinOS 1.x is no longer supported, no fix will be published for it.
In TufinOS 2.x the issue is fixed in TufinOS 2.16. Since this is now the current version, the upgrade should be done even if no DHCP client packages are in use.

Please be aware that when running TOS in an HA configuration, the upgrade procedure is simpler starting with TufinOS 2.16 than it was before.
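The following shell script is an added example, not Tufin's or Red Hat's dispatcher script. It models the flaw class in a few lines (an `eval` over a NAME=VALUE line built from DHCP option values, beside a version that validates the name and never lets the shell parse the value) and adds a small exposure check that lists interfaces whose ifcfg file requests DHCP, which is the configuration the post names as affected. The ifcfg directory, the DHCP4_ variable prefix and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Tufin's or Red Hat's script: a simplified model of the
# flaw class behind CVE-2018-1111. A dispatcher script handed option values
# supplied by the DHCP server to the shell with `eval`, so whoever answers
# DHCP on the segment can close the quote and append a command that runs as
# root. Variable prefix DHCP4_ and the ifcfg directory are assumptions.

# Vulnerable pattern: the whole NAME=VALUE line is parsed by the shell,
# including every quote, semicolon and $(...) the DHCP server put into VALUE.
unsafe_import() {
    eval "$1"
}

# Hardened pattern: accept only a plain identifier in the expected namespace
# as NAME, then assign through a variable reference so that eval parses the
# fixed text "NAME=$_value" and never the attacker-supplied bytes themselves.
safe_import() {
    _line=$1
    case $_line in *=*) ;; *) return 1 ;; esac
    _name=${_line%%=*}
    _value=${_line#*=}
    case $_name in
        ''|*[!A-Z0-9_]*) return 1 ;;   # not a plain upper-case identifier
        DHCP4_*) ;;                    # only the namespace the client uses
        *) return 1 ;;                 # PATH=, LD_PRELOAD= and friends
    esac
    eval "$_name=\$_value"
    return 0
}

# dhcp_ifaces [DIR]: list interfaces whose ifcfg file asks for DHCP. A host
# with such an interface had to trust DHCP option values from the network.
dhcp_ifaces() {
    _dir=${1:-/etc/sysconfig/network-scripts}
    for _cfg in "$_dir"/ifcfg-*; do
        [ -f "$_cfg" ] || continue
        if grep -qi '^BOOTPROTO=.*dhcp' "$_cfg"; then
            echo "${_cfg##*/ifcfg-}"
        fi
    done
}

# Stand-alone use: `sh dhcp_import.sh --check` prints the DHCP interfaces.
case ${1-} in
    --check) dhcp_ifaces ;;
esac
```

The point of the hardened version is not the allow-list on the name (that only prevents clobbering PATH or similar) but the `\$_value` indirection: the value reaches the variable as data and is never re-read by the shell, so quotes and metacharacters in a DHCP option are harmless. The same rule applies to any script that turns untrusted network input into shell assignments.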