In September 2019 Tufin released TufinOS 2.19. This version is available for download now in the Tufin Portal (authentication required). TufinOS 2.19 is available as an upgrade package only, so if you need to set up a new system, you must install TufinOS 2.18 from ISO or USB before upgrading to 2.19.

New features and updates of TufinOS 2.19 are:

  • Update of 29 RPMs based on the latest version of CentOS 6.10
  • Update of PostgreSQL to version 9.4.23

Please be aware that only TufinOS 2.19 is supported by Tufin now, i.e. older versions will no longer receive updates, including security-related ones.

An updated description of how to upgrade TufinOS in HA environments is available in the Tufin Portal.

 

 

 

In April 2019, Tufin published TufinOS 2.18. This version is available for download now in the Tufin Portal.
If you start a new installation, you no longer need to install TufinOS 2.15 and upgrade from it, since TufinOS 2.18 is also available for clean installation (ISO or Appliance).

New features and updates of TufinOS 2.18 are:

  • 28 RPMs are updated to version CentOS 6.10, which is the latest version
  • Microsemi Adaptec ARCCONF Command Line Utility version 3.01.23531
  • PostgreSQL version 9.4.21-1PGDG.rhel6
  • sTunnel version 5.50
  • PAM Radius version 4.0

An updated description of how to upgrade TufinOS in HA environments is available in the Tufin Portal.

 

 

 

TufinOS is based on Linux, in which a flaw called SegmentSmack has been found. Due to the handling of special TCP packets, a Denial-of-Service (DoS) can be triggered remotely. To maintain a DoS condition, continuous two-way TCP sessions to a reachable port are required.

So if your device running TufinOS isn't reachable from untrusted sources or is protected by a firewall, the risk of a DoS isn't too high. But an upgrade should be installed when available.

Tufin points out that all versions of TufinOS are affected (TufinOS 1.8 - 1.23 as well as TufinOS 2.0 - 2.16).
Update 30.08.2018: A patch is integrated in TufinOS 2.17, which is available now for download.
If you are still using TufinOS 1.x, please upgrade, since this version isn't supported any more by Tufin.

 

 

 

 

In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a new vulnerability has been found.

An industry-wide issue has been found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
See more details here: Speculative Store Bypass and Rogue System Register Read.

This issue will be addressed in TufinOS 2.17 and not by a patch for 2.16. The reasons are a local attack vector and a high attack complexity. The second flaw is rated with a low base score.

So in Tufin 2.17 these issues are addressed. This version is planned for August 2018.
The release of this version will be published by Tufin - and here in this Blog.

 

 

 

In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a command injection flaw has been found in the NetworkManager integration script included in the DHCP Client packages.
It allows attackers who spoof the responses of a DHCP server to execute arbitrary commands with root privileges on vulnerable systems that use NetworkManager and are configured to obtain their network configuration via DHCP.
Further information can be found at Red Hat under CVE-2018-1111 as well as at Tufin.

Since TufinOS 1.x isn't supported any more, no fix will be published.
In TufinOS 2.x this issue is addressed in TufinOS 2.16. Since this is now the current version, the upgrade should be done even if no DHCP Client packages are used.

Please be aware that when using TOS in HA configuration, starting with TufinOS 2.16 the upgrade can be done more easily than before.
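To judge how exposed a host is to the precondition described above (network configuration obtained via DHCP on a system using NetworkManager), the following added example, which is not code from Tufin or Red Hat, lists the interfaces whose ifcfg file requests DHCP. It assumes the standard CentOS 6 layout under /etc/sysconfig/network-scripts and reads configuration files only; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report interfaces configured for DHCP and whether
# NetworkManager is allowed to manage them.
# Assumption: CentOS 6 style ifcfg-* files; pass a directory to override.

# Print the value of key $2 in ifcfg file $1 (last assignment wins),
# with trailing comments, quotes and whitespace removed.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/[[:space:]]*#.*//' |
        tail -n 1 | tr -d "\"'" | tr -d '[:space:]'
}

# Emit one line per interface using DHCP: "<device> <proto> nm=<yes|no>".
dhcp_exposure() {
    dir=${1:-/etc/sysconfig/network-scripts}
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # Skip editor and package-manager leftovers.
        case "$f" in *.bak|*.orig|*.rpmsave|*.rpmnew|*~) continue ;; esac
        proto=$(ifcfg_get "$f" BOOTPROTO | tr 'A-Z' 'a-z')
        # The initscripts start the DHCP client for both values.
        case "$proto" in dhcp|bootp) ;; *) continue ;; esac
        dev=$(ifcfg_get "$f" DEVICE)
        [ -n "$dev" ] || dev=${f##*/ifcfg-}
        nm=$(ifcfg_get "$f" NM_CONTROLLED | tr 'A-Z' 'a-z')
        # NM_CONTROLLED is treated as yes when the key is absent.
        [ "$nm" = "no" ] || nm=yes
        echo "$dev $proto nm=$nm"
    done
}

dhcp_exposure "$@"
```

An empty result means no interface is configured for DHCP; the upgrade to TufinOS 2.16 is still recommended, as stated above.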

 

 

 

As many administrators know, there is an option called Suite Administration when configuring TOS using tos conf. Activating this option allows the system to be monitored.

If (3) is selected and Suite Administration is therefore activated, it needs to be configured. This is done with the command

[root@TufinOS]# configure_os_monitoring

A menu opens in which the necessary options can be configured:

 

  • Recipient Settings

    Configure the recipients who will get an e-mail when Suite Administration sends an alert.
    1. Show defined recipients
    2. Add recipient
    3. Delete recipient
    4. Modify recipient

 

  • SMTP Settings

    This section configures the mail server used to send e-mail to recipients in case of an alert. The authentication data the mail server needs for sending e-mail can also be configured here.
    1. Server Name
    2. Server Port
    3. User Name
    4. User Password
    5. Sender Email
    6. Mail Sending Interval

 

  • SNMP Settings

    TufinOS will send SNMP traps when an alert condition occurs. In this section the server, port etc. need to be configured if traps are wanted. Support for additional SNMP MIBs can be configured by adapting the file /etc/snmp/snmpd.conf and restarting snmpd.
    1. Manager IPv4 Address
    2. Manager Port
    3. Community Name
    4. Trap Sending Interval

 

  • Threshold Settings
       
    Configure thresholds here. Please be aware that the default for CPU usage is 10%, i.e. if there is a little load on the machine, an alert will be sent.
    The options for JMS Tunnel and Stunnel are only needed if the server is used in an HA deployment or the Central Server is in an environment using Distributed Architecture (DA).
    1. CPU Usage (default: 10%!)
    2. Memory Usage (default 70%)
    3. Disk Usage (default 70%)
    4. Service Settings
      1. Application Server   
      2. Cron
      3. Database
      4. JMS Tunnel
      5. Stunnel
      6. Syslog
      7. Web Server

 

So these options might allow tighter control and monitoring of TufinOS as well as the services running on this machine.