
TufinOS

"Dirty COW" vulnerability in TufinOS

Details
TufinOS
Last Updated: 04 November 2016

Tufin has released a Security Announcement regarding "Dirty COW" (CVE-2016-5195)


Background:

A race condition has been found in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings.
An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings, and thus increase their privileges on the system.

Vulnerable Systems:

All versions of TufinOS are affected: TufinOS 1.8 - 1.22 as well as 2.00 - 2.12.
Installations running on Red Hat Enterprise Linux or CentOS are affected as well; obtain the patch from the website of the Linux distribution itself.

Remediation:

Tufin will publish a fix for TufinOS 2.12 on November 2nd. A fix for TufinOS 1.22 will be published after Red Hat has published a fix for RHEL 5.
If you are not running the latest version of TufinOS, you should upgrade first to be able to install the fix.


Update (20161102):

The fix for TufinOS 2.x is included in TufinOS 2.13, which has been available since November 1st.
A patch for TufinOS 2.12 will be released on November 6th. This is relevant if an update to TufinOS 2.13 isn't possible.

Update (20161104):

The fix for TufinOS 1.x is included in TufinOS 1.23, which has been available since November 4th. An upgrade to this version is recommended if TufinOS 1.x is still in use.
Please be aware that TufinOS 1.x reaches its End of Life (EOL) on March 31st, 2017, as CentOS 5 does. After this date, no updates or security patches will be created for TufinOS 1.x, so upgrading to TufinOS 2.x before this date is recommended.


Network Settings for Management Interface in TufinOS

Details
TufinOS
Last Updated: 07 October 2016

TufinOS is a Linux system, so its management interface needs network settings configured. One way to do this is the "traditional" way of editing files such as

/etc/sysconfig/network
/etc/sysconfig/network-scripts/ifcfg-eth0

This is not always the easiest way, especially if the administrator isn't familiar with Linux. An easier way is to use a command that TufinOS provides:

/usr/local/sbin/config_mgmt_if

Since this directory is usually in the PATH, the command can also be run without typing the full path:

config_mgmt_if

This command prompts the administrator for all the important settings of the system's management interface, as shown in the example below
(use YOUR OWN IP addresses, in lab and production environments alike). It also restarts the network service so the changes become active.

[root@TufinOS ~]# config_mgmt_if
Please enter the network details for the TOS management interface (eth0).
IP address: 192.168.1.1
Netmask: 255.255.255.0
Default gateway: 192.168.1.254
IP address for DNS server 1, or press ENTER to continue: 192.168.1.253
IP address for DNS server 2, or press ENTER to continue: 192.168.2.253
IP address for DNS server 3, or press ENTER to continue:
Do you want to configure IPv6 (yes|no)?: no

Network settings for TOS management interface
=============================================

(1) IP address:           192.168.1.1
(2) Netmask:              255.255.255.0
(3) Gateway IP:           192.168.1.254
(4) DNS Servers:          192.168.1.253, 192.168.2.253

To change the settings, enter the item number to change.
Enter c to apply the changes and continue, or enter e to exit
> c
Warning: The current network settings for the eth0 adapter will be overridden.
Are you sure you want to continue (yes|no)?: yes
Configuring eth0 settings...
Restarting network service...
Done.
[root@TufinOS ~]#

This command is a convenient way to configure the management interface of TufinOS.
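As an added example (not Tufin's code, and not part of the original post), the POSIX shell script below shows the file-level equivalent of the "traditional" way: it validates the addresses, checks that the gateway actually lies in the interface's subnet, and renders a RHEL/CentOS-style ifcfg-eth0 fragment. The key names are the standard ifcfg ones; writing the result to /etc/sysconfig/network-scripts is deliberately left to the caller.

```shell
#!/bin/sh
# Added example: render an ifcfg-eth0 fragment for the TOS management
# interface after sanity-checking the input, the way config_mgmt_if prompts
# for it. Hypothetical helper, not part of TufinOS.

# ip_to_int 192.168.1.1 -> 3232235777 ; fails on anything that is not a
# dotted quad of 0-255 (leading zeros rejected to avoid octal surprises)
ip_to_int() {
    ifs_save=$IFS
    IFS=.
    set -- $1
    IFS=$ifs_save
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP NETMASK GATEWAY -> success if gateway is in IP's subnet
same_subnet() {
    a=$(ip_to_int "$1") || return 1
    m=$(ip_to_int "$2") || return 1
    g=$(ip_to_int "$3") || return 1
    [ $(( a & m )) -eq $(( g & m )) ]
}

# render_ifcfg IP NETMASK GATEWAY [DNS1 [DNS2 ...]] -> prints ifcfg-eth0
# contents on stdout, or fails without output on invalid input
render_ifcfg() {
    same_subnet "$1" "$2" "$3" || {
        echo "gateway $3 is not in the subnet of $1/$2" >&2; return 1; }
    printf 'DEVICE=eth0\nBOOTPROTO=static\nONBOOT=yes\n'
    printf 'IPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' "$1" "$2" "$3"
    n=1
    shift 3
    for d in "$@"; do
        ip_to_int "$d" >/dev/null || { echo "bad DNS address $d" >&2; return 1; }
        printf 'DNS%d=%s\n' "$n" "$d"
        n=$((n + 1))
    done
}

# Same values as the session above; redirect to a file to keep the result.
render_ifcfg 192.168.1.1 255.255.255.0 192.168.1.254 192.168.1.253 192.168.2.253
```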


OpenSSL vulnerability affects TufinOS also

Details
TufinOS
Last Updated: 19 May 2016

Problem

On May 3rd, the OpenSSL project team announced the release of OpenSSL 1.0.2h and 1.0.1t. These versions address several vulnerabilities.
One of the most severe is the OpenSSL Memory Corruption Vulnerability (CVE-2016-2108), which also affects TufinOS (as it does many other Linux distributions).

Solution

If you run Tufin TOS on Red Hat Enterprise Linux or CentOS, please download the updated packages and install them on your system.
Tufin is working on a patch for the OpenSSL Memory Corruption Vulnerability. Patches for TufinOS 2.11 and TufinOS 1.22 are scheduled for the week of May 16th, so an update will be possible next week. If you don't run the latest version, an upgrade might be necessary before installing the patch.
Further information will be provided by e-mail upon request.


19.05.2016 - Update:
The patch for TufinOS 2.11 is available now: https://portal.tufin.com/Doc/Default.aspx?id=1208 (Authentication necessary)
For TufinOS 1.22, the patch will be published after Red Hat has published a patch for RHEL 5.


glibc vulnerability in TufinOS 2.x

Details
TufinOS
Last Updated: 19 February 2016

Please update your TufinOS


Google Security has found a vulnerability in glibc, a commonly used library:
https://googleonlinesecurity.blogspot.co.il/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library.

Tufin points out that a patch is needed for TufinOS 2.10:

  • TufinOS 1.x isn't vulnerable
  • TufinOS 2.x is vulnerable

Tufin has published a patch for TufinOS 2.10:
https://portal.tufin.com/Doc/Default.aspx?id=1169

Please install this patch. If necessary, update first so that the patch can be installed.
