Tufin.club

XXE Vulnerability in SecureTrack

Details
SecureTrack
Last Updated: 22 November 2018

Tufin points out that a vulnerability has been found in Tufin SecureTrack.

It's an XXE (XML External Entity) vulnerability, as described in Top 10-2017 A4-XML External Entities (XXE), which allows attackers to exploit vulnerable XML processors. They can upload XML or include hostile content in an XML document.

Tufin has provided a first fix to address this issue:

TOS 17-3 HF 4.1

For the following versions, fixes will be made available or included, respectively:

TOS 18-1 HF 3  - scheduled to be published on September 5th, 2018

TOS 18-2 GA - Fix will be included in GA scheduled for release on August 22nd, 2018

Under Tufin's policy for earlier versions, no fix will be published for them. If you use an older version, please upgrade to a supported version.
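
As an added illustration of how an application can refuse the hostile XML described above before it reaches any business logic (this is not Tufin's fix and not SecureTrack code), the following Python example uses the standard library's expat bindings to stop parsing at the first DOCTYPE or entity declaration. The function names and the sample documents are constructed for this example.

```python
import xml.parsers.expat as expat

class _Abort(Exception):
    """Raised inside expat handlers to stop at the first risky construct."""
    def __init__(self, verdict):
        super().__init__(verdict)
        self.verdict = verdict

def classify_xml(data: bytes) -> str:
    """Return 'clean', 'doctype', 'external-dtd', 'internal-entity',
    'external-entity' or 'malformed' for one uploaded document."""
    seen = {"doctype": False}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A DOCTYPE that names an external subset would make a permissive
        # parser fetch a remote or local resource.
        if system_id or public_id:
            raise _Abort("external-dtd")
        seen["doctype"] = True

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities (SYSTEM/PUBLIC), a string for
        # internal ones. Abort before any reference can be expanded.
        raise _Abort("external-entity" if value is None else "internal-entity")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except _Abort as stop:
        return stop.verdict
    except expat.ExpatError:
        return "malformed"
    return "doctype" if seen["doctype"] else "clean"

def accept_upload(data: bytes) -> bool:
    """Policy for this example: only documents without any DTD are accepted."""
    return classify_xml(data) == "clean"

# Constructed sample documents (not taken from any real system).
SAMPLES = {
    "plain": b"<rule><src>10.0.0.1</src></rule>",
    "ext": b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///constructed/placeholder">]><r>&x;</r>',
    "int": b'<!DOCTYPE r [<!ENTITY x "abc">]><r>&x;</r>',
    "dtd_only": b"<!DOCTYPE r><r/>",
    "broken": b"<r>",
}
```

Rejecting every DTD is stricter than XXE alone requires, but it also covers entity-expansion abuse and is usually acceptable for data-exchange formats that never need a DTD.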


Access Request with NAT

Details
SecureChange
Last Updated: 03 August 2018

Sometimes the question arises whether Access Requests can also consider NAT rules.


Option 1:
End users opening an Access Request ticket are mostly not interested in whether NAT is necessary for their request. In most cases they won't even know whether NAT is necessary. So in this case the question of whether NAT should be considered in the ticket is not that important.


Option 2:
An administrator knows that NAT is needed and tries to configure it in the ticket. This is possible:

Opening the object browser allows you to provide IP addresses and NAT addresses.

This results in a specific entry for Destination:

So everything seems ok, BUT this needs to be considered:

  • Risk Analysis doesn't use NAT information
  • Designer doesn't use NAT information
  • Verifier doesn't use NAT information

Due to these facts, it's not really recommended to use NAT in Access Request tickets.


AERAsec is Tufin Service Delivery Partner

Details
Admin Management
Last Updated: 17 June 2018

AERAsec is proud to announce that we are one of the first three Tufin Service Delivery Partners (SDP) worldwide and currently the only one in Central Europe.

https://tcw-8egzwiavysvuu1nzct.netdna-ssl.com/sites/default/files/service-delivery-partner_0.png

Tufin has announced a new partner program, launched in June 2018. The Service Delivery Partner Program enables partners to be more service-ready.

AERAsec has wide experience from many projects helping customers get value from the Tufin Orchestration Suite. The close cooperation with Tufin Technologies will continue even more intensively. So customers will gain additional value not only from experience, but also from a closer cooperation between AERAsec and Tufin. Customers purchasing Tufin products from AERAsec will have an additional advantage because of special conditions regarding these services.

Please contact us if you want to know more about AERAsec delivering Tufin Products and Services.

Another vulnerability in TufinOS

Details
TufinOS
Last Updated: 30 May 2018

In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a new vulnerability has been found.

An industry-wide issue has been found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
See more details here: Speculative Store Bypass and Rogue System Register Read.

This issue will be addressed in TufinOS 2.17 and not by a patch for 2.16. The reasons are a local attack vector and a high attack complexity. The second flaw is rated with a low base score.

So in Tufin 2.17 these issues are addressed. This version is planned for August 2018.
The release of this version will be published by Tufin - and here in this Blog.


Vulnerability in TufinOS

Details
TufinOS
Last Updated: 30 May 2018

In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a command injection flaw has been found in the NetworkManager integration script included in the DHCP Client packages.
It allows attackers who spoof the responses of a DHCP server to execute arbitrary commands with root privileges on vulnerable systems that use NetworkManager and are configured to obtain their network configuration via DHCP.
Further information can be found at Red Hat under CVE-2018-1111 as well as at Tufin.

Since TufinOS 1.x isn't supported any more, no fix will be published.
In TufinOS 2.x this issue is addressed in TufinOS 2.16. Since this is now the current version, the upgrade should be done even if no DHCP Client packages are used.

Please be aware that when using TOS in HA configuration, starting with TufinOS 2.16 the upgrade can be done more easily than before.

Tufin Orchestration Suite 18-1

Details
Version update
Last Updated: 25 April 2018

Tufin has released the first version of the Tufin Orchestration Suite in 2018: R18-1. TOS 18-1 is available as GA now, delivering some improvements, e.g.

Cloud

  • SecureTrack
    Support of AWS AssumeRole as part of the AWS Security Token Service
  • SecureTrack
    Support of the latest Microsoft Azure SDK 1.2.0

Security Policy Change Automation and Orchestration

  • SecureTrack, SecureChange
    Rule Recertification Automation by a specific workflow
  • SecureTrack, SecureChange
    Cisco Firepower Automation (including Target Suggestion, Risk Analysis, Designer and Verifier)
  • SecureChange
    New Workflow Customization Triggers (e.g. when Automatic Step fails, Pre-Assignment Script)
  • SecureChange
    Enhancements for Manual Target Selection
  • SecureTrack, SecureChange
    Stealth Rule is considered now by Designer

Security, Risk, and Compliance

  • SecureTrack
    Automatic Policy Generator (APG) for Palo Alto Panorama and Fortinet FortiManager

Devices and Platforms

  • SecureTrack
    Dynamic Routing Support for Palo Alto and Fortinet
  • SecureTrack, SecureChange
    Extended Generic NAT for Palo Alto
  • SecureTrack, SecureChange
    Topology Support for Cisco Firepower
  • Support of new devices
    • Fortinet FortiManager 5.4.4
    • Fortinet FortiGate 5.2.11
    • F5 13.0
    • Cisco Security Manager 4.15
    • Cisco Firepower 6.2.3
    • Microsoft Azure SDK 1.2.0

REST API

  • Improvements for SecureTrack
    • Parameter show_members for Network Object APIs
    • Network Topology APIs for NSX
    • Retrieve Total Available Records
    • Offline Device APIs
  • Improvements for SecureChange
    • new Tickets API - Confirm

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 
