Archive | November, 2011

WatchGuard Announces Fireware XTM and WSM v11.5.1

Available for All XTM Appliances

WatchGuard is excited to announce the release of Fireware XTM v11.5.1 and WatchGuard System Manager (WSM) v11.5.1, the latest security operating system for our award-winning XTM appliance line. You can install Fireware XTM OS v11.5.1 on any WatchGuard XTM device, including 2 Series, the new XTM 330, 5 Series, 8 Series, XTM 1050, and XTM 2050 appliances.

Fireware XTM and WSM v11.5.1 marks the first 11.5.x release of our software, and delivers many valuable new capabilities and enhanced features to our already feature-rich XTM products. Though primarily a feature release, v11.5.1 also demonstrates WatchGuard’s continuing commitment to quality with a significant number of bug fixes.

We highlight just a few Fireware XTM v11.5.1’s new features below:

  • A newly designed Log and Report Manager Web UI – We have updated our already information-rich logging and reporting UI to make it dramatically faster and easier to use. It now offers drill-down capabilities on users, applications, URLs visited, and more, as well as pivot capabilities that allow you to find the information you need much faster than before. Some other logging and reporting related updates include:
    • UTC log time stamping, which allows you to always know what time logs arrived, regardless of which time zone your XTM appliance and log server resides in.
    • Report integration with ConnectWise, which allows ConnectWise administrators to automate WatchGuard XTM report creation and delivery to their customers.
  • Mobile VPN with IPSec support for Apple® iOS devices – We have updated our XTM IPSec gateway to allow iPhones, iPads, and iPods to make secure connections to your XTM appliance using Apple’s built-in IPSec client. This update also allows OS X Lion Macs to connect using Lion’s built-in IPSec client as well.
  • Mobile VPN with SSL support for 64-bit Mac clients – Our Mac SSL client now supports 64-bit OS X installations.
  • IPv6 Routing Support – Your XTM appliance can now receive an IPv6 address, use IPv6 DNS/WINS servers, create static IPv6 routes, and support SLAAC router advertisement. 11.5.1 has achieved the IPv6ready.org Gold logo for routing, confirming that the basic “plumbing” — the packet routing building blocks of IPv6 — works correctly. It’s important to note that v11.5.1 does not yet support IPv6 firewall policies, which will come in a later release.
  • Improved Dynamic Routing support – We have updated and improved our Dynamic Routing engine, and it now supports Dynamic Routing in FireCluster configurations as well.
  • SMTP Proxy enhancements to support TLS encryption – Our SMTP proxy now supports and enforces TLS encrypted user authentication and end-to-end message body encryption.
  • Clientless Single Sign-On (SSO) – Fireware XTM v11.5.1 delivers improved SSO accuracy without the need to install SSO client software on all your computers.
  • FIPS Support – XTM devices now meet the overall requirements for FIPS 140-2 Level 2 security, when configured in a FIPS-compliant manner.

In addition to the features and enhancements listed above, 11.5.1 also includes numerous smaller enhancements and many bug fixes in different areas of Fireware and WSM.

If you’re an active LiveSecurity subscriber, you can upgrade to Fireware XTM v11.5.1 free of charge. You can install Fireware XTM v11.5.1 software on any WatchGuard XTM device. Although WatchGuard System Manager v11.5.1 has been designed to manage devices running earlier versions of Fireware XTM v11, it is not possible to install Fireware XTM v11.5.1 on WatchGuard e-Series appliances.

For more information about the feature enhancements included in Fireware XTM v11.5.1, see the Release Notes or What’s New in Fireware XTM v11.5.1.

Does This Release Pertain to Me?

Fireware XTM 11.5.1 is a feature release that also includes many bug fixes. If you have any XTM series appliance and wish to take advantage of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.5.1. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center, which also includes clear installation instructions. Fireware XTM 11.5.1 is an XTM Series only release, and does not work on e-Series appliances. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard Fireware XTM 11.4.2 Available for XTM Appliances

For XTM 2, 5, 8, and XTM 1050 Appliances, and WSM

In August, WatchGuard posted Fireware XTM v11.4.2 to the Articles and Downloads section of our Support web page. At the time, we also performed some website and infrastructure changes that prevented us from emailing the 11.4.2 Software Announcement to our qualified customers. To make sure all our customers know about this exciting new update, we are re-posting the original Fireware XTM 11.4.2 announcement here.


Dear WatchGuard Customer,

WatchGuard is excited to release Fireware XTM v11.4.2. Fireware XTM v11.4.2 demonstrates our continuing commitment to quality to WatchGuard customers, with a significant number of bug fixes and enhancements, including:

  • Firewall policies can now be applied to intra-VLAN traffic
  • Branch office VPN tunnels now work with External Wireless interfaces
  • Support for multiple Mobile VPN with SSL policies for different users/groups from Policy Manager
  • Numerous other bug fixes and stability enhancements.

In addition to the features and enhancements listed above, 11.4.2 includes numerous smaller enhancements and bug fixes in many different areas of Fireware and WSM.

If you’re an active LiveSecurity subscriber, you can upgrade to Fireware XTM 11.4.2 free of charge. You can install Fireware XTM OS v11.4.2 software on any WatchGuard XTM device, including 2 Series, 5 Series, 8 Series, and the XTM 1050. Although WatchGuard System Manager/Policy Manager v11.4.2 has been designed to manage Fireware XTM v11.3 and Fireware XTM v11.4 devices seamlessly, it is not possible to install Fireware XTM OS v11.4.x on WatchGuard e-Series appliances.

For more information about the feature enhancements included in Fireware XTM v11.4.2, see What’s New in Fireware XTM v11.4.2.

Does This Release Pertain to Me?

Fireware XTM v11.4.2 is a feature release that also includes many bug fixes. If you have any XTM series appliance and wish to take advantage of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.4.2. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles and Downloads section of our Support web pages, which also includes clear installation instructions. Fireware XTM v11.4.2 is an XTM Series only release. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Duqu Malware Leverages a Zero Day Windows Kernel Flaw

Over the past year, I’ve spoken a lot about Advanced Persistent Threats (APT), like Stuxnet, at presentations I’ve given around the world. In fact, one of my security predictions for this year concerned the increase in APTs (both as a true threat, and as an overused term). If you’ve paid attention to security news over the past few weeks, you’ve probably read about a new piece of malware that fits the APT category, called Duqu.

In a nutshell, Duqu is the successor to Stuxnet. It shares much of the same source code and seems to come from the same authors. According to Symantec, Duqu seems to be targeting governmental entities, system manufacturers, and the industrial infrastructure industry to gather intelligence data and assets, such as design documents. Experts suspect Duqu’s authors plan to use this intelligence to further future attacks. If you’d like to learn more about Duqu (it’s definitely interesting), see my reference links below. However, today I’d like to focus on the most recent Duqu related development; the discovery of a zero day Windows kernel vulnerability in the Duqu installer.

According to Symantec, CrySyS (the group that originally discovered Duqu) recently recovered the actual installer for the Duqu malware. They learned that the installer file is a Word document that leverages a previously unknown zero day Windows kernel vulnerability to install the malware onto a victim system. Symantec and CrySyS shared this information with Microsoft, and Microsoft has already released an early Security Advisory reacting to the issue. According to Microsoft, the zero day vulnerability involves a flaw in the way the Windows Kernel-mode driver parses TrueType fonts. This may sound surprisingly similar to the Kernel-mode TrueType-related Denial of Service (DoS) vulnerability Microsoft fixed today, but it’s actually a completely separate issue. Microsoft still has not released a patch for this serious zero day vulnerability, but they are working on one now.

Microsoft has suggested a workaround that could mitigate the risk of this zero day flaw. In Windows, you can prevent access to a specific DLL (t2embed.dll). Keep in mind that doing this breaks applications that rely on embedded fonts, so they will not display certain content properly. However, it also prevents the Duqu installer from working. If you’re especially concerned about Duqu, you may want to apply the Fix it workaround Microsoft posted in this Knowledge Base article.
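If you want to verify that the workaround is in place on your hosts (or apply and later undo it yourself), the script below is an added example; it is not code from the original post or from Microsoft’s Fix it package. It assumes an elevated PowerShell prompt on Vista/Server 2008 or later (icacls.exe present) and the function names are my own. The Test function only reads the ACL, so it is safe to run across a fleet to see which machines still carry the restriction after the real patch ships.

```powershell
# Added example (not from the original post or Microsoft): inspect, apply and
# undo the t2embed.dll access restriction Microsoft described as a workaround.
# Assumptions: elevated prompt; icacls.exe available (Vista / Server 2008+).

function Get-T2embedPath {
    # 64-bit Windows carries a second, 32-bit copy of the DLL under SysWOW64.
    $paths = @("$env:windir\system32\t2embed.dll")
    $wow = "$env:windir\syswow64\t2embed.dll"
    if (Test-Path $wow) { $paths += $wow }
    return $paths
}

function Test-T2embedWorkaround {
    # Read-only check: is there a Deny entry for Everyone on each copy of the DLL?
    foreach ($p in Get-T2embedPath) {
        $acl  = Get-Acl -Path $p
        $deny = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -match '^(Everyone|S-1-1-0)$'
        })
        New-Object PSObject -Property @{
            Path              = $p
            WorkaroundApplied = ($deny.Count -gt 0)
            DeniedRights      = (($deny | ForEach-Object { $_.FileSystemRights }) -join ',')
        }
    }
}

function Enable-T2embedWorkaround {
    # Same effect as the published workaround: deny Everyone all access to the DLL.
    # Side effect (as the post notes): applications that render embedded fonts
    # will no longer display that content.
    foreach ($p in Get-T2embedPath) {
        & icacls.exe $p /deny "Everyone:(F)" | Out-Null
    }
}

function Disable-T2embedWorkaround {
    # Remove the Deny entries again, e.g. once the vendor patch is installed.
    foreach ($p in Get-T2embedPath) {
        & icacls.exe $p /remove:d Everyone | Out-Null
    }
}

# Report the current state.
Test-T2embedWorkaround | Format-Table Path, WorkaroundApplied, DeniedRights -AutoSize
```

Run `Enable-T2embedWorkaround` to apply the restriction and `Disable-T2embedWorkaround` to lift it; both target the SysWOW64 copy as well on 64-bit systems, which is easy to forget when doing this by hand.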

That said, there may be a few easier ways to help keep Duqu out of your network:

  • Use up-to-date antivirus (AV): AV companies now have some samples of Duqu, so they also have signatures to prevent some strains of this malware. That said, APT authors use the most advanced attack techniques, and often repack or re-encrypt their malware, which sometimes allows it to evade AV. Unfortunately, you can’t totally rely on traditional AV with APT threats.
  • Inform your users of suspicious Word documents: A simple way to avoid Duqu is to inform your users of the threat, and warn them not to interact with unsolicited Word documents.

The LiveSecurity team will continue to follow Duqu developments, and will inform you of any new developments, including when Microsoft releases a patch for the zero day Kernel flaw. — Corey Nachreiner, CISSP (@SecAdept)

References:


Four Windows Bulletins: Critical TCP/IP Vulnerability Allows Remote Root

Bulletins Affect TCP/IP, Active Directory, Windows Mail, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (though most only affect more recent versions of Windows)
  • How an attacker exploits them: Multiple vectors of attack including sending specially crafted packets, or enticing users into opening booby-trapped files
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing four vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees, with most of this month’s bulletins affecting Windows Vista, 7, and Server 2008. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-083: TCP/IP Remote Code Execution Vulnerability

As you would expect, the Windows TCP/IP stack is the set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from an integer overflow flaw involving its inability to properly parse a continuous flow of specially crafted UDP packets. By sending such packets, an attacker could leverage this flaw to gain complete control of your Windows computer. This flaw only affects Windows Vista, 7, and the Server 2008 versions of Windows. That said, this is a serious vulnerability, and we recommend you patch it immediately.
Microsoft rating: Critical

  • MS11-085: Windows Mail and Meeting Space Insecure Library Loading Vulnerability

Windows Mail is the default email client that ships with Windows, and Meeting Space is a built-in document and desktop sharing application. Unfortunately, both of these components suffer from the insecure Dynamic Link Library (DLL) loading class of vulnerability that we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a specially crafted, malicious DLL file. If you open the booby-trapped file, it executes code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by file types associated with Mail and Meeting Space, specifically .EML and .WCINV files.
Microsoft rating: Important.

  • MS11-086: Active Directory Elevation of Privilege Vulnerability

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. Among its many options, AD allows you to authenticate using certificates. AD suffers from a certificate handling vulnerability when configured to use LDAP over SSL (LDAPS). In short, AD doesn’t properly recognize revoked SSL certificates, which means an attacker can use a revoked certificate to authenticate and possibly gain access to your systems. However, the attacker would first have to somehow gain access to the revoked certificate for a valid account on your domain to leverage this flaw, which significantly mitigates its severity. If an attacker has access to valid account certificates, revoked or not, you already have a serious problem on your hands.
Microsoft rating: Important.
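The core of this bulletin is a validator that accepts a certificate without consulting its revocation status. For contrast, here is what a fail-closed check looks like, as an added example that is not part of the original alert or of Microsoft’s fix: it builds the chain with the .NET X509Chain class, asks for online revocation checking of the entire chain, and rejects both a certificate that is revoked and one whose status cannot be determined. It assumes the host can reach the CRL or OCSP distribution points named in the certificates; the function name and the usage loop over the machine’s Personal store are my own.

```powershell
# Added example (my code, not Microsoft's or WatchGuard's): a fail-closed
# revocation check for an X.509 certificate using System.Security.Cryptography.
# Assumption: CRL/OCSP endpoints in the certificate are reachable; if they are
# not, the status comes back as unknown and the certificate is rejected.

function Test-CertificateTrustWithRevocation {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check every certificate in the chain, not only the leaf, and do it live.
    $chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $built  = $chain.Build($Certificate)
    # ChainStatus is empty when everything checked out; otherwise one entry per problem.
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    $revoked = $status -contains 'Revoked'
    # "Unknown" and "offline" are treated exactly like "revoked": fail closed.
    $unknown = ($status -contains 'RevocationStatusUnknown') -or ($status -contains 'OfflineRevocation')

    New-Object PSObject -Property @{
        Subject           = $Certificate.Subject
        Thumbprint        = $Certificate.Thumbprint
        ChainBuilt        = $built
        Revoked           = $revoked
        RevocationUnknown = $unknown
        Trusted           = ($built -and -not $revoked -and -not $unknown)
        Status            = ($status -join ', ')
    }
}

# Usage: check every certificate in the machine's Personal store.
# To check a single exported certificate instead (placeholder path):
#   $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\client.cer'
#   Test-CertificateTrustWithRevocation -Certificate $cert
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateTrustWithRevocation -Certificate $_ } |
    Format-Table Subject, Trusted, Revoked, RevocationUnknown, Status -AutoSize
```

The design point is the `Trusted` column: a chain that builds is not enough, and a revocation lookup that silently fails is not a pass. A validator that treated either of those as success would behave like the unpatched LDAPS path described above.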

  • MS11-084: Kernel-mode Driver Denial of Service Vulnerability

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The kernel-mode driver suffers from a Denial of Service (DoS) vulnerability involving the way it handles specially crafted TrueType font files. By enticing one of your users to open a specially crafted font file, or to browse to a share hosting such a file, an attacker could exploit this flaw to cause your system to stop responding, until you restart it. This flaw only affects Windows 7 and Server 2008 R2.
Microsoft rating: Moderate.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-083:

MS11-085:

* Server Core installations not affected: If you chose the “Server Core” installation option, Windows does not install unnecessary client applications, such as Mail or Meeting Space.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Windows Bulletins Primarily Affect Recent Versions

As expected, today’s Patch Day has a Windows theme, since all of Microsoft’s security bulletins affect Windows or components that ship with it. More importantly, most of the updates primarily affect modern versions of Windows, such as Windows Vista, 7, or Server 2008; only one of the Important bulletins affects older versions of Windows.

A remote code execution flaw in the Windows TCP/IP stack is, by far, the worst flaw this batch of security updates fixes. By sending a stream of specially crafted UDP packets, an attacker could exploit this flaw to gain complete control of a Windows Vista, 7, or Server 2008 computer. UDP packets on any port would work. If you allow any UDP packets through your firewall, attackers could leverage this flaw to pop your computer. I highly recommend you apply Microsoft’s Windows updates as soon as you can, especially if you run a more recent version of Windows.
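Since the exposure described here (and in the MS11-083 entry of the consolidated alert above) is any inbound UDP your firewall lets through, a quick host-side audit is useful while you schedule the patch. The script below is an added example, not code from the original post or from WatchGuard; it uses the Windows Firewall with Advanced Security COM API (HNetCfg.FwPolicy2, Vista/Server 2008 and later) to list the enabled inbound allow rules that admit UDP, flags the ones open to any remote address, and reports which profile is active. The numeric constants are the documented NET_FW_* enumeration values; the function name is my own.

```powershell
# Added example (my code, not from the original post): list host-firewall rules
# that currently admit inbound UDP, the traffic MS11-083 is triggered by.
# Uses the HNetCfg.FwPolicy2 COM object (Vista / Server 2008 and later).

# Values from the NET_FW_RULE_DIRECTION / NET_FW_ACTION / NET_FW_IP_PROTOCOL /
# NET_FW_PROFILE_TYPE2 enumerations.
$NET_FW_RULE_DIR_IN      = 1
$NET_FW_ACTION_ALLOW     = 1
$NET_FW_IP_PROTOCOL_UDP  = 17
$NET_FW_IP_PROTOCOL_ANY  = 256
$NET_FW_PROFILE2_DOMAIN  = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4

function Get-InboundUdpAllowRules {
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($rule in $policy.Rules) {
        # Keep only enabled, inbound, allow rules whose protocol is UDP or "any".
        if (-not $rule.Enabled) { continue }
        if ($rule.Direction -ne $NET_FW_RULE_DIR_IN) { continue }
        if ($rule.Action    -ne $NET_FW_ACTION_ALLOW) { continue }
        if (($rule.Protocol -ne $NET_FW_IP_PROTOCOL_UDP) -and
            ($rule.Protocol -ne $NET_FW_IP_PROTOCOL_ANY)) { continue }

        # Profiles is a bitmask; decode it for the report.
        $profiles = @()
        if ($rule.Profiles -band $NET_FW_PROFILE2_DOMAIN)  { $profiles += 'Domain' }
        if ($rule.Profiles -band $NET_FW_PROFILE2_PRIVATE) { $profiles += 'Private' }
        if ($rule.Profiles -band $NET_FW_PROFILE2_PUBLIC)  { $profiles += 'Public' }

        $proto = 'UDP'
        if ($rule.Protocol -eq $NET_FW_IP_PROTOCOL_ANY) { $proto = 'Any' }

        New-Object PSObject -Property @{
            Name            = $rule.Name
            Protocol        = $proto
            LocalPorts      = $rule.LocalPorts
            RemoteAddresses = $rule.RemoteAddresses
            # '*' means the rule accepts the packets from every source address.
            OpenToAnySource = ($rule.RemoteAddresses -eq '*')
            Program         = $rule.ApplicationName
            Profiles        = ($profiles -join '/')
        }
    }
}

function Get-ActiveFirewallProfile {
    # CurrentProfileTypes is the same bitmask; more than one profile can be active.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $active = @()
    if ($policy.CurrentProfileTypes -band $NET_FW_PROFILE2_DOMAIN)  { $active += 'Domain' }
    if ($policy.CurrentProfileTypes -band $NET_FW_PROFILE2_PRIVATE) { $active += 'Private' }
    if ($policy.CurrentProfileTypes -band $NET_FW_PROFILE2_PUBLIC)  { $active += 'Public' }
    return ($active -join '/')
}

"Active profile(s): $(Get-ActiveFirewallProfile)"
Get-InboundUdpAllowRules |
    Sort-Object OpenToAnySource -Descending |
    Format-Table Name, Protocol, LocalPorts, RemoteAddresses, OpenToAnySource, Profiles -AutoSize
```

Rows with `OpenToAnySource` set and a profile matching the active one are the ones that matter for this flaw; rules scoped to `LocalSubnet` or a fixed remote address limit who can reach the port, which is the same reasoning the post applies to your perimeter firewall.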

You can learn more about today’s updates in Microsoft’s November summary bulletin. As is normally the case with Microsoft updates, you should probably test the patches before deploying them in your production network — especially the ones that affect server software.

I’ll post the more detailed, consolidated Windows alert here shortly. Stay tuned. – Corey Nachreiner, CISSP

November Patch Day to Deliver Four Windows Updates

Another month has quickly snuck by this year, which means another Microsoft Patch Day will soon be upon us.

According to their Advanced Notification post for November, Microsoft plans to release four security bulletins next Tuesday, all of them affecting Windows (and components that ship with it). They rate one update as Critical, two as Important, and the remaining one as Moderate. The updates fix the same number of vulnerabilities (specifically four flaws), and will require Windows reboots to complete.

Obviously, you should always try to apply Critical updates as soon as you can, since they tend to fix vulnerabilities that allow attackers to gain full control of your computer with little to no user interaction. I’ll know more about these bulletins on Tuesday, November 8 and will post details about them here. — Corey Nachreiner, CISSP (@SecAdept)