Top Middle East Cyber Threats- 28 January 2019
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) Are you Ready for DNS Flag Day?
On or around the 1st of February, significant changes will be made by a large number of Domain Name System (DNS) and internet service providers, as major open source resolver vendors will release updates that implement stricter Extension mechanisms for DNS (EDNS) handling. “Stricter handling” means, most software that run DNS for the Internet will make no attempt to disable EDNS when they receive a query timeout. It means all servers that don’t respond correctly to EDNS queries will be treated as DEAD. This change will affect sites operating non-compliant software and means your sites could potentially be unavailable to a lot of users if you don’t get this fixed.
This “day” is being referred to as DNS Flag Day since many changes will occur on or around this specific day across the world. Whilst this is not a cyber-attack, it is true that post the 1st of Feb, users are likely to experience significant issues or problems, akin to denial of service attacks.
All internet users and systems generally rely on DNS, and significant changes to DNS present a threat/risk. Anyone who is using Juniper or F5 products- specifically BIG- IP DNS or GTM may be impacted due to the configuration or version of their devices – these versions or configurations may not enforce strict EDNS compliance, and therefore will introduce problems post-DNS Flag Day.
Remediation:
Please use the table below to verify the F5 BIG-IP TMOS version you are using and confirm whether it is EDNS RFC compliant or non-compliant. If you are running a version listed in the versions known to be EDNS RFC non-compliant, you can achieve EDNS RFC compliance by upgrading to a version listed in the EDNS RFC compliance fixes introduced in the column. However, for more information, we recommend you contact F5 Networks.
| Product | Branch | Versions known to be EDNS RFC non-compliant | EDNS RFC-compliant fixes introduced in | EDNS RFC non-compliant features |
| BIG-IP (DNS, GTM) | 14.x | 14.0.0 – 14.1.0 | 14.0.0.4 | GSLB/Local BIND* |
| 13.x | 13.0.0 – 13.1.1.3 | None | DNS Express | |
| 12.x | 12.1.0 – 12.1.3.7 | 12.1.4 | DNS Cache | |
| 11.x | 11.5.1 – 11.6.3.3 | 11.6.3.4 | FPGA Hardware accelerated Cache | |
| 11.5.8 | ||||
| BIG-IP (AAM, AFM, Analytics, APM, ASM, Edge Gateway, FPS, Link Controller, LTM, PEM, WebAccelerator) | 14.x | None | Not applicable | None |
| 13.x | None | Not applicable | ||
| 12.x | None | Not applicable | ||
| 11.x | None | Not applicable | ||
| Enterprise Manager | 3.x | None | Not applicable | None |
| BIG-IQ Centralized Management | 6.x | None | Not applicable | None |
| 5.x | None | Not applicable | ||
| F5 iWorkflow | 2.x | None | Not applicable | None |
| Traffix SDC | 5.x | None | Not applicable | None |
2) Laying the Seed for Cyber Espionage
Cisco recently patched several security vulnerabilities in some of their products. While most of these vulnerabilities had a medium severity level, some of these are prioritized as critical. Of those critical, two flaws exists in the Cisco Email Security Appliance (ESA) and exploiting these bugs/vulnerabilities could trigger a permanent denial of service (DoS) loop.
Cisco ESA Memory Corruption Denial of Service Vulnerability
This vulnerability exists in the Cisco AsyncOS, a software used for the Cisco ESA. This affects the S/MIME feature of the software that enables an attacker for a remote attack. To exploit this bug, the attacker merely has to send a malicious email to the target device. The targeted device would eventually end up crashing due to a permanent DoS state after repeated attempts of processing this malicious S/MIME-signed email.
At present, Cisco has confirmed the inexistence of any effective workarounds to mitigate this flaw. Thus, it is recommended that users ensure that they have updated their systems at the earliest to protect themselves from such potential incidents.
Cisco ESA URL Filtering Denial of Service Vulnerability
This defect also exists in the Cisco AsyncOS Software and exploiting this bug would allow an attacker to substantially increase the targeted machine’s memory usage, eventually leading to a DoS state.
This vulnerability occurs due to improper filtering of email messages that contain references to whitelisted URLs. An attacker can exploit this vulnerability by sending out a malicious email message that contains a large number of whitelisted URLs. A successful exploit for the same would allow the attacker to cause a sustained DoS condition that can force the affected device to stop scanning and forwarding email messages
This bug affects all software versions prior to the first fixed release of Cisco AsyncOS Software for Cisco ESA (both virtual and hardware), if the URL Filtering as Global Setting feature is enabled and if the URL whitelist is in use. By default, the URL Filtering as Global Setting feature is set as “Disabled”.
Remediation:
To mitigate the URL filtering vulnerability, the below workarounds can be implemented:
- Disabling Global URL Filtering, if the feature is not required.
- Disabling Global URL Filtering and then implement a single whitelist per Content Filter.
Fortunately, these workarounds need not be implemented since Cisco has patched both the bugs before any exploitation was observed in the wild. The users of the Cisco Email Security Appliance (ESA) must, however, ensure they update their systems to these patched versions.
As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cybersecurity needs.
