
Skybox Appliance Release Notes

11.0.300

CentOS Linux release 7.8.2003 (Core)


Proprietary and Confidential to Skybox Security. © 2020 Skybox Security,
Inc. All rights reserved.
Due to continued product development, the information contained in this
document may change without notice. The information and intellectual property
contained herein are confidential and remain the exclusive intellectual property of
Skybox Security. If you find any problems in the documentation, please report
them to us in writing. Skybox Security does not warrant that this document is
error-free.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means—electronic, mechanical, photocopying,
recording, or otherwise—without the prior written permission of Skybox Security.
Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network
Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox
Change Manager, Skybox Appliance 5500/6000/7000/8000/8050, and the
Skybox Security logo are either registered trademarks or trademarks of Skybox
Security, Inc., in the United States and/or other countries. All other trademarks
are the property of their respective owners.

Contact information
Contact Skybox using the form on our website or by emailing
info@skyboxsecurity.com
Customers and partners can contact Skybox technical support via the Skybox
Support portal
Contents

Introduction
Known limitations
    Removing old Nmap packages
    Ensuring compliance with SSH Cryptographic Settings
Support issues fixed in this ISO
Behavioral changes in Skybox Appliance
Fixed vulnerabilities

Skybox version 11.0.300 3


Chapter 1

Introduction
This document includes information about Skybox Appliance for Skybox version
11.0.300, including known limitations, support issues fixed in this ISO,
behavioral changes, and fixed vulnerabilities.
Unless otherwise noted, the information in this document is relevant to all
Skybox Appliances, including virtual Appliances.

Skybox version 11.0.300 4


Chapter 2

Known limitations
› Skybox Appliance is not supported on IPv6-only networks; it requires an IPv4
address.
› In some older versions, it is not possible to run an operating system update
on the Appliance as the skyboxview user.
Workaround:
1. Run the following command as the root user: usermod -a -G wheel skyboxview
2. Reboot the machine.

› Hostnames that include underscores should not be used.


Due to the updated RFC 3986, which claims that underscores are unsafe in
virtual host server names, Apache does not allow virtual hostnames with
underscores.
Workaround: Change the underscores "_" to hyphens "-" in the hostnames
("host-name" instead of "host_name").

Security updates when updating Skybox Appliance


For customers using the Appliance update patch to update their Skybox
Appliance to this release (as explained in Updating the operating system on
Skybox Appliance in the Skybox Appliance Quick Start Guide), the following 2
security updates are not implemented by the patch and must be performed
manually.
Note: These security updates were implemented starting in ISO release
10.1.205 for newly installed Appliances. If you upgraded to ISO release 10.1.205
using the Appliance update patch and applied these fixes manually, you do not
need to apply them again after upgrading to ISO release 11.0.302.

› Removing old Nmap packages
› Ensuring compliance with SSH Cryptographic Settings

Removing old Nmap packages


Previous versions of the Skybox appliance ISO may include the following
packages:

› nmap-6.40-19.el7.x86_64
› nmap-ncat-6.40-19.el7.x86_64
These packages are vulnerable according to CVE-2018-15173 Nmap Denial Of
Service Vulnerability.


These packages are no longer required and are not included in the Appliance ISO
as of version 10.1.200.
Customers upgrading their Skybox appliance to version 10.1.200 (or later) using
the Appliance update patch will still have these vulnerable Nmap packages on
their system, as the patch does not remove any installed packages.
We strongly recommend that you remove these packages manually.

To remove the Nmap packages

› Run the following command as the root user: yum erase nmap-ncat

Ensuring compliance with SSH Cryptographic Settings


To ensure compliance with SSH Cryptographic Settings
1 As the root user, open /etc/ssh/sshd_config
2 Scroll down and locate:
#Only allow strong ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

3 Replace these lines with:


#Only allow strong ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
#Only allow approved key exchange algos (exclude diffie-hellman-group1-sha1)
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
#Only allow approved MACs
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

4 Restart sshd by running:


systemctl restart sshd.service
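
The check below is an added example, not part of the Skybox release notes or Skybox tooling. It audits an sshd_config file against the three algorithm lists from step 3 and reports every configured algorithm outside them, as well as directives that are absent. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Approved lists, copied from step 3 of the procedure above.
APPROVED_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc"
APPROVED_KEX="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1"
APPROVED_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"

# audit_directive KEYWORD FILE APPROVED_LIST
# sshd uses the first value it finds for a keyword, so only the first
# uncommented occurrence is checked. Keywords are case-insensitive.
# The body runs in a subshell so the IFS change does not leak to the caller.
audit_directive() (
    configured=$(awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }' "$2")
    if [ -z "$configured" ]; then
        echo "$1: MISSING (sshd built-in defaults apply)"
        return 1
    fi
    bad=0
    IFS=,
    for alg in $configured; do
        case ",$3," in
            *",$alg,"*) ;;
            *) echo "$1: $alg not in approved list"; bad=1 ;;
        esac
    done
    return "$bad"
)

# Returns 0 only if all three directives are present and fully approved.
audit_sshd_config() {
    status=0
    audit_directive Ciphers "$1" "$APPROVED_CIPHERS" || status=1
    audit_directive KexAlgorithms "$1" "$APPROVED_KEX" || status=1
    audit_directive MACs "$1" "$APPROVED_MACS" || status=1
    return "$status"
}

# Constructed sample: the pre-change lines shown in step 2, nothing else.
make_sample_old_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#Only allow strong ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
EOF
    echo "$f"
}

sample=$(make_sample_old_config)
audit_sshd_config "$sample" || echo "=> $sample does not match step 3"
rm -f "$sample"
```

On an Appliance, run audit_sshd_config /etc/ssh/sshd_config after step 3. Running sshd -t before step 4 confirms that the edited file parses, so a typo in a joined algorithm list is caught before sshd is restarted.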



Chapter 3

Support issues fixed in this ISO


The following support issues are fixed in this ISO (11.0.300).
Issue key   CRM IDs        Summary
AP-558      91914          Vulnerabilities found on Skybox server and collector
AP-576      93958, 94989   Default routing on bond interface removed from appliance after reboot
AP-577      94300          Misinformation in the Quick start guide
AP-583      93200          Request to add iptables-services package to appliance ISO



Chapter 4

Behavioral changes in Skybox Appliance
The following behavioral changes were made in this ISO (11.0.300):
Issue key   Summary

AP-584      PenTest: Username Harvesting
            In the Appliance WebAdmin, the indications for an invalid
            username/password and for a temporarily locked user account (due
            to 5 or more failed login attempts) are now the same. To avoid
            username harvesting, there is no indication that a user is denied
            login because the account is locked.

AP-606      Changes to default partitioning during ISO installation
            The minimum disk size for partitioning was raised from 200G to
            500G. Installing the ISO on virtual appliances with storage space
            up to 500G will not partition the disk.



Chapter 5

Fixed vulnerabilities
The vulnerabilities in the following table, found in version 10.1.200, were fixed
for version 11.0.300.
CVE             SBV-ID      Exploit Status     Severity  Description
CVE-2019-16746  SBV-107691  No Exploit         Critical  Linux Kernel <=5.2.17 Remote Buffer Overflow Vulnerability - CVE-2019-16746
CVE-2019-17666  SBV-108901  No Exploit         High      Linux Kernel <=5.3.6 Remote Buffer Overflow Vulnerability - CVE-2019-17666
CVE-2019-9503   SBV-102982  No Exploit         High      Linux Kernel Remote Code Execution Vulnerability - CVE-2019-9503
CVE-2019-11487  SBV-100812  Exploit Available  High      Linux Kernel <5.1-rc5 Local DoS Vulnerability due to Overflow in _refcount - CVE-2019-11487
CVE-2019-10639  SBV-103299  No Exploit         High      Linux Kernel Remote Restrictions Bypass Vulnerability - CVE-2019-10639
CVE-2019-15916  SBV-106962  No Exploit         High      Linux kernel <5.0.1 DoS Vulnerability - CVE-2019-15916
CVE-2019-13233  SBV-103284  No Exploit         High      Linux Kernel 4.15 - 5.1.8 Local Use After Free Vulnerability - CVE-2019-13233
CVE-2019-14283  SBV-104529  No Exploit         Medium    Linux Kernel <5.2.3 Integer Overflow and Out-of-Bounds Read Vulnerability - CVE-2019-14283
CVE-2018-20169  SBV-95403   No Exploit         Medium    Linux Kernel <4.19.9 Local Unspecified Vulnerability - CVE-2018-20169
CVE-2019-11135  SBV-109851  Exploit Available  Medium    Linux Kernel Local Information Disclosure due to TSX Asynchronous Abort in Intel CPUs - CVE-2019-11135
CVE-2019-10638  SBV-103298  No Exploit         Medium    Linux kernel <5.1.7 Remote Unspecified Vulnerability - CVE-2019-10638
CVE-2019-19338  SBV-110834  No Exploit         Medium    Linux Kernel Incomplete Fix for TAA Vulnerability Allows Local Information Disclosure - CVE-2019-19338
CVE-2019-13648  SBV-104114  No Exploit         Medium    Linux 5.2.1 and Earlier Local DoS Vulnerability - CVE-2019-13648
CVE-2018-7191   SBV-102069  No Exploit         Medium    Linux kernel <4.13.14 Local DoS Vulnerability - CVE-2018-7191
CVE-2015-9289   SBV-104521  No Exploit         Medium    Linux Kernel <4.1.4 Buffer Overflow Vulnerability - CVE-2015-9289
CVE-2019-10207  SBV-110218  No Exploit         Medium    Linux Kernel DoS Vulnerability in Bluetooth - CVE-2019-10207
CVE-2019-12382  SBV-102340  No Exploit         Medium    Linux Kernel <=5.1.5 Local DoS Vulnerability - CVE-2019-12382
CVE-2019-11190  SBV-100181  No Exploit         Medium    Linux kernel <4.8 Local Information Disclosure Vulnerability - CVE-2019-11190
CVE-2019-3901   SBV-101049  No Exploit         Medium    Linux kernel <4.8 Local Information Disclosure Vulnerability - CVE-2019-3901
CVE-2019-18660  SBV-110284  No Exploit         Medium    Linux Kernel <5.4.1 Local Information Disclosure Vulnerability due to Spectre-RSB - CVE-2019-18660
CVE-2019-15221  SBV-106080  No Exploit         Medium    Linux Kernel <5.1.17 DoS Vulnerability via NULL Pointer Dereference - CVE-2019-15221
CVE-2018-19985  SBV-99233   No Exploit         Medium    Linux Kernel <=4.19.8 Local Kernel Address Read Vulnerability - CVE-2018-19985
CVE-2017-17807  SBV-79416   No Exploit         Low       Linux Kernel <4.14.6 Local Restrictions Bypass Vulnerability in the KEYS Subsystem - CVE-2017-17807
CVE-2019-11884  SBV-101448  No Exploit         Low       Linux Kernel <5.0.15 Local Information Disclosure Vulnerability - CVE-2019-11884
-               -           No Exploit         Info      Application/Directories Having Root Privilege In Sudors File Detected
