Revision as of 02:10, 10 July 2017

Applicable Products

• TMG800, TMG3200, TMG7800-CTRL
• Tdev Linux server with (CentOS, RedHat, etc) running Toolpack software

Introduction

This page discusses some means for improving the overall security of Telcobridges system against unwanted attacks and vulnerabilities with adverse exposure as introduced from internet or connecting to network in general.

Management Port Protection

Keep the management port in a protected environment (behind a firewall). Other ports do not have access to the OS (unless configured on the web portal). Normally, other ports on the system are configured with services other than management, for example, Voip0 is configured with SIP and RTP and this port will care for these specific protocols only and discard the rest.

SSH Access Security

Use a strong password for the SSH access. Default password is a quite strong password that including alpanumerical and symbol characters, etc. in lengthly number.

CentOS Update for New Packages

• Keep system CentOS with database /and Ruby up to date as needed, using yum update or through web portal by doing upgrade linux packages, see Upgrade CentOS.
• Telcobridges has adopted a proactive OS update practice and managing Telcobridges repository.
• Also, on January 27, 2015, a vulnerability named "GHOST" in the glibc library was publicly announced. GHOST is also referred as CVE-2015-0235. The vulnerability is a buffer overflow in the gethostbyname family of functions that can allow arbitrary code execution. See GHOST for details on what is affected and update procedure of CentOS 5 from Telcobridges repository.

Web Portal Access Securiry

Web Portal access security enhancement is available on Toolpack 2.10.19 and onwards

• After a web portal failed login access, it will wait about 2 seconds, to prevent brute force attack on web portal login
• There will be new password complexity requirements such as,
  • At least 8 characters total
  • At least 1 upper case character
  • At least 1 lower case character
  • At least 1 number
  • At least 1 special character
• User account disabling (there will be a check box to indicate active users account), uncheck it will disable the account
• Password confirmation when creating/editing users
• Web session auto-logout after a certain amount of time without activity (default 30 mins)

Command line interface

• login with root account

[root@TB011107 ~]# uname -m
x86_64

• If the result is not "x86_64", please contact TelcoBridges support, otherwise you can proceed with either method below.
• Follow one of the two options depending if Internet is accessible from the unit

Option #1 - TMG unit or Linux server with access to Internet (i.e. with DNS configured)

• update OS packages with yum

yum clean all
yum update

• reboot the unit

reboot

Option #2 - TMG unit or Linux server without access to Internet

• download the following packages to your PC:
  • http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-2.5-123.el5_11.1.x86_64.rpm
  • http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-common-2.5-123.el5_11.1.x86_64.rpm
  • http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-devel-2.5-123.el5_11.1.x86_64.rpm
  • http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-headers-2.5-123.el5_11.1.x86_64.rpm
  • http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/nscd-2.5-123.el5_11.1.x86_64.rpm
• Using WinSCP or similar tool, upload the files to the TMG unit using the root account
• login with root account
• Install packages

yum localinstall glibc-2.5-123.el5_11.1.x86_64.rpm \
  glibc-common-2.5-123.el5_11.1.x86_64.rpm \
  glibc-devel-2.5-123.el5_11.1.x86_64.rpm \
  glibc-headers-2.5-123.el5_11.1.x86_64.rpm \
  nscd-2.5-123.el5_11.1.x86_64.rpm

• Note: that operation might take a long time since yum will probably experience timeouts when trying to access the external repositories.
• Reboot the unit

reboot

How to verify if the vulnerability is fixed?

• login with root account
• execute the following to create a test script

cat > rhel-GHOST-test.sh << FOF
#!/bin/bash
# rhel-GHOST-test.sh -  GHOST vulnerability tester. Only for CentOS/RHEL based servers.  #
# Version 3
# Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/ #
echo "Installed glibc version(s)"

rv=0
for glibc_nvr in \$( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=\$( echo "\$glibc_nvr" | awk -F- '{ print \$2 }' )
    glibc_maj=\$( echo "\$glibc_ver" | awk -F. '{ print \$1 }')
    glibc_min=\$( echo "\$glibc_ver" | awk -F. '{ print \$2 }')

    echo -n "- \$glibc_nvr: "
    if [ "\$glibc_maj" -gt 2 -o \( "\$glibc_maj" -eq 2  -a  "\$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "\$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ \$rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi

exit \$rv

FOF

• Execute the script

chmod +x rhel-GHOST-test.sh
./rhel-GHOST-test.sh

• You should not see the 'vulnerable' string displayed

Verify system timezone

We found that some systems got the timezone reset to EST time after the GHOST patch procedures

• Verify the timezone on the system

date

If it differs from the original, reset the timezone using the tbtimezone script.

References

• https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
• https://access.redhat.com/articles/1332213
• http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/