Snare Enterprise Agent Update
Intersect Alliance has released the following updates to their Enterprise Snare Agents, plus a new MSI package:
Enterprise Windows Agent V 4.3.6 – This release dealt with the following issues (download complete release notes):
- Snare unable to handle network destination starting with numeric value – There was an issue with how a network destination is checked to decide whether it is an IP address or a DNS name. Because of it, a DNS name starting with a numeric value could be treated as an IP address, so the network destination would not be used correctly to send the logs. This only affected sites where the destination address was a DNS name starting with a numeric value. This issue is fixed in this release and the agent now properly distinguishes between a full IP address and a DNS name that begins with a numeric value.
- Fixed same expression comparison – The agent was not correctly processing the internal expression matching for the 4739 “Account Administration” and 4707 “A trust to a domain was removed” events via the objective radio buttons. If individual matching was configured under the "any event" option then the events would still be collected. This patch resolves the collection of these events.
- Potential memory allocation error in Debug Msg – There was an issue with the memory allocation handling while sending the heartbeat. The issue is more prevalent on machines low on virtual memory. It could cause the agent to enter an infinite heartbeat-sending loop and consequently cause a denial of service on the log collector destination(s). This issue is fixed in this release and the memory allocation error is now handled correctly.
- Potential SnareCore crash issue – There was an internal issue with the event log source name check. Because of it, the SnareCore.exe process could crash when the event log source name in the event data was set to a null value, which was unexpected from the Windows API. This issue is fixed in this release: Snare now handles the case properly and logs a warning if the event log source name is null. As a compensating measure, since Snare internally knows the name of the event log source it is pulling events from, it uses that name as the log source if the Windows API replies with a NULL value.
Enterprise Epilog for Windows V 1.8.6 (download complete release notes) and Enterprise Agent for MS SQL V 1.4.7 (download complete release notes)
- Snare unable to handle network destination starting with numeric value – There was an issue with how a network destination is checked to decide whether it is an IP address or a DNS name. Because of it, a DNS name starting with a numeric value could be treated as an IP address, so the network destination would not be used correctly to send the logs. This only affected sites where the destination address was a DNS name starting with a numeric value. This issue is fixed in this release and the agent now properly distinguishes between a full IP address and a DNS name that begins with a numeric value.
Enterprise Agent for Linux V 4.1.9 – a new feature was added (download complete release notes)
- A user should be able to create their own audit.rules file and the Linux Agent should be able to monitor any events it generates – Added the ability to specify a single rule objective with an ‘Any Event’ objective type and a wildcard (‘*’), which indicates that the agent will process all events coming from the audit subsystem. This is useful if the user wishes to use the agent together with a custom audit.rules file.
These updates are now available within your client area. If you have difficulty accessing it, please contact our office with your maintenance number.
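The destination misclassification described above for the Windows, Epilog and MS SQL agents, shown as an added example (not Snare's own code): a first-character heuristic beside a check that only accepts a complete IPv4 or IPv6 literal. All destination names are constructed.

```python
import ipaddress


def naive_is_ip(destination):
    # Flawed heuristic of the kind the release note describes (reconstructed
    # for illustration, not Snare's actual code): a destination whose first
    # character is a digit is assumed to be an IP address.
    return destination[:1].isdigit()


def is_ip_address(destination):
    # Corrected check: only a string that parses as a complete IPv4 or IPv6
    # literal is an IP address. Partial dotted quads such as "1.2.3" and any
    # hostname, digit-leading or not, fall through to DNS resolution.
    try:
        ipaddress.ip_address(destination)
        return True
    except ValueError:
        return False


def classify_destination(destination, check=is_ip_address):
    # Returns "ip" or "dns" for the given destination using the chosen check.
    return "ip" if check(destination) else "dns"


# Constructed sample destinations, including hostnames that start with a
# digit, which the naive check silently mis-routes.
SAMPLE_DESTINATIONS = [
    "10.0.0.5",
    "2001:db8::1",
    "collector.example.com",
    "3rd-floor-collector.example.com",
    "10collector.example.com",
]


def compare(destinations=SAMPLE_DESTINATIONS):
    # Maps each destination to (naive result, corrected result) so the two
    # behaviours can be diffed side by side.
    return {
        d: (classify_destination(d, naive_is_ip), classify_destination(d))
        for d in destinations
    }


if __name__ == "__main__":
    for dest, (naive, fixed) in compare().items():
        print(f"{dest:35} naive={naive:3} fixed={fixed}")
```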
Snare Agent Updates
The following agents have been updated and are available to our clients in their client area:
Windows Agent (V 4.3.5) Release Notes
- includes a new syslog feature – RFC 5424 header versioning and timestamping, added as an optional format choice for the syslog header
- two bug fixes pertaining to sending custom events and USB events
Epilog Agent for Windows (V 1.8.6) Release Notes
MS SQL Agent V 1.4.6 Release Notes
- provides for a fix to a possible memory usage issue.
All include a security update to the OpenSSL library.
For more information refer to the release notes or contact us.
Snare Product Suite Updates – Agents and Server
Updates to the Snare Agents have been released and are available for our clients. The updates include a patch for a vulnerability that was discovered in the Open Source Snare for Windows Agent and that also exists in the Enterprise Agent for Windows. This vulnerability allows a Cross Site Scripting (XSS) attack to be triggered from the agent's latest events screen. The exploit uses smbclient from a Unix machine to generate a false userid that contains JavaScript, and does not require any authentication to generate the event. For more information on this exploit please click here.
The vulnerable products include the Enterprise Agent for Windows, the Enterprise Agent for MS SQL and the Open Source Agent for Windows. At this time there is no patch for the Open Source Windows agent.
Also released is the Snare Server Version 7.1.0, which also provides for a patch of the latest libc DNS vulnerability.
All release notes are available within the client areas or click here.
Enterprise Snare Agent Update
Please be advised that two of the Enterprise Snare Agents have patch updates available – the Enterprise Snare Agent for Windows and the Enterprise Snare Agent for MS SQL.
For the Enterprise Snare Agent for Windows:
- Improve debugging output
Enhanced debugging support has been added to the Windows agent. To write debug logs to a file, stop the Snare service and then run the agent from an administrative console, e.g. SnareCore.exe -c -d9 >> log.txt
The log.txt file will then include the event IDs of all the events that SnareCore captures, regardless of whether they are ignored by objectives.
- Windows Agent Crashing on occasion with USB events
There was an issue with the registry bookmark handling of events, especially when dealing with USB events (where "Enable active USB auditing?" is selected under Network Configuration in the web UI). Because of it, Snare could crash while processing USB events. This issue is fixed in this release and bookmarks and USB events now work correctly together.
Snare Enterprise Agent for MS SQL
- SnareMSSQL does not remove its service on uninstall
An issue was identified with the uninstaller of the SnareMSSQL v1.4.1, v1.4.2 and v1.4.3 agent versions. If the uninstaller was run on a standalone SQL Server machine, it could fail to remove the SnareMSSQL service, which was then left in a disabled state requiring a reboot to clear. This issue is fixed in this release; the uninstaller now removes the SnareMSSQL service correctly during uninstall.
- The MS SQL agent picks the machine hostname for current events instead of the event hostname
An issue was found for installs that use cluster mode with the ‘system’ column on the current events page. Because of it, the machine hostname was sometimes shown in the system column instead of the name of the currently active cluster node. This issue is fixed in this release and the system column now shows the appropriate active node name.
- Issue with the loadinf option on cluster machine
- Error handling astray when checking groups
An issue was found with the way errors were reported in the web UI during the ‘Check Groups’ operation from the objective page. Because of it, each new error was appended to the previous one, producing confusing error text. This issue is fixed in this release.
These updates can be downloaded from your client area; should you wish for more information, please contact us.
Snare Agents Advisory – Agent Denial of Service
New agents were released on June 30th; please see the release notes available at the client login page.
A vulnerability exists in some versions of the Snare Agents which can be triggered to terminate the Snare service. The exploit attempts to overflow an input buffer in the remote management interface, and can be performed by an unauthenticated user using a custom-crafted URL.
Impact
This vulnerability does not allow the attacker to gain privileged access, but it does affect the operation of the agent.
Vulnerable Products
This affects the following Snare Enterprise products:
– Snare Enterprise Agent for Windows
– Snare Enterprise Agent for MSSQL
– Snare Enterprise Epilog for Windows
– Snare Enterprise Epilog for Unix
– Snare Enterprise Agent for OSX
– Snare OpenSource Agents
Countermeasures
– Disabling the remote control interface (GUI) will block this issue. Note that disabling the remote control interface will also disable the ability of the agent management console to manage the affected agent.
– Appropriate network firewall controls will limit the sources from which this exploit can be triggered.
– Some Unix operating systems can detect the attack as a potential SYN flood and block the source system.
Vulnerable Versions
The following versions of Snare Enterprise agents, and all versions prior to these versions, should be considered vulnerable to this issue:
– Snare Enterprise Agent for Windows v4.2.12
– Snare Enterprise Agent for MSSQL v1.3.4
– Snare Enterprise Epilog for Windows v1.7.12
– Snare Enterprise Epilog for Unix v1.5.5
– Snare Enterprise Agent for OSX v1.1.3
All versions of the listed OpenSource/SnareLite agents, and prior versions, should be considered vulnerable to this issue:
– Snare OpenSource Agent for Windows v4.0.2.0
– Snare OpenSource Epilog for Windows v1.6.0
– Snare OpenSource Epilog for Unix v1.5.0
Patched Versions
The following versions of the Snare Enterprise agents have been patched, and are no longer vulnerable to this issue:
– Snare Enterprise Agent for Windows v4.3.0
– Snare Enterprise Agent for MSSQL v1.4.0
– Snare Enterprise Epilog for Windows v1.8.0
– Snare Enterprise Epilog for Unix v1.5.6
– Snare Enterprise Agent for OSX v1.1.4
For users who are running the OpenSource/SnareLite agents, it is recommended that the remote control interface be disabled. There is no schedule for fixes to the OpenSource/SnareLite agents at this time.