Categories: Cybercrime
Categories: News
Tags: KillNet

Tags:  CISA

Tags:  DDoS

Tags:  HC3

According to CISA, the pro-Russian KillNet group is actively targeting the US and European healthcare sectors with DDoS attacks.



(Read more...)




The post KillNet hits healthcare sector with DDoS attacks appeared first on Malwarebytes Labs.

At the end of January, the Health Sector Cybersecurity Coordination Center warned that the KillNet group is actively targeting the US healthcare sector with distributed denial-of-service (DDoS) attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) says it helped dozens of hospitals respond to these DDoS incidents.

**DDoS**

A distributed denial-of-service attack uses numerous systems to send network communication requests to one specific target. Often the attackers use enslaved computers, "bots", to send the requests. The result is that the receiving server is overloaded by nonsense requests that either crash the server or keep it so busy that normal users are unable to connect to it.

This type of attack has been popularized by numerous hacker groups, and has been used in state-sponsored attacks conducted by governments. Why? Because they are easy to pull off and hard to defend against.

**KillNet**

KillNet is a pro-Russian group that has been notably active since January 2022. Until the Russian invasion of Ukraine, KillNet was known as a DDoS-for-hire group. Now they are better known for the DDoS campaigns launched against countries supporting Ukraine. In previous campaigns the gang has targeted sites belonging to US airlines, the British royal family, Lithuanian government websites, and many others, but now their main focus has shifted to the healthcare sector. Not for the first time by the way—the group has targeted the US healthcare industry in the past too.

These attacks are not limited to the US. Recently, the University Medical Center Groningen (UMCG) in the Netherlands saw its website flooded with traffic. That attack was attributed to KillNet by the country’s healthcare computer emergency response team, Z-CERT.

The KillNet group runs a Telegram channel which allows pro-Russian sympathizers to volunteer their participation in cyberattacks against Western interests. This sometimes makes it hard to attribute the attacks to this particular group since the attacks will originate from different sources.

**The attacks**

KillNet’s DDoS attacks don't usually cause major damage, but they can cause service outages lasting several hours or even days. For healthcare providers, long outages can result in appointment delays, electronic health records (EHRs) being unavailable, and ambulance diversions.

According to CISA, only half of the KillNet attacks have been able to knock websites offline. CISA says it worked with several tech companies to provide free resources to under-funded organizations that can help them reduce the impact of DDoS attacks. It also plans to continue working with the US Department of Health and Human Services (HHS) to communicate with hospitals about government assistance and third-party services.

**Mitigation**

Although it can be difficult to mitigate DDoS risks, the Health Sector Cybersecurity Coordination Center (HC3) is encouraging healthcare organizations to enable firewalls to mitigate application-level DDoS attacks and use content delivery networks (CDN).

Scrambling for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. So, if you don’t have an “always-on” type of protection, make sure you at least have a plan or protocols in place that you can follow if an attack occurs.

Depending on the possible consequences that would do the most harm to your organization, the chosen solution should offer you one or more of these options:

*   Allow users to use the site as normally as possible.
*   Protect your network from breaches during an attack.
*   Offer an alternative system to work from.

The least you should do is make sure you're aware of the fact that an attack is ongoing. The sooner you know what's going on, the faster you can react in an appropriate manner. Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

*   On-premise protection (e.g. identifying, filtering, detection, and network protection).
*   Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing).

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to the cloud-based solution when it reaches a volume that the on-premise solution cannot handle. Some DDoS protection solutions use DNS redirection to persistently reroute all traffic through the protectors’ network, which is cloud-based and can be scaled up to match the attack. From there, the normal traffic can be rerouted to the target of the attack or their alternative architecture.

CISA encourages all network defenders and leaders to review these three documents:

*   Joint guide: nderstanding and Responding to Distributed Denial-of-Service Attacks
*   CEG: Additional DDoS Guidance for Federal Agencies
*   Tip: Understanding Denial-of-Service Attacks

**Ransomware warning**

Several security agencies and providers have warned that DDoS attacks are being used as cover for actual intrusions involving ransomware and data theft. In these attacks, the DDoS acts as a smokescreen, drawing attention from the far greater danger posed by the ransomware.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

KillNet hits healthcare sector with DDoS attacks

Cybersecurity insurance costs are rising, and insurers are likely to demand more direct access to organizational metrics and measures to make more accurate risk assessments.

The rising cost of ransomware attacks is helping push significant premium increases in cyber-insurance policies in the UK and US, new data shows.

With the average payouts across the past two years averaging more than $3.5 million in the US, a growing number of cybersecurity insurers want direct access to customer security metrics and measures. This would help prove the status of security controls, according to a Panaseer report on the state of the cyber-insurance industry.

However, insurance firms are struggling to accurately understand a customer's security posture, which is in turn affecting price increases.

Nik Whitfield, founder and chairman of Panaseer, notes that 82% of insurers surveyed said they expect the rise in premiums to continue. "The increasing cost of ransomware is putting premiums up, and the increase in the number of attacks, as well as the number of successful attacks, means insurance is getting harder to get and is getting more expensive," he explains.

Meanwhile, 87% of insurers surveyed say they want a more consistent approach to analyzing cyber-risk. "Fundamentally, insurers need better information in order to price the risk — questionnaires aren't going to cut it," Whitfield says. "Having real live data coming from a customer about their security posture is what's going to be required for them to accurately price risk, in the same way that telematics did for car insurance."

The survey found that the most important factor when assessing potential customers' security posture is their cloud security — cited by 40% of survey respondents — followed by security awareness (36%), application security (32%), vulnerability management (31%), privileged access management (31%), and patch management (30%).

One of the likely challenges in the market, Whitfield points out, is the high degree of hesitancy many organizations may have about handing over privileged information about the inner workings of their security posture. "No one wants to share their security information with anybody else because that creates a security risk, and it feels vulnerable to expose intimate information about your security posture to others," he says.

Worst case, there will be companies unable to get insurance because they can't provide sufficient information to get reasonably priced insurance, according to Whitfield.

"In those cases, they will have to do something more extreme, such as providing evidence, information, and hopefully work with their insurer to improve their security posture," Whitfield notes. "It's like any type of risk — the better the risk looks to the insurer, the better your premiums and the easier it will be to get insured. And it'll be no different in cyber."

**Cyber Insurance Market Waffles on Pricing**

The survey indicates that many insurers don't yet have the answer to how to price cybersecurity insurance: While 47% of total respondents said they are "very confident" in their underwriting process, 44% are only "somewhat confident."

"There's some conflicting results that show on the one hand, they're confident in their models, but on the other hand, they're not really confident that they understand how to price it," Whitfield explains. "This is going to evolve over time. But there needs to be an openness and awareness and a conversation with the market about how to do this."

Complicating matters is that the past is never a good predictor when it comes to cybersecurity. "For some kind of risks, the past can give you a good handle on what's going to happen in the future," he says. "In cyber, it's just not the case. We have active adversaries. We have new tools, techniques, and procedures to gain access to our environments, new malware, new applications. The past is no predictor of the future. And that's what makes it so difficult for them to price this."

Insurers and brokers are charging more for policies and setting higher requirements as they face an increasingly complex threat landscape that has taken on a global nature, while the frequency and severity of attacks are increasing.  

A Kaspersky study released in January 2022 and conducted in October 2021 indicated investing in cyber insurance is a growing proactive trend; 28% of respondents said their company annually invests anywhere from $25,000 to $50,000 per year.

From Whitfield's perspective, the outlook for cybersecurity threats is going to get worse before it gets better. "The risk to businesses has been increasing, and the number of breaches and the cost of a breach has been rising steadily in the last few years," he says.

So, how can the insurance industry both support business and make a return at the same time? It will take a partnership between the insured and the insurer, he explains. "I don't think it could be forced by one party or the other, and it needs to be settled with evidence rather than a questionnaire finding out what the opinion of an organization is about a security posture." 

That means insurers getting hard data about an organization's security posture, provided in an efficient, timely way, and with high-quality data that can be relied on. "That will be the real revolution in the cyber-insurance industry," Whitfield says.

Ransomware Scourge Drives Price Hikes in Cyber Insurance

Catchpoint’s Internet Performance Monitoring Platform helps IT teams identify and mitigate BGP incidents, including hijack attempts and routing issues, with the industry’s broadest network of vantage points in the world drawing on real-time BGP monitoring.

**January 11, 2023 --** Catchpoint, The Internet Resilience Company, releases major enhancements to its industry-leading Network Experience solution. These enhancements include network reachability, engineering & traffic routing improvements, as well as comprehensive monitoring for SASE, VPN, and the entire Internet stack. This makes it even easier for IT professionals to catch issues before they impact the business.

The latest release includes a wide range of enhancements to Catchpoint’s Network Experience solution including:

*   **The world’s largest observability network** with over two thousand vantage points around the world. This includes **the world’s most extensive global BGP coverage** with over a thousand vantage points around the globe from more than 400 ASNs and support for both IPv6 and IPv4 real-time global data:

*   143 Catchpoint peers
*   388 University of Oregon Route Views Project peers
*   744 RIPE NCC RIS peers

*   **An improved BGP Smartboard** to identify incidents and root cause faster and with fewer clicks for improved MTTR. The new Smartboard lets IT teams investigate BGP peer event data across selected timeframes, view announcements and withdrawals, then drill down to the details of each event. The result is faster and more effective troubleshooting.
*   **An enhanced BGP Dashboard & Score Metrics** to see the health of the networks you rely upon at a glance. Information presented includes visibility for reachability, hijacks, peer visibility, mass withdrawals, RPKI status, and BGP data by region.
*   **Route Hijack Detection** via the updated control center library, which stores a list of customer ASNs. The BGP Overview Dashboard flags any prefix announced from unexpected ASNs, so IT is immediately alerted to potential hijacks.
*   **Network Mesh/Node-to-Node General Availability testing** to continuously monitor the availability & performance of the network, including jitter, latency and packet loss. This ensures an always-on, high-quality network experience. 
*   **Traceroute enhancements**, including Path MTU and TCP MSS features for more effective network path visualization and troubleshooting.
*   **A DNSSEC Custom Monitor** that authenticates the resolution of IP addresses with a cryptographic signature and ensures that answers provided by the DNS server are valid and authentic. 

To learn more about these updated features, please join us on January 18, 2023 for our upcoming webinar “Catchpoint Launches New Capabilities to Power Internet Performance Monitoring.”

**View and Pinpoint All BGP Issues from One Dashboard  **

All these capabilities are available via the Catchpoint Platform. The market leader in Internet Performance Monitoring (IPM), Catchpoint provides deep visibility into every aspect of the Internet stack that impacts your business. Only Catchpoint offers the breadth and depth of IPM solutions to help make IT, Network Operations, and SREs jobs easier and ensure Internet Resilience with fewer resources. 

“With this release, Catchpoint helps our customers uncover BGP issues with more confidence and in less time. We now deliver more detailed real-time information from three distinct BGP peer sources that we are able to collect from over 1000 BGP peers worldwide. By comparison, our nearest competitor monitors less than 100 peers and provides data that is at least 15 minutes old. That 15-minute delay is a lifetime when you’re dealing with an issue like a BGP hijack, and you don’t know where your data is going!” said Catchpoint’s EVP of Product, Matt Izzo. 

Catchpoint’s customers agree. “We were never able to monitor reachability in this detail before using the Catchpoint solution. Now we can figure out whether an issue is related to a BGP announcement, routing, or something else instead of blindly trusting our partners that everything is working as it should,” said Andreas Lunz, Chief Technology Officer, Team Internet.

“The top websites in the world rely on Catchpoint as their main platform to monitor, detect, and mitigate BGP incidents, as well as any other incidents in their Internet stack,” said Dritan Suljoti, CTO and co-founder of Catchpoint. “Today, all businesses rely on the Internet to survive, and there is really no other platform that comes close to what we have developed over fourteen years of dedication to Internet Performance Monitoring.” 

**Learn More**

*   Read more about Catchpoint’s Network Experience Solution at catchpoint.com/network-experience.
*   Dive into our Comprehensive Guide to BGP.
*   Join us at our upcoming webinar, “Catchpoint Launches New Capabilities to Power Internet Performance Monitoring” on January 18, 2023. 
*   Watch a brief but helpful demo on BGP. 
*   Request an evaluation of the Catchpoint platform.

**About Catchpoint**

Catchpoint is the Internet Resilience Company™. The top online retailers, Global2000, CDNs, cloud service providers, and xSPs in the world rely on Catchpoint to increase their resilience by catching any issues in the Internet stack before they impact their business. The Catchpoint platform offers synthetics, RUM, performance optimization, high fidelity data and flexible visualizations with advanced analytics. It leverages thousands of global vantage points (including inside wireless networks, BGP, backbone, last mile, endpoint, enterprise, ISPs and more) to provide unparalleled observability into anything that impacts your customers, workforce, networks, website performance, applications, and APIs. Learn more at www.catchpoint.com.

Catchpoint Announces Solution to Monitor and Protect Companies From BGP Incidents

Powered by WatchGuard’s Unified Security Platform® architecture, new Fireboxes deliver enhanced performance and added security capabilities that MSPs and IT admins can easily manage in WatchGuard Cloud.

**SEATTLE – February 16, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the release of its new Firebox T25/T25-W,T45/T45-POE/T45-W-POE, and T85-POE tabletop firewall appliances. Powered by WatchGuard’s Unified Security Platform® architecture to deliver comprehensive security and simplified management through WatchGuard Cloud, these new firewalls are engineered to provide the performance that remote and distributed business environments need for better protection against the latest network security threats.

With more memory and faster processing speeds for enhanced throughput,this new line of Firebox products enables WatchGuard partners, MSPs, and IT administrators to securebranch offices, office equipment, remote devices, retail point-of-sale (POS) software, and remote users from complex and emerging threats, while minimizing network configuration and management requirements.

“IT environments of all types and sizes face advanced and sophisticated threats from attackers, but SMBs and branch offices typically don’t have dedicated technical staff to configure, install and manage network security appliances,” said Ryan Poutre, product manager at WatchGuard Technologies. “This new generation of Fireboxes takes full advantage of our Unified Security Platform architecture, enabling MSPs to provide the robust solutions and simplified management they require to meet the needs of a wide range of customers and deployment scenarios.”

With enterprise-class security services likeAPT Blocker (sandbox malware detection) and ThreatSync for shared knowledge between endpoint and network, the new Fireboxesare idealfor small businesses that lack a designated security team. Beyond providing advanced malware protection for distributed environments, the new appliances include SD-WAN to optimize network performance by dynamically distributing network traffic across multiple connections based on defined policies.These new Fireboxes take advantage of the latest updates in WatchGuard Cloud to display a graphical real-time update of SD-WAN link status and any failovers, and they also support the latest Fireware capabilities for load sharing across multiple links. These capabilities are included in all of WatchGuard's service packages.

“WatchGuard’s tabletop Firebox appliances give us all the features and security protection of their bigger rackmount brothers, and make us more efficient with zero-touch provisioning to deploy and configure devices, upgrade firmware and apply policies after a remote user activates a device. We can quickly deploy and configure SD-WAN via WatchGuard Cloud from remote locations,” said Troy Midwood, chief technology officer at Aabyss. “These appliances are another example of WatchGuard’s focus on building great products that enable our MSP business.”

Key features for each of the new Firebox products include:

*   **WatchGuard Firebox T25/T25-W:** Provides stand-alone or centrally managed protection forsmall offices, home offices, and retail environments with complete enterprise-level network security. Zero-touch deployment via WatchGuard Cloud enables quick setup at remote locations to ensure secure connections. Provides up to 403 Mbps UTM throughput (running Gateway AntiVirus, IPS, and Application Control) and five 1 Gigabit Ethernet ports.
*   **WatchGuard Firebox T45/T45-POE/T45-W-POE:** Deliversstand-alone or centrally managedenterprise-level securityforsmall and midsize businesses. Boosts visibility into network activity/security events. Provides flexible management tools that enable quick setup at remote locations for secure business connections. Provides up to 557 Mbps UTM throughput and includes five 1 Gigabit Ethernet ports. The -POE models include one POE+ port to provide power to other devices like Wi-Fi access points.
*   **WatchGuard Firebox T85-POE:** Delivers high-performance, enterprise-level security that evolves with network requirements. Features SD-WAN, full UTM protection at over 940 Mbps, and expansion modules for integrated fiber or 4G connectivity. Also provides users with two Power-over-Ethernet (PoE+) ports enabling power to peripheral devices.

Additional Resources:

*   WatchGuard Firebox T25/T25-W Datasheet
*   WatchGuard Firebox T45/T45-POE/T45-W-POE Datasheet
*   WatchGuard Firebox T85-POE Datasheet
*   WatchGuard Network Security Product Matrix

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform™ approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

WatchGuard Launches New Line of Firewall Products to Enhance Unified Security for Remote and Distributed Businesses

A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.

**Commit 736b0164** authored Dec 17, 2021 by  🍻

Browse files

*   Changes 1

...

...

@@ -357,6 +357,24 @@ static inline void \*nvme\_addr\_to\_pmr(NvmeCtrl \*n, hwaddr addr)

return memory\_region\_get\_ram\_ptr(&n\->pmr.dev\->mr) + (addr \- n\->pmr.cba);

}

static inline bool nvme\_addr\_is\_iomem(NvmeCtrl \*n, hwaddr addr)

{

hwaddr hi, lo;

/\*

\* The purpose of this check is to guard against invalid "local" access to

\* the iomem (i.e. controller registers). Thus, we check against the range

\* covered by the 'bar0' MemoryRegion since that is currently composed of

\* two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,

\* that if the device model is ever changed to allow the CMB to be located

\* in BAR0 as well, then this must be changed.

\*/

lo \= n\->bar0.addr;

hi \= lo + int128\_get64(n\->bar0.size);

return addr \>= lo && addr < hi;

}

static int nvme\_addr\_read(NvmeCtrl \*n, hwaddr addr, void \*buf, int size)

{

hwaddr hi \= addr + size \- 1;

...

...

@@ -614,6 +632,10 @@ static uint16\_t nvme\_map\_addr(NvmeCtrl \*n, NvmeSg \*sg, hwaddr addr, size\_t len)

trace\_pci\_nvme\_map\_addr(addr, len);

if (nvme\_addr\_is\_iomem(n, addr)) {

return NVME\_DATA\_TRAS\_ERROR;

}

if (nvme\_addr\_is\_cmb(n, addr)) {

cmb \= true;

} else if (nvme\_addr\_is\_pmr(n, addr)) {

...

...

*   mentioned in issue #782 (closed)
    
    mentioned in issue #782

CVE-2021-3929: hw/nvme: fix CVE-2021-3929 (736b0164) · Commits · QEMU / QEMU · GitLab

In ion, there is a possible use after free due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06371108; Issue ID: ALPS06371108.

CVE-2022-21743: May 2022

In atf (hwfde), there is a possible leak of sensitive information due to incorrect error handling. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06171729; Issue ID: ALPS06171729.

CVE-2022-20066: May 2022

Windows Security Support Provider Interface Information Disclosure Vulnerability.

CVE-2022-38043

For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.

April 26th, 2022

**Revision**

**Date**

**Changes**

1.0

April 26th, 2022

Initial release

1.1

May 16th, 2022

Updated hotfix information

The CVE-ID tracking this issue: CVE-2021-28510  
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)  
Common Weakness Enumeration: CWE-400 (Uncontrolled Resource Consumption)  
This vulnerability is being tracked by BUG638107

****Description****

For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.

The impact of this issue is that a remote attacker can make the PTP service unavailable. If this happens, the switch will fail to provide PTP time synchronization services to the devices downstream, leading to the degrading of the time maintained by the downstream devices.

This issue was discovered by a customer and Arista is not aware of any malicious uses of this issue in customer networks.

**Vulnerability Assessment****Affected Software**

EOS Versions

*   4.27.1 and below releases in the 4.27.x train
*   4.26.4 and below releases in the 4.26.x train
*   4.25.6 and below releases in the 4.25.x train
*   4.24.8 and below releases in the 4.24.x train
*   4.23.10 and below releases in the 4.23.x train
*   4.22.x train

**Affected Platforms**

The following products are affected by this vulnerability:

Any platform supporting PTP.

Arista EOS-based products:

*   7020R Series
*   7050X/X2/X3 series
*   7060X/X2/X4 series
*   7150 series
*   7170 series 
*   720XP series
*   7250X series
*   7260X/X3 series
*   7280E/R/R2 series
*   7300X/X3 series
*   7320X series
*   7368 / X4 series
*   7500E/R/R2 series
*   7500R3 Series
*   7800R3 Series
*   7280R3 Series

The following product versions and platforms are not affected by this vulnerability:

*   Arista EOS-based products:
    *   7010 series
    *   7160 series
    *   750X series
*   Arista Wireless Access Points
*   CloudVision WiFi, virtual appliance or physical appliance
*   CloudVision WiFi cloud service delivery
*   CloudVision Portal, virtual appliance or physical appliance
*   CloudVision as-a-Service
*   Arista 7130 Systems running MOS
*   Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
*   Awake Security Platform

**Required Configuration for Exploitation**

In order to be vulnerable to CVE-2021-28510 the following conditions must be be met:

PTP should be enabled on the switch. To determine if PTP is enabled on the switch,

switch# show ptp
PTP Mode: Boundary Clock
PTP Profile: Default ( IEEE1588 )
Clock Identity: 0x74:83:ef:ff:ff:00:23:b1
Grandmaster Clock Identity: 0x00:00:00:00:00:00:00:00
Number of slave ports: 1
Number of master ports: 4
Offset From Master (nanoseconds): 0
Mean Path Delay (nanoseconds): 0
Steps Removed: 0
Skew (estimated local-to-master clock frequency ratio): 1.0

**Indicators of Compromise**

This issue causes the PTP agent to crash. If you are seeing a high number of syslog messages stating that the PTP agent is being restarted, this issue is potentially being exploited.

Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-6-PROCESS\_TERMINATED: 'Ptp' (PID=17476, status=15) has terminated.
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-6-PROCESS\_RESTART: Restarting 'Ptp' immediately (it had PID=17476)
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-7-PREDECESSOR\_WAITING: New instance of Ptp (PID=17833): waiting for reaping of predecessor (PID=17476)
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-7-PREDECESSOR\_GONE: New instance of Ptp (PID=17833): predecessor (PID=17476) has been reaped.
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-6-PROCESS\_STARTED: 'Ptp' starting with PID=17833 (PPID=3067) -- execing '/usr/bin/Ptp'
Apr 12 02:32:08 ok312 Ptp: %AGENT-6-INITIALIZED: Agent 'Ptp' initialized; pid=17833

**Mitigation**

Install ACL rules to drop PTP packets from untrusted sources. Best practice is to block access to untrusted (non-management) networks.

ptp ip access-group ptpAcl in
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
ip access-list ptpAcl
   10 deny ip host 10.10.10.1 any

**Resolution**

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.

CVE-2021-28510 has been fixed in the following releases:

*   4.27.2 and later releases in the 4.27.x train
*   4.26.5 and later releases in the 4.26.x train
*   4.25.7 and later releases in the 4.25.x train
*   4.24.9 and later releases in the 4.24.x train
*   4.23.11 and later releases in the 4.23.x train

For immediate remediation until EOS can be upgraded, the following hotfix is available.

**Hotfix**

The following hotfix can be applied to remediate CVE-2021-28510. The hotfix applies only to 4.23.10 and no other releases. All other versions require upgrading to a release containing the fix (as listed above).

Note: Installing/uninstalling the SWIX will cause the PTP agent to restart.

**Version:** 1.0

**URL:****SecurityAdvisory76\_CVE-2021-28510\_Hotfix.swix**

**SWIX hash:**

(SHA-512)2b78b8274b7c73083775b0327e13819c655db07e22b80038bb3843002c679a798b53a4638c549a86183e01a835377bf262d27e60020a39516a5d215e2fadb437

For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘_copy installed-extensions boot-extensions_’.

**For More Information**

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

**Open a Service Request**

Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support

CVE-2021-28510: Security Advisory 0076 - Arista

A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.

'2175903?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us