Badlock Security Alert

What is Badlock?
Badlock is a man-in-the-middle weakness in the SAMR and LSA DCE/RPC services that Samba exposes; an attacker positioned between a client and the server can downgrade the connection and impersonate the user. See Red Hat's overview at https://access.redhat.com/security/vulnerabilities/badlock (the same article is referenced in the test output below).

How can I test my system to see if I’m vulnerable?
Run the check script. Note that it is fetched over plain HTTP and piped straight into a shell; if that is a concern, download it to a file and read it before running it:

curl -s http://kb.eclipseinc.com/files/badlock-test.sh | sh

It will generate a report similar to the following if your system is vulnerable:

WARNING: The installed version of samba server (4.2.3-12.el7_2) is vulnerable to BADLOCK and should be upgraded! It is also enabled and/or running. Please update the package and restart the service.
See https://access.redhat.com/articles/2243351 and https://access.redhat.com/security/vulnerabilities/badlock for more information.

How do I patch my system?
Install the Red Hat updates. If you do not want to install every available update, install only the Samba packages and then restart the Samba service (quote the wildcard so the shell does not expand it against files in the current directory):

yum update 'samba*'
service smb restart

On RHEL 7, systemctl restart smb is equivalent. If nmb or winbind are in use, restart them as well, or reboot, so that no process keeps running the old Samba libraries.

DROWN SSL Security Alert March 2016

Summary

Epicor has been tracking a vulnerability in the SSL 2.0 protocol, CVE-2016-0800, also known as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption). An attacker who can record TLS sessions to a server, and who can also reach any server that still accepts SSLv2 with the same RSA private key (for example a mail server that shares the web server's certificate), can use the SSLv2 server as an oracle to decrypt the recorded TLS sessions. The general attack is expensive on its own, but it becomes far cheaper against servers that are also missing older OpenSSL security updates from the previous year. Red Hat has a vulnerability article in the Customer Portal which explains the technical attack and the dependencies in more detail: https://access.redhat.com/security/vulnerabilities/drown

Recommended Customer Actions

Red Hat recommends that customers immediately apply the available updates to remediate the issue. Rebooting the system after updating is the safest way to ensure that every affected service is using the updated OpenSSL library: a service started before the update keeps the old library mapped in memory until it is restarted.
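The restart point above is worth checking rather than assuming. The script below is an added example and is not part of the original alert or of Red Hat's guidance: it reads the /proc/<pid>/maps format, in which the kernel appends "(deleted)" to a mapping whose file has since been replaced on disk, and lists processes that are still executing the pre-update libssl or libcrypto. The sample maps lines are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): find processes that still have a
# deleted (pre-update) copy of libssl/libcrypto mapped, by reading the
# /proc/<pid>/maps format. After "yum update openssl" the old shared object is
# unlinked but stays mapped until each process restarts, which is why the
# alert recommends a reboot.

# Read /proc/<pid>/maps-formatted lines on stdin and print each distinct
# OpenSSL library path whose mapping is marked "(deleted)".
# Fields: address perms offset dev inode pathname [(deleted)]
stale_ssl_maps() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# Walk every process and report PID, command line and the stale library paths.
# Reading other users' maps files requires root.
scan_stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        [ -r "$maps" ] || continue
        libs=$(stale_ssl_maps < "$maps")
        [ -n "$libs" ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
        printf '%s\t%s\t%s\n' "$pid" "$cmd" "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
}

# Constructed sample in /proc/<pid>/maps format (not from a real host):
# two deleted OpenSSL libraries, one current libssl mapping, one deleted
# non-OpenSSL library and one anonymous mapping.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1a5000 r-xp 00000000 fd:00 263110 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1c3a4000-7f3a1c3c0000 r--p 001a4000 fd:00 263110 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1c3c0000-7f3a1c42c000 r-xp 00000000 fd:00 263125 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c62b000-7f3a1c62f000 r--p 0006b000 fd:00 263125 /usr/lib64/libssl.so.1.0.1e
7f3a1c800000-7f3a1c9b7000 r-xp 00000000 fd:00 262209 /usr/lib64/libc-2.17.so (deleted)
7f3a1cbc3000-7f3a1cbc4000 rw-p 00000000 00:00 0'

# "sh stale-ssl.sh --scan" (as root) inspects the live system; with no
# argument the filter is demonstrated on the constructed sample.
if [ "${1:-}" = "--scan" ]; then
    scan_stale_ssl_processes
else
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps
fi
```

On the sample this prints only the two deleted OpenSSL paths; the current libssl mapping and the deleted libc are ignored. On a real RHEL host the yum-utils package provides needs-restarting, which performs the same kind of check across all updated packages, but reading the maps files directly shows exactly which library is the problem.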

Microsoft IIS versions 7.0 and above have SSLv2 disabled by default. If you are running an older version of IIS, disable the insecure protocols following these instructions from Microsoft.

FAQ

Q. How can I check whether or not my Linux server is vulnerable?
A. Log into your Linux server as root and run the command below. It downloads a script over plain HTTP through a link shortener and pipes it into a shell, so download and read it first if that is a concern:

curl -Ls http://bit.ly/checkDROWN | sh

For example, the following output, from an Eclipse Linux server, shows that the software needs to be updated:

[root@eclipsetest ~]# curl -Ls http://bit.ly/checkDROWN | sh

WARNING: The installed version of openssl (openssl-1.0.1e-16.el6_5.14) is vulnerable to both general and special DROWN attack and should be upgraded!
See https://access.redhat.com/security/vulnerabilities/drown for more information.

The installed version of openssl-libs (package openssl-libs is not installed) is not vulnerable to DROWN.

The openssl-libs line is expected on RHEL 6, where that package does not exist; openssl-libs is the RHEL 7 package name, so on a RHEL 7 server it is the line that matters.
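Both check scripts on this page (Badlock and DROWN) boil down to comparing the installed version-release of a package against the version-release that the Red Hat erratum fixed. The script below is an added example, not the page's own script, that does the same comparison offline from the output of rpm -q, so it can be run on a host without outbound HTTP. The fixed version-release strings in the demonstration are illustrative values only, not taken from any advisory; look the real one up in the RHSA for your release before relying on the verdict.

```shell
#!/bin/sh
# Added example (not the page's script): compare the installed
# VERSION-RELEASE of an rpm package with the fixed VERSION-RELEASE from the
# Red Hat erratum, using GNU "sort -V" for version ordering.
# The fixed versions used in the demo below are placeholders, not advisory data.

# True (exit 0) if version-release $1 sorts strictly before $2.
# Caveat: sort -V is close to, but not identical with, rpm's own comparison;
# in particular it does not know the "~" pre-release convention.
evr_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print the installed VERSION-RELEASE of a package, or nothing if it is absent.
installed_evr() {
    rpm -q --queryformat '%{VERSION}-%{RELEASE}' "$1" 2>/dev/null
}

# Report whether package $1 at installed version $2 is older than fixed $3.
# Kept separate from installed_evr so it can be exercised without rpm.
verdict() {
    pkg=$1 inst=$2 fixed=$3
    if [ -z "$inst" ]; then
        echo "$pkg: not installed"
    elif evr_lt "$inst" "$fixed"; then
        echo "$pkg: $inst is older than $fixed, update required"
    else
        echo "$pkg: $inst is at or above $fixed"
    fi
}

# Usage: sh evr-check.sh PACKAGE FIXED_VERSION-RELEASE
#   e.g. sh evr-check.sh openssl <version-release from the RHSA>
# With no arguments, run a demonstration on constructed values: the vulnerable
# openssl build shown in the sample output above, versus a placeholder fix.
if [ $# -eq 2 ]; then
    verdict "$1" "$(installed_evr "$1")" "$2"
else
    verdict openssl      1.0.1e-16.el6_5.14 1.0.1e-42.el6_7.2
    verdict openssl-libs ''                 1.0.1e-42.el6_7.2
fi
```

The same function works for the Samba case: pass samba and the fixed version-release from the Badlock erratum. Because the check only reads the rpm database, it says nothing about whether the running daemons have actually picked up the new library; that is what the restart check and the reboot advice above are for.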

Q. How can I check whether my external web server (e.g. WOE, mobile) is vulnerable?
A. Use this tool.

Configure Postfix Relay with Google Apps


Recommended Configuration (Google Apps paid accounts)

If you are using a paid version of Google Apps and want to avoid Google rewriting the sender address, first configure your Google Apps account for IP-based relay, following these instructions from Google, so that relay from your server's public IP address is allowed for any sender address.

After Google Apps has been configured to allow relay from your server’s public IP address, you may configure postfix with:

relayhost = [smtp-relay.gmail.com]

Alternative Configuration (Google Apps free accounts, Gmail)

The correct SMTP server configuration for the free version of Google Apps and Gmail is:

relayhost = [smtp.gmail.com]:587

Please note that Google will automatically rewrite the sender (From) address to match whichever account is used for SMTP authentication (i.e. if you authenticate as eclipse@domain.com, all emails appear to be sent from that address, regardless of the From address specified in Eclipse). This limitation is enforced on Google's side, so there is no way around it on the Linux server; the alternatives are the paid version of Google Apps (see above) or a mail relay service such as SendGrid.
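The relayhost line alone is not enough for the authenticated (port 587) case: Postfix also has to be told to use SASL, where to find the credentials, and to require TLS, and the credential file must not be world-readable. The script below is an added example, not part of the original article or of Postfix's documentation. It writes the settings for either relay mode as a main.cf fragment plus the sasl_passwd map into a staging directory for review before they are copied into /etc/postfix. The parameter names are Postfix's own; the staging layout, the example account name and the CA bundle path (/etc/pki/tls/certs/ca-bundle.crt, the RHEL default) are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): stage the Postfix settings for either
# Google relay mode. Copy the results into /etc/postfix afterwards, then run
# "postmap hash:/etc/postfix/sasl_passwd" and reload Postfix.

# write_relay_config DIR MODE [USER PASSWORD]
#   MODE=ip   : paid Google Apps, IP-based relay through smtp-relay.gmail.com
#   MODE=auth : free Google Apps / Gmail, authenticated relay on port 587
write_relay_config() {
    dir=$1 mode=$2 user=$3 pass=$4
    mkdir -p "$dir"
    case $mode in
    ip)
        cat > "$dir/main.cf.relay" <<'EOF'
relayhost = [smtp-relay.gmail.com]
# Google authorises this host by source IP, but still encrypt the hop.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
EOF
        ;;
    auth)
        [ -n "$user" ] && [ -n "$pass" ] || {
            echo "auth mode needs USER and PASSWORD" >&2
            return 2
        }
        cat > "$dir/main.cf.relay" <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# noanonymous: require a real login. PLAIN/LOGIN are acceptable only because
# smtp_tls_security_level = encrypt refuses to send without TLS.
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
EOF
        # The lookup key must match relayhost exactly, brackets and port included.
        # Create the file with mode 600 from the start: it holds a password.
        (umask 077; printf '[smtp.gmail.com]:587 %s:%s\n' "$user" "$pass" > "$dir/sasl_passwd")
        chmod 600 "$dir/sasl_passwd"
        ;;
    *)
        echo "unknown mode: $mode (expected ip or auth)" >&2
        return 2
        ;;
    esac
}

# Demonstration: stage both modes under a temporary directory.
# The account and password are placeholders (assumed, not real credentials).
stage=${1:-$(mktemp -d)}
write_relay_config "$stage/ip" ip
write_relay_config "$stage/auth" auth eclipse@example.com 'replace-with-app-password'
echo "Staged relay configuration under $stage; review before copying to /etc/postfix"
```

For the authenticated mode, a Google account with 2-step verification enabled needs an app-specific password rather than the account password. After copying the files into place, run postmap on sasl_passwd (which produces sasl_passwd.db, to be kept at mode 600 as well) and reload Postfix with service postfix reload or systemctl reload postfix; mail then leaves over an encrypted connection to Google, and the sender rewriting described above still applies.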

RHEL7 installation guide for eclipse

Operating System Installation

  • Boot from RHEL 7 media
  • Select “Install Red Hat Enterprise Linux 7.0” and press enter
  • At the Welcome screen, select Continue
  • At the Installation Summary screen
    • Select Date & Time (optional, defaults to Eastern)
    • Select Software Selection
      • Select Server with GUI or Minimal Install (add other groups and services later)
      • Select Done
    • Select Installation Destination
      • Select 1st Local Standard Disk (a checkmark will appear)
      • Select “I will configure partitioning” (Other Storage Options -> Partitioning)
      • Select Done
      • Select “Click here to create them automatically”
      • Select the root filesystem
        • Change the capacity to 30GB
        • Select Modify volume group
        • Change the name to “rootvg”
        • Select Save
      • Select the swap partition
        • Change the capacity to 4GB
      • Select the “+” button to add a new mount point
        • Mount point: /esupport
        • Capacity: 10GB
        • Select Done
      • Select Accept Changes
    • Select Network and Hostname
      • Switch the interface on
      • (Optional: set the static IP address)
      • Set the hostname (e.g. eclipse-customername)
      • Select Done
    • Select Begin Installation
  • Select Root Password
    • Set a strong password and confirm it
    • Select Done (the installer asks for a second Done only when it judges the password weak)
  • When the installation has completed, select Reboot
  • At the Initial Setup screen, select License Information
    • Select “I accept the license agreement”
    • Select Done
  • Select Finish Configuration
    • At the Kdump screen, select Forward
    • At the Subscription screen, select “No, I prefer to register at a later time” (the system receives no updates, including the Samba and OpenSSL fixes described above, until it is registered with subscription-manager, so register it before putting it into service)
    • Select Finish
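The steps above can be expressed as an Anaconda kickstart file, which reproduces the same layout unattended and identically on every server. The script below is an added example, not part of the original guide: it generates a kickstart from a hostname and a pre-hashed root password. Sizes and names (rootvg, 30 GB /, 4 GB swap, 10 GB /esupport, minimal install, the eclipse-customername hostname pattern) follow the steps above; a single disk named sda, DHCP networking, and a 500 MiB xfs /boot partition (the installer's automatic layout adds one; the size is an assumption) are not from the page.

```shell
#!/bin/sh
# Added example (not from the page): generate a RHEL 7 kickstart that matches
# the manual installation steps. Assumptions: one disk (default sda), DHCP,
# a 500 MiB /boot, and a SHA-512 crypt hash for root supplied by the caller.

# gen_kickstart HOSTNAME ROOTPW_HASH [DISK]   -> kickstart text on stdout
# The template is a quoted heredoc so the "$6$..." hash is never expanded by
# the shell; placeholders are substituted with sed instead.
gen_kickstart() {
    host=$1 hash=$2 disk=${3:-sda}
    sed -e "s|@HOST@|$host|g" -e "s|@HASH@|$hash|g" -e "s|@DISK@|$disk|g" <<'EOF'
# Kickstart equivalent of the manual RHEL 7 installation steps (generated)
text
lang en_US.UTF-8
keyboard us
timezone America/New_York --isUtc
auth --enableshadow --passalgo=sha512
rootpw --iscrypted @HASH@
network --bootproto=dhcp --device=link --activate --hostname=@HOST@
eula --agreed
firstboot --disable
reboot

# Storage: "I will configure partitioning", automatic layout, then the edits
# from the guide (rootvg, 30 GB root, 4 GB swap, new 10 GB /esupport)
ignoredisk --only-use=@DISK@
zerombr
clearpart --all --initlabel --drives=@DISK@
bootloader --location=mbr --boot-drive=@DISK@
part /boot --fstype=xfs --size=500 --ondisk=@DISK@
part pv.01 --size=1 --grow --ondisk=@DISK@
volgroup rootvg pv.01
logvol /         --vgname=rootvg --name=root     --fstype=xfs  --size=30720
logvol swap      --vgname=rootvg --name=swap     --fstype=swap --size=4096
logvol /esupport --vgname=rootvg --name=esupport --fstype=xfs  --size=10240

# Software Selection: Minimal Install (add other groups later)
%packages
@^minimal
@core
%end
EOF
}

# Demonstration: hostname and hash are placeholders (assumed, not real).
# Generate a real hash on a current workstation with "openssl passwd -6".
gen_kickstart "${1:-eclipse-customername}" "${2:-\$6\$replaceme\$placeholderhash}" "${3:-sda}"
```

Save the output as ks.cfg, publish it over HTTP or put it on a USB stick, and boot the RHEL 7 media with inst.ks=<location> on the kernel command line. Registration is still left for later, exactly as in the manual steps, so the same subscription-manager caveat applies before the server takes traffic.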