Update PSIRT_Advisories.rst
Add Psirt CVE 2023 52087 20240329
aliceliudoc authored Apr 3, 2024
1 parent a34dbcd commit 2a2be93
Showing 1 changed file with 80 additions and 4 deletions.
84 changes: 80 additions & 4 deletions HowTos/PSIRT_Advisories.rst
Expand Up @@ -2,13 +2,89 @@
PSIRT Advisories
=======================================

Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at Aviatrix Support Portal at https://support.aviatrix.com. Any such findings are fed back to Aviatrix's development teams and serious issues are described along with protective solutions in the advisories below.
Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at `Aviatrix Support Portal <https://support.aviatrix.com>`_. Any such findings are fed back to Aviatrix's development teams and serious issues are described along with protective solutions in the advisories below.

Please note the below Aviatrix Security recommendations and communication plans:
- Aviatrix strongly recommend customers to stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions.

- Aviatrix strongly recommend customers to stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions.

- Customers are strongly recommended to perform image migration 2x a year. The migration process provides the latest system level security patch
- All known software vulerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems
- Avitrix publish Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published

- All known software vulnerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems

- Aviatrix publish Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published

25. Aviatrix Egress FQDN Firewall Security Misconfiguration
-------------------------------------------------------------

**Date** 04/02/2024

**CVE #** CVE-2023-52087

**Risk Rating** 5.5 (Medium) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**Description**

Aviatrix discovered a security issue related to the Aviatrix Egress FQDN Firewall. In prior releases, the firewall would ALLOW traffic on TLS ports for non-TLS traffic or for TLS traffic which did not have SNI headers.

The current release will change the default behavior to DENY for non-TLS traffic or TLS traffic without SNI data on the TLS port (tcp/443).

This is a breaking change from prior releases, so to be sure to see the Solutions section of this advisory if this functionality must be preserved.

**Impact**

Packets that should be blocked by the Egress FQDN Firewall will be allowed through unexpectedly.

**Affected Products**

All versions before:

- 7.1.3006
- 7.0.2239
- 6.9.822
- 6.8.1826

**Solution**

If you require allowing non-TLS traffic egress over HTTPS port, perform the following:

- Aviatrix Controller > Security > Egress Control > 3. Egress FQDN Filer > Global Config (CLICK)
- ENABLE "non-TLS traffic over HTTPS port" under Global Settings. For release 7.0.2239 and 7.1.3006 this can be done from the Controller UI. For release 6.9.822 or 6.8.1826 this cannot be done from the UI.
- If you choose to revert back to the Old default behavior in release 6.9.822 or 6.8.1826, please contact Aviatrix Support who can help you toggle to ALLOW for this feature.

Since the non-TLS traffic using HTTPS port (tcp/443) is not logged in the syslog messages, there is no way to detect (in prior releases) this kind of traffic on the Aviatrix Controller/CoPilot UI.

24. Aviatrix Egress FQDN Firewall High-Availability Security Misconfiguration
-------------------------------------------------------------

**Date** 04/02/2024

**CVE #** CVE-2023-52087

**Risk Rating** 5.5 (Medium) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**Description**

If an Aviatrix Egress FQDN HA gateway is launched after an Egress FQDN tag is attached to the main gateway, then the HA gateway is launched in non-enforcing mode. The non-enforcing setting is clearly visible on the Controller UI. In this configuration, when the primary drops, the secondary will not enforce as expected.

**Impact**

The secondary Egress FQDN Firewall may come up in non-enforcing mode. This will potentially allow traffic through the Egress FQDN Firewall unexpectedly.

**Affected Products**

All versions before:

- 7.1.3006
- 7.0.2239
- 6.9.822
- 6.8.1826

**Solution**

- If you are running affected Aviatrix software releases and have existing HA Egress Firewall Gateways, temporarily remove the Egress FQDN Filter tag from the primary gateway and then re-add it.
- If you are running affected Aviatrix software releases and creating new HA Egress Firewall Gateways, create the HA gateway before assigning an Egress FQDN Filter tag.
- The latest Aviatrix software revisions have resolved this issue and no action is needed.


23. Aviatrix Controller and Gateways - Unauthorized Access
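Review bot: entries 24 and 25 in this hunk carry an identical `**CVE #** CVE-2023-52087` and an identical `**Risk Rating** 5.5 (Medium) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` while describing two different defects (an HA gateway that launches in non-enforcing mode versus non-TLS or SNI-less traffic being allowed on tcp/443), so before merging confirm whether MITRE assigned one CVE covering both behaviours or whether entry 24 needs its own CVE and its own score; a copied header block is the more likely explanation, and customers will quote these identifiers in their own tracking. Smaller points in the same hunk: `3. Egress FQDN Filer` should read `Filter`; the dashed underline beneath `24. Aviatrix Egress FQDN Firewall High-Availability Security Misconfiguration` is shorter than the title text, which docutils flags as "Title underline too short", so extend it to at least the title length (the underline under entry 25 has the same problem); "so to be sure to see the Solutions section" should read "so be sure to see"; and the Solution for entry 25 gives the Controller UI path as an unconditional first step but then states that on 6.9.822 and 6.8.1826 the toggle cannot be changed from the UI, so state the version restriction before the UI path rather than after it.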