
CVE-2019-5786

Does Web Protection or Advanced Protection on Sophos UTM9, with Up2Date fully up to date, provide any protection against the latest Chrome vulnerability, CVE-2019-5786? I ask because we have a web application that, due to changes in Chrome beyond v60, precludes us from updating to v72 as recommended by Google. Any insight greatly appreciated; thanks in advance.



  • From what I read, the vulnerability is a memory corruption occurring in Chrome. No perimeter device can control what happens inside the browser, so I do not see UTM as a cure for your problem.

    What might help:

    • Reduce your attack surface:
      • Segment your network into those devices that require Chrome 60 and those that do not. Upgrade as many as possible.
      • For devices that cannot be upgraded, teach your users to use IE or Firefox for everything that does not require Chrome.
      • Use country blocking. There are probably a lot of places on the web that are not critical to your organization's success.
      • Ensure that web filtering is really deployed universally. Use Standard mode to evaluate web traffic on non-standard ports, and use Transparent mode to evaluate all of the traffic that does not use Standard mode.

    • Traffic filtering:
      • Block UDP 443 at your firewall so that Chrome cannot bypass your web filter.
      • Consider implementing HTTPS inspection (decrypt-and-scan). It creates problems, but it may also complicate efforts to implement an attack like the one in this vulnerability.
      • Lock down all use of Internet-bound UDP to only those purposes that are absolutely needed. UDP allows an application to roll its own protocol, possibly for the purpose of confusing a traffic filter, so UDP is likely to be used if any malware gets inside your network. DNS (UDP 53) is needed, but it is really only needed from your internal DNS servers and UTM. Skype 7 uses a lot of different UDP ports, but Skype 8 is better behaved, so remove or upgrade old versions to reduce unwanted UDP activity. Figuring out what UDP traffic is needed will require an ongoing research effort, so it is probably the slowest goal to implement.

    And obviously, expedite your application remediation.
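The "figure out what UDP traffic is needed" step in the reply above is the slow part, and it starts with an inventory of what is currently leaving the network. The script below is an added example, not code from the post or from Sophos: it reads accepted packet-filter log lines, keeps only UDP flows to public addresses, counts them per source host and destination port, and classifies each against the policy the reply describes (UDP 443 is Chrome's QUIC bypassing the web filter; UDP 53 is only expected from the internal resolvers; anything else needs a justification). The key="value" line layout is modelled on UTM's packet-filter logging but the sample lines, hosts, addresses and the resolver address 10.0.1.10 are constructed for this example; point it at your own log export and resolver list.

```python
"""Audit accepted outbound UDP flows from firewall logs (example, not UTM code)."""
import ipaddress
import re
from collections import defaultdict

# Packet-filter log lines carry key="value" pairs; this regex pulls them out.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines, loosely modelled on UTM packetfilter output.
# Every address, port and host here is invented for the example.
SAMPLE_LOG = """\
2019:03:08-09:12:01 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" initf="eth0" outitf="eth1" srcip="10.0.5.21" dstip="172.217.16.78" proto="17" srcport="52012" dstport="443"
2019:03:08-09:12:03 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" initf="eth0" outitf="eth1" srcip="10.0.5.21" dstip="172.217.16.78" proto="17" srcport="52013" dstport="443"
2019:03:08-09:12:05 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" initf="eth0" outitf="eth1" srcip="10.0.5.40" dstip="8.8.8.8" proto="17" srcport="61001" dstport="53"
2019:03:08-09:12:06 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" initf="eth0" outitf="eth1" srcip="10.0.1.10" dstip="8.8.8.8" proto="17" srcport="33011" dstport="53"
2019:03:08-09:12:09 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" initf="eth0" outitf="eth1" srcip="10.0.5.77" dstip="54.230.1.5" proto="17" srcport="40123" dstport="3478"
2019:03:08-09:12:10 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" initf="eth0" outitf="eth1" srcip="10.0.5.21" dstip="172.217.16.78" proto="6" srcport="52014" dstport="443"
"""


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def classify(srcip, dstport, dns_servers):
    """Map one outbound UDP flow onto the policy from the reply."""
    if dstport == 443:
        return "quic_bypass"            # Chrome QUIC: skips the HTTP/S web filter
    if dstport == 53:
        # DNS is only expected from the internal resolvers (and the UTM itself).
        return "allowed_dns" if srcip in dns_servers else "dns_from_non_resolver"
    return "review"                     # unknown UDP use; needs a business justification


def audit_outbound_udp(log_text, dns_servers):
    """Count accepted UDP flows to public addresses per (srcip, dstport), with a verdict."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") != "packetfilter" or f.get("action") != "accept":
            continue
        if f.get("proto") != "17":      # IP protocol 17 is UDP; TCP (6) is proxied anyway
            continue
        dstip = f.get("dstip")
        if not dstip or not ipaddress.ip_address(dstip).is_global:
            continue                    # internal or reserved destinations are out of scope
        counts[(f["srcip"], int(f["dstport"]))] += 1
    return {
        key: {"count": n, "verdict": classify(key[0], key[1], dns_servers)}
        for key, n in counts.items()
    }


def proposed_denies(findings):
    """Flows the policy says should not be leaving: everything except resolver DNS."""
    return sorted(k for k, v in findings.items() if v["verdict"] != "allowed_dns")


if __name__ == "__main__":
    result = audit_outbound_udp(SAMPLE_LOG, dns_servers={"10.0.1.10"})
    for (src, port), info in sorted(result.items()):
        print(f"{src:<12} udp/{port:<5} {info['count']:>3} flows  {info['verdict']}")
    print("deny candidates:", proposed_denies(result))
```

Run it on a day's export of accepted packet-filter lines and the "review" bucket is your research list: each (host, port) pair there either gets a documented exception or a deny rule, and the "quic_bypass" and "dns_from_non_resolver" buckets are the hosts that will be affected when you add the UDP 443 block and restrict UDP 53 to the resolvers.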

  • In a perfect world, the IPS module might have a test for it, but I have no way of knowing if the IPS data has been updated for it or if an IPS signature is possible.
