The following software updates are available for InfoExpress products. This technote will be updated as new updates become available. Note: Please contact support to obtain download links for this software.
Change: New CGXA, CGX & CGM builds available
Type: Update Binaries
CGX Access-3.0 Access-3.0.210429 NEW
- Bug: Mantis #00993: CGX-ACCESS: Fingerprint for MAC Address Spoofing Detection
- Bug: Mantis #2266: Add manual Exclude List/Role assignment:
- Bug: Mantis #2311: WMI: add username query
- Bug: Mantis #2314: CVM to get Integration data and share with appliances
- Bug: Mantis #2318: Integration: CrowdStrike
- Bug: Mantis #2320: DPM: Expose the NMAP device type detection as a default Device Profile rule
- Bug: Mantis #2323: Some vLinks VLANs not listed on interface
- Bug: Mantis #2324: Accessgroup chart will not show excluded devices after reset factory
- Bug: Mantis #2313: Don't include Adapter names when copy configurations between appliances
- Bug: Mantis #2314: CVM to get Integration data and share with appliances
- Bug: Mantis #2318: Integration: CrowdStrike
- Bug: Mantis #2320: DPM: Expose the NMAP device type detection as a default Device Profile rule
CGX Access-2.4 Access-2.4.210326 NEW
- Bug: Mantis #2232: cgate2: hang because of send() error
- Bug: Mantis #2246: DM: Exporting data to CSV the OS category is spreading across multiple columns
- Bug: Mantis #2262: GRM: prevent cguser execute PHP file in grm-theme folder
- Bug: Mantis #2263: Enhance the "Reset CGX to the factory settings" tool for correcting broken ssexports.json/ssexportsgd.json
- Bug: Mantis #2267: The Manage Engine Desktop Central integration module seems to be missing
- Bug: Mantis #2212: vLinks: time issue
- Bug: Mantis #2206: Support WMI over multiple domains
- Bug: Mantis #3044: Alert on vLink removal/lack of heartbeat
- Bug: Mantis #2194: GRM: Guest Request Notification email fine tuning
- Bug: Mantis #2195: GRM: Enhance new option allow hide Credentials in Approval email
CGX-2.3 CGX 2.3.210415 NEW
CGX-2.3.210415:
- Bug: Mantis #0920: CGX Access webpage uses a logo that belongs to Xampp
- Bug: Mantis #2315: ARM: dhcp parser includes huge object inside vendorOptions
- Bug: Mantis #2316: Lower the MongoDB's RAM setting in case CGX has a small amount of RAM
- Bug: Mantis #2317: DPM may crash when DHCP server has the option 43 (Vendor Specific Info)
- Bug: Mantis #3026: Add hardware information to DUMP and DUMP2
- Bug: Mantis #2232: cgate2: hang because of send() error
- Bug: Mantis #2246: DM: Exporting data to CSV the OS category is spreading across multiple columns
- Bug: Mantis #3042: Allow multiple RADIUS servers for CGX-ADMIN authentication
- Bug: Mantis #3045: CGX should verify VPN MAC format
CGM (Marc/CGPM/Auth-Server) 10.2.21132 / 9.2.21132 NEW
- FEA: Allow sorting Compliance Report
- VUL: Upgrade PHP to 7.3.28
Type: Virtual Machines
CGX Access-3.0 CGX-Access-3.0.201224 NEW
CGX Access-2.4 CGX-Access-2.4.210108 NEW
CGS-9.1 9.1.13338 Full 9.1.13338 Mini
Type: Security Patches
[CGS] CGSP-SLA-200724
- BUG: 02026: CGS: PHP error logs:
  + PHP Notice: Undefined variable: ErrorString in /var/cgate/bin/modules/mod-enforce-dnac/dnacweb.php on line 142
- FEA: 02066: Allow disabling TLS 1.0 and 1.1 of the Web and FTP services
- FEA: Mantis #1358: Allow to change web ciphers
[CGX] CGX-GRM-160929 - FEA: Allow multi domain authentication
Last post by Zeeshan - February 17, 2016, 04:14:05 AM
Recently, a security flaw was uncovered in glibc in Linux. A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.
We are pleased to announce the availability of a cumulative patch for 9.1 CGS. It includes all fixes and updates released independently earlier, plus newer updates and fixes.
The patch contains the following fixes / updates.
BUG-00187 Fixed "Hardware CGS appliance can be queried using 'public' community string, doesn't matter whether it is configured or not on the appliance. Hardware CGS appliance cannot be queried with any configured community string"
BUG-00452 Fixed "CGBackup breaks NIC assignments on CGS"
BUG-00471 Changed cgpold to process correctly policies that have space characters in the file name.
BUG-00485 Changed cgpold to process correctly empty files. Updated cgpold to process logs written by vsFTPd for new policy upload.
BUG-00509 Allowed admin account to ftp in
BUG-00521 Fixed console SSL errors from webby
BUG-00682 Fixed typo in SNMP code for CPU usage
BUG-02809 Fixed "CGS Inline cannot pass through traffic for compliant endpoint"
BUG-02840 Fixed "Ported over 11698 OID for correct snmp walk behavior"
BUG-02847 Fixed the slow outbound Syslog issue
BUG-X0001 Fixed "Webby gets high CPU & prints 'can't accept:Too many open files' messages"
BUG-X0002 Fixed "CGS stops accepting connections"
FEA-00670 Added patch history support
VUL-00686 Fixed "Downgrade to export ciphers (CVE-2015-0204)"
VUL-12217 Fixed "DNS server cache snooping remote information disclosure"
VUL-35372 Fixed "DNS server dynamic update record injection"
VUL-70658 Fixed "SSH Server CBC Mode Ciphers Enabled (CVE-2008-5161)"
VUL-71049 Fixed "SSH Weak MAC Algorithms Enabled"
VUL-71783 Fixed "NTP monlist Command Enabled (CVE-2013-5211)"
VUL-77200 Fixed "OpenSSL 'ChangeCipherSpec' MiTM Vulnerability"
VUL-77857 Fixed "Bourne Again Shell (Bash) Remote Code Execution Vulnerability (CVE-2014-7169)"
VUL-78479 Fixed "SSL 3.0 fallback - POODLE (CVE-2014-3566)"
Customers are advised to update their CGS with this patch from the following link.
Recently, a security flaw was uncovered in some web servers and clients that could allow attackers to lower the security of an encrypted session and facilitate eavesdropping. Details on the vulnerability can be obtained here:
Overview: By exploiting this vulnerability a local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.
Impact on InfoExpress Products: This vulnerability can be found in products from most big-name vendors, such as Symantec. Unfortunately, InfoExpress's MARC server, also called FRAMD (Framework of Report and Manage Devices), also has this vulnerability. The MARC Server installs the 'cgpurge.exe' service with an unquoted service path that contains at least one whitespace character.
Solution: InfoExpress is going to implement the fix in future builds. Fortunately, this vulnerability can be easily fixed with a workaround. Please follow the instructions below:
1- Open registry editor on the FRAMD/MARC machine
2- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CGPURGESVC
3- Edit the ImagePath key and add quotes as below: "C:\Program Files (x86)\InfoExpress\CyberServer\cgpurge.exe"
4- Once that is done, verify the changes by launching services.msc and checking properties of CyberGatekeeper Purge Service. Path to executable should be in quotes now.
NOTE: The vulnerability can be found in CyberGatekeeper Agent & CyberGatekeeper Authentication Service as well. The workaround is similar to the above and can be fixed by editing the corresponding ImagePath keys.
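The manual check above can be scripted. The following PowerShell is an added example, not InfoExpress code: it lists every service whose ImagePath is an unquoted executable path containing whitespace (which also surfaces the Agent and Authentication Service keys, whose names the technote does not give) and previews the quoting fix for CGPURGESVC. The function names are hypothetical, and the ".exe" match is a heuristic.

```powershell
# Added example (not InfoExpress code): audit and repair unquoted service paths.
# Run from an elevated PowerShell prompt on the FRAMD/MARC machine.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$NoExpand     = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Test-UnquotedServicePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $false }
    $path = $ImagePath.Trim()
    if ($path.StartsWith('"')) { return $false }      # already quoted
    # Heuristic: the executable is everything up to the first ".exe".
    $m = [regex]::Match($path, '(?i)^(.*?\.exe)')
    if (-not $m.Success) { return $false }            # e.g. kernel drivers (.sys)
    return ($m.Groups[1].Value -match '\s')           # whitespace inside the exe path
}

function Get-UnquotedServicePath {
    # Each child of the Services key is a RegistryKey; read ImagePath unexpanded.
    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $value = $_.GetValue('ImagePath', $null, $NoExpand)
        if (Test-UnquotedServicePath $value) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $value }
        }
    }
}

function Repair-ServicePathQuoting {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)
    $keyPath = Join-Path $ServicesRoot $ServiceName
    $key     = Get-Item -Path $keyPath -ErrorAction Stop
    $raw     = $key.GetValue('ImagePath', $null, $NoExpand)
    if (-not (Test-UnquotedServicePath $raw)) { return }   # nothing to fix
    $kind  = $key.GetValueKind('ImagePath')           # keep REG_SZ / REG_EXPAND_SZ as found
    # Quote only the executable; any trailing arguments stay outside the quotes.
    $fixed = [regex]::Replace($raw.Trim(), '(?i)^(.*?\.exe)', '"$1"')
    if ($PSCmdlet.ShouldProcess($keyPath, "Set ImagePath to $fixed")) {
        Set-ItemProperty -Path $keyPath -Name ImagePath -Value $fixed -Type $kind
    }
}

# Report every affected service, then preview the fix for the key named above.
Get-UnquotedServicePath | Format-Table -AutoSize
Repair-ServicePathQuoting -ServiceName 'CGPURGESVC' -WhatIf
```

Drop `-WhatIf` to write the change, then confirm the quoted path in services.msc as described in step 4.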
Overview: OpenSSL is an open source implementation of the SSL and TLS protocols. It is widely used in web servers including Apache Webserver.
With this vulnerability, OpenSSL clients and servers could be forced, via a handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.
Although this vulnerability is similar to the Heartbleed vulnerability, it is difficult to exploit since the attacker has to be able to intercept the traffic between the client and server before exploiting it.
Impact on InfoExpress Products: The only InfoExpress products impacted by this vulnerability are CGS (CyberGatekeeper Server) and the CGX appliance (all versions affected). Customers have not reported any impact on InfoExpress products in regard to this vulnerability.
InfoExpress's other products such as FRAMD, Authentication Server, Policy Manager and Agents are not impacted.
The severity rating for this impact is Medium.
Solution: InfoExpress is going to release a patch soon containing OpenSSL version openssl-0.9.8e-27.el5_10.3 for the CyberGatekeeper appliance. This page will be updated with the download link once the update is available.
UPDATE June 13, 2014 The patches are available. Please contact InfoExpress Support (firstname.lastname@example.org) to get them.
Last week, a major security flaw was uncovered in the OpenSSL encryption and secure communications library. OpenSSL is a widely used component of many websites and servers, including the popular Apache and NginX web servers.
The vulnerability comes from a simple software bug that allows attackers to fetch private information from the server memory, possibly including private keys, account information and passwords. This attack, known as Heartbleed, can be used to obtain private information without leaving a trace on the target server.
InfoExpress and Heartbleed
We are pleased to announce that no InfoExpress products are affected by Heartbleed. That includes all current and previous versions of all InfoExpress products.
Customers with questions can contact InfoExpress Support through their normal support channels.
As a Senior Systems Engineer you will be expected to work autonomously on a number of projects related to our client's corporate infrastructure. As the senior technical resource on a small team, you will be responsible for the overall architecture, design, implementation and 3rd level support of the latest InfoExpress technologies, in an environment that requires a high level of specialized technical skill.
Providing Pre-sales support of company products/systems globally
Participating in 3rd level post-sales responsibility for solutions knowledge transfer, deployment, implementation and design support
Conducting online presentations/webcasts to potential customers
Taking ownership of the consultative aspects of the POC process, installing and demonstrating InfoExpress BYOD and NAC solutions to meet the customers' success criteria
Assisting in writing technical tender / bid response where required
Participating in trade shows, seminars, and other industry events
Participating in some Professional Services activities
Working closely with account executives throughout the sales process
5+ years of experience in pre-sales and post-sales support of networking solutions, and 10+ years in IT
Fundamentally solid understanding of layer 1, 2 and 3 networking
Proficiency in LAN switch and wireless solutions
Experience with Windows and mobile devices
Solid knowledge of protocols including 802.1x, 802.11, TCP/IP, ARP, DHCP, NAT, and firewall protocols
Strong interest in security and willingness to learn
Ability to travel to customer sites as needed (typically < 25%)
Strong communication skills
Ability to work both in a team and leading a team
Fast responses to the international sales teams
Fluent in English (spoken & written)
Knowledge of Alcatel Lucent and Cisco switches and wireless controllers
Experience deploying BYOD and NAC
Knowledge of MacOS X, iOS and Android
Very Competitive, and is based on experience.
Ottawa, Ontario or Annapolis Valley, Nova Scotia
InfoExpress has provided network access control solutions since 2000. At the core of InfoExpress' solution is the award winning Dynamic NAC Software Suite, which ensures endpoints are safe and compliant with security policies by performing real-time audits and quarantining of all network-attached endpoints. InfoExpress products have received numerous awards for their innovation. The privately held company is headquartered in Mountain View, California.
For more information or to apply, please contact Mike Bobbitt.
InfoExpress is pleased to announce the release of CyberGatekeeper V6.1. Specific release notes for each component are outlined below. InfoExpress recommends that customers consider upgrading to V6.1 when practical to enjoy the added features and improved performance of this release.
CyberGatekeeper Server Release Notes
Added support for Not Desire tests
Handles large numbers of simultaneous reaudits faster
Improved internal processes
Improved hard drive performance
Added option for server license
Improved Dynamic NAC enforcement
Added support for subnets behind NAT routers
Checks to ensure enforcers have filter drivers
Improved diagnostics to monitor traffic and processes
Added logging download options
Fixed a security issue that could allow an agent that passes audit to bypass subsequent periodic keepalive checks
Fixed a bug where the server fails to send a SNMP trap on policy upload
Fixed bugs that caused incorrect Total Audited Systems and endpoints
Fixed a bug where agents could not connect to the server due to fragmented audit data
Fixed a bug that caused incorrect policy date to appear in the overview
Fixed bugs with resync access log frequency and format
Fixed bug with audit log formats
Fixed online help text for white list comments section
Fixed a bug that would cause removal of white list comments when switching to manual mode
CyberGatekeeper Policy Manager Release Notes
Enhanced the web agent to work on Firefox 3
Added an OS check to the default web agent launch page. The page now displays an error message for users on non-Windows operating systems
Added agent self-monitoring, to limit DNAC enforcers to the most reliable end systems
Added a feature to prevent systems from being quarantined by DNAC during an agent upgrade
Added a feature to allow users to right click on a policy rule to change the rule type
Simplified navigation - now users may double click on a test to open or edit it
Added a separate interface for configuring remediation messages and actions
Added support for the new NotDesire rule type. Note that NotDesire rules require Policy Server 6.1 or newer. Older policy servers will completely ignore these tests
Improved the agent so that it would receive a complete list of DNAC friends within seconds of passing the audit (rather than minutes)
Fixed a bug where the agent could inadvertently try to connect to a network share when performing a file test that used a non-existent registry value as the base directory
Fixed a bug where CGA for Linux crashes when working with some policies
Fixed a bug where CGPM crashes after changing rule type
Fixed a bug where the WSC plug-in could cause the RPC service to leak memory
Fixed several bugs that limited web agent use on Windows Vista
Fixed a bug where the force audit option did not work on Windows Vista
Fixed a bug where the agent appears to install correctly when run by a limited user. The installer now displays a proper failure message
Fixed several bugs where a DNAC enforcer could interfere with unenforced systems
Fixed a bug where the BigFix plug-in could trigger unnecessary audit updates or failures
Fixed a bug where the enforce white list option could cause all systems with the IM driver to hang
Fixed two bugs where enforcers would not respond correctly to queries for non-existent systems
Fixed a bug where endpoints could be quarantined when a new policy was uploaded
Fixed a problem where the agent install could abort on an unactivated Windows Vista system
Fixed a bug where the agent could stop auditing after an aborted shut down attempt
Fixed a bug where a DNAC enforcer could behave unpredictably if the subnet mask (and only the subnet mask) was changed
Vista: Agent does not support hibernate/suspend when running on VMWare
Vista: Only the 802.1x helper plugin is supported - other plugins will not install
Vista systems cannot become DNAC enforcers
Systems with multiple IP addresses cannot be enforcers
On upgrading an older version of CGPM, the new DNAC and IM components will be enabled for existing agents. If these are not desired, they must be manually disabled.
Reporting and Management Server Release Notes
Optimized and improved log insertion and report performance. Database schema is enhanced to improve performance.
Added DNAC support for devices/subnet behind the NAT
Added whitelist comments in DNAC configuration screens
Enhanced Report Filter to allow users to retrieve reports given Search Attribute, Value, Data
Enhanced Statistics by Day and Application Monitor reports with log synchronization
Enhanced Centralized Dynamic NAC to include basic settings controlling the DNAC health check. This is only available in internal reserved mode (expert level)
Added a mechanism to control what data is reported as the user name for each end system. This feature would set a special registry value as the primary source for the reported user name for an end system
Removed the 'Export' button from the End System report
Removed Monitored End Systems report
Fixed a bug where Event Details report omits long data strings
Fixed a bug where the default web page link was blocked by IE on Windows 2003. Changed the URL link to use 'localhost' instead of '127.0.0.1'
Fixed a bug where event details report omits long data strings
SQL 2005 server requirement: if Microsoft SQL 2005 server is used, it requires Version 9.00.3042.00 or above in order to show Statistics by Day report properly
Obtaining the Update
Customers with current Support and Maintenance contracts can contact InfoExpress support by sending an e-mail to email@example.com or calling 613 727 2090 and asking for CyberGatekeeper Support.