CVE-2019-11510 / Sodinokibi Ransomware Protection

SOLVED
TestingGuy
Here to help

How should I confirm that our MX with the Advanced Security license is prepared to block malicious traffic from this ransomware?

Thanks,

/Christian

1 ACCEPTED SOLUTION


@rhbirkelund wrote:
I'll go out on a limb here and say: if there's a SNORT rule for that CVE, then it's handled by AMP.

A little bit of nitpicking here: if we're talking Snort it's handled by IDS/IPS, not AMP. 😉


6 REPLIES 6
DarrenOC
Kind of a big deal

Is your MX running the latest stable firmware, and do you have the Advanced Security license with AMP enabled?

I would maybe reach out to Meraki support for full confirmation?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
DarrenOC
Kind of a big deal

This exploit targets Pulse Secure VPNs. Are your VPN servers patched to the latest firmware also? This was how Travelex was brought to its knees.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Well, indeed, it's patched using the latest stable firmware, as usual. However, AMP and IPS (Snort) features need regular updates to keep the device secure. It's not just a firmware update issue. I cannot confirm that Meraki's AMP handles CVE-2019-11510. Thanks!!

Yes, it has the latest stable firmware (14,42) and advanced malware protection (AMP) is enabled. OK, I will ask support. Thanks!!

rhbirkelund
Kind of a big deal

I'll go out on a limb here and say: if there's a SNORT rule for that CVE, then it's handled by AMP.
LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

