How do you know it's a false-positive?

-Our own clients access to our own services were affected - only desktop applications, browser access was fine.
-No Endpoint security related issues are reported from our endpoint security stack.
-No issues are reported from the Microsoft security services used.
-Clients that pass through other IPS / Threat detection services than the Meraki / Snort combo report no similar issues.

I think there is some correlation to latest Exchange-server updates, where Microsoft recommended to activate Extended Protection. This changes a lot in the SSL configuation of the IIS. And maybe someone on snort tried to create a IDS rule to block this kind of attack and finally configured some bad preferences to identify a real attack instead of normal traffic to an IIS with SSL

We're also having issues with Windows Update and our Dell Command Update application as well.

Same issue with Windows Update. Outlook and OneDrive not working as well.

I had our MX84 set to detection temporarily from prevention, are you saying I could put back to prevention then turn on whitelist for Rule ID1-60381 ?  thanks

Hi JessIT1, I'm just waiting to hear if the IDS allow has worked for actual users...

Could you explain how to do that?

Thanks

Regards

If you have an MX100 then go to "Security & SD WAN" then "threat protection". Under "Intrusion detection and prevention", add a rule and search for "1:60381". Save changes.

You should read the Microsoft CVE and snort rule before doing this, so you can determine whether your environment is actually vulnerable to this exploit.

https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2022-35748

https://snort.org/rule_docs/1-60381

Hi Rhodri,

Please I don´t were to put this rule. Dis you put by youself or you had to call meraki? Could you tell me where is this option? 

Thanks in advance.

Regards

Hi. Here you go...

https://community.meraki.com/t5/Security-SD-WAN/IPS-Snort-Microsoft-Windows-IIS-denial-of-service-at...

Is there a patch for Windows 10? The Microsoft CVE only refers to Windows Server operating systems.

I haven't found one as of yet. I've been looking. I checked my machine and only had this cumulative update available. KB5016616

To be totally honest, we just ran Windows Update and ensured all of the August 9th patches were applied.  While we thought this fixed the issue with the SNORT signature, it did not.  The client systems may appear to work for some time after the SNORT signature is enabled (Whitelist set to OFF), but the client systems will break after a reboot or after some time.

Keep Whitelist ON for now for SNORT Signature 1:60381

I applied this Whitelist ON change in all of our Meraki routers and it seems to have fixed our ability to remotely access their computers and Outlook and OneDrive.

The KB patch will not fix this, as the patch only prevents the exploit from working.

Blocking of legitimate traffic is simply a false positive. Until they update the rule it will always block legitimate TLS 1.2 handshakes that happen too frequently in accordance to how the rule is implemented.

Patch + whitelist is the only method that will work and keep us protected until meraki fixes the rule.

This is because the exploit mitigation rule targets too frequent TLS 1.2 hellos. Anything using TLS 1.2 could be blocked and some non-microsoft services were at my org according to the logs.

August 9, 2022—KB5016623 (OS Build 17763.3287) (microsoft.com)

Upon applying the rule it took a few minutes for it to take effect for my org. Within 5 minutes the whitelist was recognized and there were no more issues.

You get this working?

The patch only applies to servers. It won't prevent Meraki traffic being blocked from "endpoints that are leveraging TLS 1.2", as Microsoft put it.

I think we need to wait for Microsoft to close out the incident - MO411804. They're "engaging with their firewall partners" so presumably the snork rule will be corrected at some point.

Latest update on the MO411804 incident:

August 10, 2022 1:56 PM · Quick update
The firewall partner is currently reviewing options to remediate impact.

This quick update is designed to give the latest information on this issue.

I don't agree with the resolution of this issue from Meraki. 

Can you confirm that a 100% patched environment does not suffer from the false positive detections? A few people in this thread seem to have stated the false positive detections are still happening despite patching.

As I understand it the only way to be protected from this not yet seen in the wild exploit and still have TLS 1.2 working is to whitelist this rule and patch systems.

edit: I believe this is now resolved as the affected SNORT rule has been adjusted. At least one post here says this has resolved the issue after re-enabling the rule.

Agreed, I don't think this should be marked as solved just yet.

Edit: Sorry, I see it was only marked as solved for visibility, not actually considered solved.

You are correct. Patching does not prevent false positives and the blocking of traffic.

@Brandon123s  I totally agree.  The Microsoft vulnerability and IPS/SNORT post makes it sound like the issue is resolved or to call Meraki support.  It should be make clear at this time, that this is an active issue with no resolution.  The workaround is to whitelist the signature.

The advisory from Microsoft posted by @TMTECH is much closer to reality.

This isn't a solution. Patching endpoints does not prevent the offending traffic and it doesn't prevent it from being blocked.

You cannot currently fix the problem without either disabling IDS or by creating a rule.

Definitely not solved, fix/remove the snort rule please.

I left my sites on Prevention and just turned the Whitelist setting to ON for this and all of our problems disappeared (OneDrive app, Outlook app, Splashtop, Syncro remote access).

We've now got multiple MXs with IDS set to prevention and the whitelisting of Rule ID1-60381. All looks to be working OK now.

After adding whitelist for Rule ID 1-60381 it's showing null not sure if that means it's working.. however I turned IDS back to prevention just as a precaution, did not want to leave on detection, so far desktop Outlook staying connected, VPN connections not dropped.

Same here. It displays null, but everything is working.

Yeah, it says "null" after you apply it but it does work.

the CVE itself says there is no known exploits for this in the wild. The CVE is from yesterday and it's all about TLS 1.2 hellos.

Anything using TLS 1.2 could be affected here. Tons of companies use amazon AWS, so the above whois probably some vendor hosted service that people authenticate against.

I also have clients in my network connecting to similar aws compute resources and reporting the same thing. The traffic being blocked though is initiated by clients within my LAN, not from the outside. In your security center events log, are you seeing incoming traffic being blocked from that address?

Here's the first user that called me this morning -- these are addresses that were blocked with this SNORT rule. 

This is what I'm seeing today.

This is what I'm seeing.  What concerns me is that the majority are "unknown" affected OS's...

Meraki isn't great at determining the OS of each client unless you are 100% Meraki gear. 

Yes. That address is where the majority of the DoD events are coming from which is triggering the issue on our end. I've never seen this much traffic from AWS before and was wondering if anyone has seen something similar. I have emailed their abuse center for what it's worth.

Same. Rule is set to "whitelist" but shows as null. Others say it is working, but still showing blocked events for us.