Office 365 and Cisco Duo: Microsoft vulnerability and IPS/SNORT

PhilipDAth
Kind of a big deal
Kind of a big deal

Office 365 and Cisco Duo: Microsoft vulnerability and IPS/SNORT

We woke up this morning to clients unable to access Office 365 and Cisco Duo.  Cisco Meraki has posted about this in the community, but we can't reply with additional information because it is a service notice.  So you can do this here if you have other apps break.

https://community.meraki.com/t5/Meraki-Service-Notices/Microsoft-vulnerability-and-IPS-SNORT/ba-p/15... 

 

Cisco Duo was probably worse for us, as it prevented users from being able to log into their computers or access any corporate app.

 

If you are still experiencing this issue, turn IPS off, click save, and turn it back on again.  This will get you the new signature immediately.

 

 

Anyone else with apps that broke feel free to reply.

11 Replies 11
Mike6116
Getting noticed

Do we need to turn off both AMP and Intrusion detection and prevention ?

 

Mike6116_0-1660163893852.png

 

PhilipDAth
Kind of a big deal
Kind of a big deal

Turning Intrusion detection off and on again is enough.

Network-Dude
Here to help

Thanks. The more information the better we will be off.

Mike6116
Getting noticed

ok, so turned  off and on after a few minutes, i did both  AMP and IDP   and all my broke apps started to work again,    in my case all the affected apps  are  in house devs,  so this issue may expand further than just MS apps.

Brash
Kind of a big deal
Kind of a big deal

Looking at the thread where this was initially reported, most users found disabling and re-enabling only briefly fixed the issue.

Most users changed IDS from protection to detection too work around the issue.

 

https://community.meraki.com/t5/Security-SD-WAN/IPS-Snort-Microsoft-Windows-IIS-denial-of-service-at...

lalogcab
New here

We saw multiple apps affected. Duo, Datto RMM, Infor, Microsoft, Anyconnect because it uses Azure AD to authenticate, etc... Hated the lack of information in Microsoft's incident and Meraki's posture, the impact of that rule should have been assessed correctly.

PhilipDAth
Kind of a big deal
Kind of a big deal

Turning IPS off and back on again does not appear to have fixed all of our customers.

 

I think I'll just turn IPS off for a couple of hours till the new signature updates roll out.

erhanevgin
Getting noticed

hello guys 

 

we got the below explanation from Meraki support engineer. actually, there is no enough information. but you can just take a look. 

 

https://community.meraki.com/t5/Meraki-Service-Notices/Microsoft-vulnerability-and-IPS-SNORT/ba-p/15...

https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2022-35748


erhanevgin
Getting noticed

Also  you can see following popup on Meraki dashboard. 

 

10-Aug-2022: We have received reports of customers experiencing select Microsoft 365 service outages because of Snort rule 1-60381 blocking CVE-2022-35748. The Snort rules have been removed to reduce the impact. A fix has been pushed out at and any pending issues should auto-resolve by 3:00PM PST

Dee120
Conversationalist

We just tried a couple of apps about 10 minutes ago and No Joy!

Even though its way past 3 PM PST and they mentioned that no config changes are required, We are still unable to access those apps and our Security center is still shows numerous blocks to the same signature!

erhanevgin
Getting noticed

Hello @Dee120  unfortunately new announcement  is below 

 

'10-Aug-2022: We have received reports of customers experiencing select Microsoft 365 service outages because of Snort rule 1-60381 blocking CVE-2022-35748. The Snort rules have been removed to reduce the impact. A fix has been pushed out and any pending issues should auto-resolve by 6:00PM PST.'

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels