If you’ve recently received an AISI notification from SkyMesh about a potential service vulnerability, don’t panic.
The email you received would have contained information about the type of vulnerability detected on your system and a link to this guide.
We can confirm that the email is legitimate. You should take steps to secure your network. This guide will help you to do just that.
DDoS vulnerability notifications do not imply that devices on your network have been compromised, but they do mean that your service could be co-opted for use in a Distributed Denial of Service attack (DDoS). They come in three different types, and the fix for all three is the same – your router may need to be reconfigured. The types, and what they mean, are listed here:
Open DNS resolver: We received a notification that a device connected to your public IP was answering DNS queries from the open internet.
Portmap: The notification that we received stated that a device connected to your public IP was hosting Portmap on an internet-facing connection. Portmap is a useful service on port 111/UDP, but if it is not firewalled or blocked, it's possible that your network could be co-opted for use in a DDoS reflection/amplification attack.
SNMP: The notification that we received stated that a device connected to your public IP was hosting the Simple Network Management Protocol (SNMP) on an internet-facing connection. SNMP is a useful service on port 80, but it should not be reachable from the Internet.
What to do: To address these vulnerabilities, you may need to investigate the configuration of your router, possibly with the support of the router’s manufacturer. If you purchased your router from SkyMesh, email email@example.com or call 1300 759 637 for further technical support.
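To confirm any of the three findings yourself, here is an added Python example (not SkyMesh's or the AISI's tooling) that sends one small, well-formed request to each of the three UDP services on an address you give it and reports which ones answer. It assumes the standard ports: 53/UDP for DNS and 111/UDP for Portmap as stated above, plus 161/UDP, which is SNMP's registered port; the query name and the SNMP community string are constructed sample values. Point it at your own public IP from a network outside the one being checked (a phone hotspot works), since testing from inside the LAN says nothing about what the Internet can reach.

```python
"""Reflector self-check for the open DNS, Portmap and SNMP findings.
Added example, not SkyMesh/AISI code. A reply from the outside means the
port is reachable from the Internet and needs to be firewalled or disabled."""
import socket
import struct
import sys

# 53/UDP and 111/UDP are named on the page; 161/UDP is SNMP's standard port (IANA).
PROBE_PORTS = {"dns": 53, "portmap": 111, "snmp": 161}


def dns_query(name="example.com", txid=0x1234):
    """Recursive (RD=1) A-record query, the kind an open resolver answers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def portmap_dump(xid=0x2222):
    """ONC RPC CALL to program 100000 (portmapper) v2, procedure 4 (DUMP)."""
    call = struct.pack("!IIIIII", xid, 0, 2, 100000, 2, 4)  # xid, CALL, rpcvers, prog, vers, proc
    return call + struct.pack("!IIII", 0, 0, 0, 0)          # AUTH_NULL credential + verifier


def snmp_get_sysdescr(community=b"public", request_id=0x33):
    """SNMPv1 GetRequest for sysDescr.0, hand-encoded BER (all lengths < 128)."""
    oid = b"\x06\x08\x2b\x06\x01\x02\x01\x01\x01\x00"                # OID 1.3.6.1.2.1.1.1.0
    varbind = b"\x30" + bytes([len(oid) + 2]) + oid + b"\x05\x00"   # {oid, NULL}
    varbinds = b"\x30" + bytes([len(varbind)]) + varbind
    pdu_body = (b"\x02\x01" + bytes([request_id])   # request-id
                + b"\x02\x01\x00"                   # error-status
                + b"\x02\x01\x00"                   # error-index
                + varbinds)
    pdu = b"\xa0" + bytes([len(pdu_body)]) + pdu_body           # GetRequest-PDU
    comm = b"\x04" + bytes([len(community)]) + community
    body = b"\x02\x01\x00" + comm + pdu                         # version 0 = SNMPv1
    return b"\x30" + bytes([len(body)]) + body


def ber_len(buf, i):
    """Return (content_length, bytes_used_by_length_field) for the BER length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), 1 + n


def looks_like_reply(service, sent, received):
    """True if *received* is a plausible answer from *service* to the probe *sent*."""
    if service == "dns":
        # same transaction id and the QR (response) bit set
        return len(received) >= 4 and received[:2] == sent[:2] and bool(received[2] & 0x80)
    if service == "portmap":
        # same xid and msg_type == REPLY (1)
        return (len(received) >= 8 and received[:4] == sent[:4]
                and struct.unpack("!I", received[4:8])[0] == 1)
    if service == "snmp":
        try:
            if received[0] != 0x30:                      # outer SEQUENCE
                return False
            _, n = ber_len(received, 1)
            i = 1 + n
            if received[i:i + 3] != b"\x02\x01\x00":     # version = SNMPv1
                return False
            i += 3
            if received[i] != 0x04:                      # community OCTET STRING
                return False
            clen, n = ber_len(received, i + 1)
            i += 1 + n + clen
            return received[i] == 0xA2                   # GetResponse-PDU follows
        except IndexError:
            return False
    return False


def probe(host, timeout=2.0):
    """Send each probe to *host*; return {service: True (answered) | False (junk) | None (silent)}."""
    probes = {"dns": dns_query(), "portmap": portmap_dump(), "snmp": snmp_get_sysdescr()}
    results = {}
    for service, payload in probes.items():
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(payload, (host, PROBE_PORTS[service]))
                data, _ = s.recvfrom(4096)
            except OSError:          # timeout, ICMP port-unreachable, etc.
                results[service] = None
                continue
        results[service] = looks_like_reply(service, payload, data)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: reflector_check.py YOUR_PUBLIC_IP")
    verdicts = {True: "ANSWERED: reachable from outside, firewall it",
                False: "answered with unexpected data",
                None: "no reply (good)"}
    for service, answered in probe(sys.argv[1]).items():
        print(f"{service:8s} {PROBE_PORTS[service]:>4}/udp  {verdicts[answered]}")
```

A "no reply" for all three is the result you want; a single answered line tells you which router or device setting to chase. Because UDP has no handshake, a silent port and a filtered port look the same, so re-run a couple of times before concluding a fix worked.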
POODLE (Padding Oracle On Downgraded Legacy Encryption) takes advantage of a vulnerability in SSL 3.0 that makes it possible for an attacker to obtain credentials sent over a secured connection. It is generally recommended that all secured connections use TLS 1.2 and that the use of SSL 3.0 is discontinued.
What to do: The best way forward is to check each of your services that might use SSL/TLS. Applications that use these forms of encryption will usually require an explicit instruction from you to disable SSLv3.
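To find out whether one of your own HTTPS services still accepts SSL 3.0, here is an added Python example (not SkyMesh's or the AISI's code). Current Python builds cannot speak SSLv3 at all, so the script hand-assembles an SSLv3 ClientHello, sends it to the host and port you name, and classifies the first record the server sends back; the cipher-suite list and the verdict strings are the example's own choices.

```python
"""SSL 3.0 acceptance check for your own TLS services (POODLE exposure).
Added example, not SkyMesh/AISI code."""
import os
import socket
import sys

# A few SSLv3-era cipher suites; any one being accepted is enough to show the problem.
SSLV3_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(client_random=None):
    """Return a complete SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(s.to_bytes(2, "big") for s in SSLV3_SUITES)
    body = (b"\x03\x00"                           # client_version = SSL 3.0
            + client_random                       # 32-byte random
            + b"\x00"                             # empty session_id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x00" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake


def classify_response(data):
    """Map the server's first record to a verdict string."""
    if not data:
        return "closed"                   # connection dropped: SSLv3 not offered
    if len(data) < 5:
        return "unknown"
    rec_type, body = data[0], data[5:]
    if rec_type == 0x15:
        return "rejected-alert"           # e.g. handshake_failure or protocol_version
    if rec_type == 0x16 and len(body) >= 6 and body[0] == 0x02:   # ServerHello
        if body[4:6] == b"\x03\x00":
            return "sslv3-accepted"       # server agreed to SSL 3.0
        return "unexpected-version"       # a compliant server never picks a higher version here
    return "unknown"


def check_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sslv3_check.py HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    verdict = check_sslv3(host, port)
    print(f"{host}:{port} -> {verdict}")
    if verdict == "sslv3-accepted":
        print("SSL 3.0 is still enabled: disable it and allow TLS 1.2 or later only.")
```

Only "sslv3-accepted" is a finding; "closed", "rejected-alert" and "unknown" all mean the server would not complete an SSL 3.0 handshake. On the server side the explicit instruction the text mentions is usually a one-line protocol list, for example `ssl_protocols TLSv1.2 TLSv1.3;` in nginx or `SSLProtocol -all +TLSv1.2 +TLSv1.3` in Apache; re-run the check after the service restarts. Run this only against services you operate.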
The emails will keep coming from the AISI until the problem is resolved. The emails usually arrive a day or two after the vulnerability is detected by CERT Australia.
We don’t look at the messages; we just pass them on. But we’ve found them to be very accurate based on past performance. If the AISI says that your Internet connection is vulnerable, we believe them.
Once you have secured your network, you may still get a few emails that were sent before you fixed the problem. It’s a good idea to check the detection date, which appears halfway through the AISI email. The date and time are in UTC (GMT+0), so you need to add your local time zone’s offset to get the local time.
If you have any questions or concerns or need clarification, please email firstname.lastname@example.org or call us on 1300 759 637.
Descriptions for each of these vulnerabilities would not have been possible without information provided by CERT Australia and the Joint Cyber Security Centre.
You can read about the AISI’s daily vulnerability observations here.