TLS1.2 Poodle CBC padding brute force attempt

Roon Server Machine

Roon Nucleus

Networking Gear & Setup Details

Cisco CBC220 managed switch
Sophos XG Firewall
All devices on 1GB ethernet

Connected Audio Devices

Connected to SimAudio Moon 280D via ethernet

Number of Tracks in Library

About 4000 tracks

Description of Issue

Several months ago, I began receiving critical warnings from my firewall that the Roon Nucleus was attacking an outside server using the TLS1.2 Poodle CBC padding brute force attack. I had thought that it was a one-time occurrence but it has been ongoing. It has occurred twice in the last couple of days where the Roon Nucleus will attack XXX.XXX.XXX.XXX (Cloudflare server). Last night it attacked this IP over 700 times. My firewall blocked it as per the screenshot below. I am concerned that either the Roon Nucleus has been compromised or there is a programming error causing it to launch brute force attacks.

Given that Roon’s cloud servers are on Cloudflare, this might just be a false positive.

There have been many reports over the years of Roon attacking servers or being attacked. Most turned out to be false positives.

I think this is an example of a false positive.

For one, Roon cloud infrastructure runs on Cloudflare services, and second, the attack vector is old and affected SSL 3.0, TLS 1.0 and TLS 1.1 over a decade ago. No one uses these insecure versions nowadays.

1 Like

Hi @JustInTone,

Thank you for your post. While alarming, this is almost certainly a false positive. We’ve inspected various levels of remote diagnostic logging for the Nucleus in question and only see evidence of normal network traffic.

Certain intrusion detection systems or firewall rules will misinterpret Roon’s high-volume TLS handshakes as a brute force attack. As long as your Nucleus is behind your router firewall, then without access to your Roon account credentials, there’s no practical pathway for anyone to access or compromise the Nucleus itself.

This topic was automatically closed after 17 hours. New replies are no longer allowed.