Channel: Questions in topic: "splunk-enterprise"

Is anyone interested in closing the security holes that Splunk leaves open with mongod?

Splunk 6.4.2 (and back to 6.2.1) has the following issues:

1. "[sslConfig]" stanza with parameter setting "enableSplunkdSSL = true" is ignored by mongod and sets Mongod parameter "sslMode" to "preferSSL" instead of "requireSSL".
2. "[sslConfig]" stanza, with parameter setting "cipherSuite" is ignored for the Mongod parameter "sslCipherConfig".
3. Mongod parameter "sslDisabledProtocols" should be set to the INVERSE of the value in $SPLUNK_HOME/etc/system/local/server.conf, "[sslConfig]" stanza, setting "sslVersions" when set. This is currently ignored.
4. The Splunk OpenSSL Libraries should be built with the macro OPENSSL_NO_COMP to eliminate the CRIME vulnerability in OpenSSL. This is needed as mongod has no provision to explicitly disable compression.

Without the above, Nessus flags the Mongod port with:

NESSUS FINDING #1:

Plugin: 20007
Plugin Name: SSL Version 2 and 3 Protocol Detection
Severity: Medium
IP Address: xxx.xxx.xxx.xxx
Port: 8191
DNS Name: Hostname

Plugin Text:
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0, which reportedly suffer from several cryptographic flaws. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. NIST has determined SSL v3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.
Solution: Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.0 or higher instead.
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Plugin Output: - SSLv3 is enabled, and the server supports at least one cipher.
Plugin Publication Date: 2005/10/12
Plugin Modification Date: 2015/03/02
Plugin Type: remote
Source File: ssl_deprecated.nasl

NESSUS FINDING #2:

Plugin: 62565
Plugin Name: Transport Layer Security (TLS) Protocol CRIME Vulnerability
Severity: Medium
IP Address: xxx.xxx.xxx.xxx
Port: 8191
DNS Name: Hostname

Plugin Text:
Synopsis: The remote service has a configuration that may make it vulnerable to the CRIME attack.
Description: The remote service has one of two configurations that are known to be required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.
Note that Nessus did not attempt to launch the CRIME attack against the remote service.
Solution: Disable compression and / or the SPDY service.
Risk Factor: Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS Temporal Score: 3.7
CVSS Temporal Vector: CVSS2#E:ND/RL:OF/RC:C
Plugin Output: The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
- SSL / TLS compression is enabled.
CVE: CVE-2012-4929, CVE-2012-4930
BID: 55704, 55707
Crossref: OSVDB #85926, OSVDB #85927
Vulnerability Publication Date: 2012/09/15
Plugin Publication Date: 2012/10/16
Plugin Modification Date: 2014/09/26
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: remote
Source File: ssl_crime.nasl
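
To make items 1 to 3 of the post concrete, the sketch below reads an "[sslConfig]" stanza and derives the mongod values the post says should follow from it. It is an added example, not code from the post or from Splunk. Assumptions: the sslVersions tokens ("*", "tls", a "-" prefix) behave as described in the server.conf spec, the function names are hypothetical, and the disabled-protocol list is kept in Splunk's version names, not translated to mongod's option tokens.

```python
import configparser

# Version names selectable through sslVersions, oldest first (ssl2 is always off).
ALL_VERSIONS = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]

def enabled_versions(ssl_versions):
    """Expand an sslVersions value ("*", "tls", "-ssl3", ...) to a set."""
    enabled = set()
    for token in (t.strip().lower() for t in ssl_versions.split(",")):
        if not token:
            continue
        remove = token.startswith("-")
        name = token.lstrip("-")
        if name == "*":
            group = set(ALL_VERSIONS)
        elif name == "tls":
            group = {v for v in ALL_VERSIONS if v.startswith("tls")}
        elif name in ALL_VERSIONS:
            group = {name}
        elif name == "ssl2":
            group = set()  # accepted in the list but has no effect
        else:
            raise ValueError(f"unknown sslVersions token: {token!r}")
        enabled = enabled - group if remove else enabled | group
    return enabled

def expected_mongod_settings(server_conf_text):
    """Derive what the post says mongod should inherit from [sslConfig]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's camelCase keys
    cp.read_string(server_conf_text)
    sec = cp["sslConfig"]
    expected = {}
    if sec.getboolean("enableSplunkdSSL", fallback=False):
        expected["sslMode"] = "requireSSL"
    if "cipherSuite" in sec:
        expected["sslCipherConfig"] = sec["cipherSuite"]
    if "sslVersions" in sec:
        on = enabled_versions(sec["sslVersions"])
        # Inverse of sslVersions, in Splunk's names (not mongod option tokens).
        expected["sslDisabledProtocols"] = [v for v in ALL_VERSIONS if v not in on]
    return expected

# Constructed sample stanza, not taken from a real deployment.
SAMPLE_CONF = """
[sslConfig]
enableSplunkdSSL = true
sslVersions = *, -ssl3, -tls1.0
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
"""
```

Comparing this output with the options mongod is actually running with on port 8191 shows which of the three settings was not carried over.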
