Deep scanning your deployment

Not a one-time action

In my previous post I wrote about some automation of static and dynamic scanning as part of the software delivery pipeline.

However nothing stays the same; we find new vulnerabilities or configurations are broken or stuff previously considered secure is now weak (64bit ciphers can be broken, for example).

So as well as doing your scans during the development cycle we also need to do repeated scans of deployed infrastructure; espcially if it’s externally facing (but internal facing services may still be at risk from the tens of thousands of desktops in your organisation).

In this spirit I decided to scan this server using OpenVAS and that was installed as part of the the Kali Linux build. OpenVAS can also call other tools (eg Nikto, that I mentioned previously).

Now I’d done this back in May and got a single “low level” message about TCP timestamps, so I didn’t expect to see anything new. Timestamps

So let’s do a run:

First run

Well, damn! That’s not right! I get an A+ on ssllabs tests (more on that in a later post). What’s going on?

SSL protocols

Weak ciphers

Oh… port 563? That’s NNTPS. Oh! I’d recently installed an SSL news server on this machine! And it seems the defaults aren’t so secure.

So I dig into the manual page to work out how to disable SSLv2, SSLv3 and also to set the cipher suite to match that of my apache server.

At the same time I told OpenVAS to update its libraries of known threats and issues. A scanner with an stale database isn’t really much use, and OpenVAS has an update mechanism, with advisories being fed from DFN-CERT. This is pretty impressive, all the more so that it’s free.

So, problem solved, right?

Second run

Damnit! Now my web server is also being flagged! And a new DH issue. Interestingly the TCP Timestamp issue has gone away; maybe that was no longer really considered a problem. Evaluations change.

So what is weak… More weak ciphers

Now this is annoying. The values reported here don’t match the config entries used by OpenSSL.

Are these weak? The nmap -p 443 hostname --script +ssl-enum-ciphers routine reports those entries in the output and considers them strong. As we’ve seen, though; evaluations can change. This is why a scanning tool needs update abilities. I’m more likely to believe the OpenVAS “weak” report as being newer and more accurate than the builtin nmap rules that RedHat won’t have updated in forever.

Now my SSL configuration included entries that mentioned DES:

ECDHE-RSA-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA
!DES

This was to allow IE6 to talk to my site. But let’s remove the three entries and run again. Same result! Still an error.

Some more digging and it seems that the bad entries were brought in with the HIGH setting. So now we needed

HIGH
!EDH-RSA-DES-CBC3-SHA
!DES-CBC3-SHA

The ECDHE entry I’d previously removed wasn’t at fault. That’s elliptical curve. If only the output of the “weak ciphers” test and the configuration options matched!

Third run

Woohoo! Now all the cipher problems have been solved.

Umm, there’s a downside to this. IE6 and IE8 can no longer reach my site. Do I care? According to a browser market share report IE8 is under 4% of usage. I can live with that.

Browser breakdown

But what about this DH issue? I looked into the server code and it seems to respond with different key sizes depending on the block size. I’m not sure the code is correct, but I’m not an SSL expert here. However this is a “low value” service; the data transported is passed in clear text on port 119 and the username/passwords used to access this server may also be used in plain text on 119. So I took the decision to “accept the risk” and entered an override for my servers for this issue on this port, reducing the severity to “Log”

DH

The final result is a score of zero! Yay!

Final result

Notice those 36 log entries. Now some of these may be worth looking at.

Log entries

Here’s our override, as a log entry. There’s also an entry claiming HSTS isn’t present. Which is a lie! So let’s look at this:

HSTS

Ah! This is a response to a ‘bad request’ and it doesn’t see the HSTS header. But a real request does:

$ wget -O /dev/null --server-response https://www.sweharris.org/ 2>&1 | grep Stri
  Strict-Transport-Security: max-age=31536000; includeSubdomains

So we can see this is a false positive; I get an A rating for header security at securityheaders.io.

Lessons Learned

  • Keep scanning servers deployed to production; even if the app doesn’t change something else might
  • Keep your scanning tool databases up to date!
  • Different tools may report different evaluations for the same issue
  • Configuration parameters don’t match reported items
  • Sometimes you have to accept losing customers (IE8?) to be secure
  • Sometimes you can just accept the insecurity risk. That’s why we have “risk management” teams!

OpenVAS is a noisy scan (it flooded my Apache logs with probe attempts, caused multiple ssh failures, triggered firewall protection rules). In an enterprise environment you might want to white-list the traffic from your scanning servers so they don’t trigger SOC alerts and don’t flood out real alerting traffic. But despite this a full vulnerability scan is useful.

It definitely alerted me to a weakness on my server that I wasn’t aware of!