Netgate Discussion Forum

Security vulnerabilities?

Off-Topic & Non-Support Discussion
9 Posts 3 Posters 5.1k Views
merald

What is the process for reporting security vulnerabilities? Or for getting confirmation that they are fixed in a release?

We are going to put pfSense in a PCI DSS environment and ran a Nessus scan. Got these results:

      4/1/2014 Nessus / Scans / Hosts / Vulnerabilities

      HIGH lighttpd < 1.4.34 Multiple Vulnerabilities
      HIGH lighttpd < 1.4.35 Multiple Vulnerabilities
      MEDIUM NTP monlist Command Enabled
      MEDIUM SSL Certificate Cannot Be Trusted
      MEDIUM SSL Certificate with Wrong Hostname
      MEDIUM SSL SelfSigned Certificate
      MEDIUM Web Server Allows Password AutoCompletion
      LOW SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
      LOW SSL RC4 Cipher Suites Supported
      INFO Service Detection
      INFO Nessus SYN scanner
      INFO CGI Generic Injectable Parameter

peersu

The only ones that are actually an issue are the lighttpd ones; everything else you can fix by having an actual SSL cert or manual server configuration. Not sure of the procedure to patch the web server vulns without breaking anything… caveat being I'm also pretty new to pfSense in general.

jimp (Rebel Alliance Developer, Netgate)

2.1.1 is coming soon (days at most) and contains a newer lighttpd.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

merald

I am very impressed by your fast response to this. If we take it into production I will buy support from you guys.

SSL is of course fixed by using certs from our own CA. My main concerns are 3 things:

            1.
            HIGH lighttpd < 1.4.34 Multiple Vulnerabilities
            HIGH lighttpd < 1.4.35 Multiple Vulnerabilities

2. MEDIUM Web Server Allows Password AutoCompletion (PCI-DSS variant)

            Description
The remote web server contains at least one HTML form field containing an input of type 'password' where 'autocomplete' is not set to 'off'.

            While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point.

            Solution
            Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.

            Output
            Page : /
            Destination Page: /index.php

            Page : /index.php
            Destination Page: /index.php
            Port Hosts
            443 / tcp / www
            10.1

3. MEDIUM NTP monlist Command Enabled

            Description

            The version of ntpd on the remote host has the 'monlist' command enabled. This command returns a list of recent hosts that have connected to the service. As such, it can be used for network reconnaissance or, along with a spoofed source IP, a distributed denial of service attack.
            Solution

            If using NTP from the Network Time Protocol Project, either upgrade to NTP 4.2.7-p26 or later, or add 'disable monitor' to the 'ntp.conf' configuration file and restart the service. Otherwise, contact the vendor.

            Otherwise, limit access to the affected service to trusted hosts.
            See Also

            https://isc.sans.edu/diary/NTP+reflection+attack/17300
            http://bugs.ntp.org/show_bug.cgi?id=1532
            http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613
            Output

If you can fix number 2 also it will be a fully PCI compliant device! More than your fellows at Barracuda Networks can do ;) Number 3 could be fixed by just disabling the ntp service, but if you want… :)

jimp (Rebel Alliance Developer, Netgate)

              @merald:

              1.
              HIGH lighttpd < 1.4.34 Multiple Vulnerabilities
              HIGH lighttpd < 1.4.35 Multiple Vulnerabilities

              Fixed in 2.1.1

              @merald:

              MEDIUM Web Server Allows Password AutoCompletion (PCI-DSS variant)

              Fixed by going to System > Advanced and checking "Disable webConfigurator login autocomplete"

              @merald:

3. MEDIUM NTP monlist Command Enabled

              Fixed on 2.1.1

merald

Awesome! As soon as 2.1.1 is released it is going into production in a PCI DSS environment. Not many appliances let you remove the initial user "admin", comply with the requirement "No vendor accounts", and just use AD accounts instead. Great work, you all! Any last tips about running it on a virtual server such as VMware?

merald

                  Hi all

                  New scan of 2.1.1

Unfortunately some new ones came up:

                  Not sure how to handle this, false positive?

                  CGI Generic Cross-Site Request Forgery Detection (potential)
                  Description

                  The spider found HTML forms on the remote web server. Some CGI scripts do not appear to be protected by random tokens, a common anti-cross-site request forgery (CSRF) protection. The web application might be vulnerable to CSRF attacks.

Note that:

                  • Nessus did not exploit the flaw,
                  • Nessus cannot identify sensitive actions – for example, on an online bank, consulting an account is less sensitive than transferring money.

                  You will have to audit the source of the CGI scripts and check if they are actually affected.
                  Solution

                  Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
                  See Also

                  http://en.wikipedia.org/wiki/Cross-site_request_forgery
                  Output
The following CGIs are not protected by a random token:
                  /index.php

And then for the squid package, which did not get any vulnerabilities before:

                  Squid 2.x / 3.x < 3.1.22 / 3.2.4 / 3.3.0.2 cachemgr.cgi DoS
                  Description

                  According to its banner, the version of Squid running on the remote host is 2.x or 3.x prior to 3.1.22 / 3.2.4 / 3.3.0.2. The included 'cachemgr.cgi' tool reportedly lacks input validation, which could be abused by any client able to access that tool to perform a denial of service attack on the service host. Note that Nessus did not actually test for this issue, but instead has relied on the version in the server's banner.
                  Solution

                  Either upgrade to Squid version 3.1.22 / 3.2.4 / 3.3.0.2 or later, or apply the vendor-supplied patch.

                  Alternatively, restrict access to this CGI or limit CGI memory consumption via the host web server's configuration options.
                  See Also

                  http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
                  Output
Version source    : Server: squid/2.7.STABLE9
Installed version : 2.7.STABLE9
Fixed version     : 3.1.22 / 3.2.4 / 3.3.0.2

                  Squid 2.x / 3.x < 3.1.23 / 3.2.6 / 3.3.0.3 cachemgr.cgi DoS
                  Description

                  According to its banner, the version of Squid running on the remote host is 2.x or 3.x prior to 3.1.23 / 3.2.6 / 3.3.0.3. The included 'cachemgr.cgi' tool reportedly lacks input validation, which could be abused by any client able to access that tool to perform a denial of service attack on the service host.

                  Note this fix is a result of an incomplete fix for CVE-2012-5643.
                  Further note that Nessus did not actually test for this issue, but instead has relied on the version in the server's banner.
                  Solution

                  Either upgrade to Squid version 3.1.23 / 3.2.6 / 3.3.0.3 or later, or apply the vendor-supplied patch.

                  Alternatively, restrict access to this CGI or limit CGI memory consumption via the host web server's configuration options.
                  See Also

                  http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
                  Output
Version source    : Server: squid/2.7.STABLE9
Installed version : 2.7.STABLE9
Fixed version     : 3.1.23 / 3.2.6 / 3.3.0.3

What do you experts say?

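A defender-side pre-check for the two form findings in this thread (the password autocomplete finding and the CGI CSRF detection on /index.php), added here as an example and not code from the thread or from pfSense; it assumes the constructed sample HTML below and that __csrf_magic is the hidden token field name to look for.

```python
"""Audit HTML forms for the two form findings Nessus raised here: a password input without
autocomplete="off", and a form carrying no hidden anti-CSRF token. Added example, not pfSense
or Nessus code; the sample HTML is constructed and the field name __csrf_magic is assumed."""
from html.parser import HTMLParser

TOKEN_NAMES = {"__csrf_magic", "csrf_token"}  # assumed names of anti-CSRF hidden fields

class FormAuditor(HTMLParser):
    # Per <form>: is a token field present, and which password fields lack
    # autocomplete="off" (autocomplete="off" on the <form> element also satisfies it).
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # tag/attr names arrive lowercased
        if tag == "form":
            self.current = {"action": a.get("action", ""), "token": False,
                            "form_off": a.get("autocomplete", "").lower() == "off",
                            "bad_pw": []}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            typ, name = a.get("type", "text").lower(), a.get("name", "")
            if typ == "hidden" and name in TOKEN_NAMES:
                self.current["token"] = True
            elif typ == "password" and not self.current["form_off"] \
                    and a.get("autocomplete", "").lower() != "off":
                self.current["bad_pw"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit(html):
    """Return [(action, has_csrf_token, [password fields lacking autocomplete=off]), ...]."""
    p = FormAuditor()
    p.feed(html)
    p.close()
    return [(f["action"], f["token"], f["bad_pw"]) for f in p.forms]

# Constructed sample: the first form reproduces both findings, the second is the hardened form.
SAMPLE = """<form action="/index.php" method="post">
  <input name="usernamefld" type="text"><input name="passwordfld" type="password">
</form>
<form action="/index.php" method="post" autocomplete="off">
  <input type="hidden" name="__csrf_magic" value="sid:constructed-token">
  <input name="usernamefld" type="text"><input name="passwordfld" type="password">
</form>"""
print(audit(SAMPLE))  # [('/index.php', False, ['passwordfld']), ('/index.php', True, [])]
```

Feeding audit() the real login page HTML tells you which of the two findings still applies before the next scan. Nessus only looks for a token-shaped field, so a flagged form still needs the manual review its plugin text asks for.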
merald

                    bump  :o

merald

Bump again. I offer my help to do security scans of new releases, anyone interested?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.