TABLE OF CONTENTS
- 1. SSL Certificate related issues:
- 2. TLS Version 1.1 Protocol Detection:
- 3. TLS Version 1.0 Protocol Detection:
- 4. SSL Version 2 and 3 Protocol Detection:
- 5. DOM-based Cross Site Scripting Vulnerability:
- 6. SSH security related issues:
- 7. HTTP OPTIONS Method Enabled [Port 3636]:
- 8. Any issue related to TLS/SSL ciphers:
- 9. ICMP timestamp response:
- 10. TCP timestamp response:
- 11. Remote server is vulnerable to SSL/TLS BREACH vulnerability:
- 12. HTTP Public key Pinning is not implemented:
- 13. jQuery Update:
- 14. Customer asking for default HySecure SSH credentials :
- 15. Integrate SNMP with HySecure:
- 16. To create a snmp v3 user in Hysecure:
- 17. To create a low privilege user in HySecure:
- 18. To remove nginx version number:
- 19. Insecure Configuration Management: Default Spark View Content
- 20 Accops HySecure Security Architecture:
- 21. Outdated NGINX version:
- 22. Web Application Potentially Vulnerable to Clickjacking
- 23. Certificate related points on port 636 and 389 for LDAP:
- 24. Upgrade NGINX to v1.24.0:
- 25. Outdated Jquery:
- 26. NGINX header and version observed in response header:
- 27. HTTP Strict Transport Security not implemented:
- 28. Weak Cache control header:
- 29. Weak Content Security Policy:
- 30. HySecure Compliance checklist:
- 31. Disable port 389 for ADS:
1. SSL Certificate related issues:
Solution: Apply a valid SSL certificate signed by a proper CA or scan the g/w by using FQDN.
2. TLS Version 1.1 Protocol Detection:
Solution: Disable TLS 1.1 from HySecure management console. Ask for wireshark trace if customer still reports.
3. TLS Version 1.0 Protocol Detection:
Solution: Disable TLS 1.0 from HySecure management console. Ask for wireshark trace if customer still reports.
4. SSL Version 2 and 3 Protocol Detection:
Solution: Disable SSL v2&3 from HySecure management console
5. DOM-based Cross Site Scripting Vulnerability:
Comment to be given: It seems that the scanner has done the static analysis of the js file which is reported in the VAPT report. This might be a false positive. Need more information on how this can be exploited. Please provide proper steps so that we can reproduce this on our side.
6. SSH security related issues:
Solution:
Replace the below configurations with existing one in /etc/ssh/sshd_config
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr
MACs umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Command to restart SSHd : [systemctl restart sshd]
Keep the current terminal open and test the SSH login with new terminal.
Note: Take backup of existing sshd_config file
7. HTTP OPTIONS Method Enabled [Port 3636]:
Solution: Add port 3636 in /home/fes/iptables.sh script and execute it.
8. Any issue related to TLS/SSL ciphers:
Solution: Enable the strong ciphers from management console
Only keep below 2 cipher suites enabled from management console
ECDHE_RSA_AES256_GCM_SHA384
ECDHE_RSA_AES128_GCM_SHA256
If any issue is observed in HySecure after enabling only above 2 ciphers then keep below 4 cipher suites enabled to solve the issue
ECDHE_RSA_AES256_GCM_SHA384
RSA_AES256_GCM_SHA384
ECDHE_RSA_AES128_GCM_SHA256
RSA_AES128-GCM-SHA256
9. ICMP timestamp response:
Solution: Run below two commands to disable ICMP timestamp response
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
10. TCP timestamp response:
Solution: Run below two commands to disable TCP timestamp response
echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf
sysctl -p /etc/sysctl.d/tcp_timestamps.conf
11. Remote server is vulnerable to SSL/TLS BREACH vulnerability:
Solution: Add below lines at the very bottom of the /etc/httpd/conf/httpd.conf
#Breach attack Mitigation
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0678 no-gzip
BrowserMatch \bMSIE gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|zip|gz|tgz|htc|svg+xml|svg|svgz)$ no-gzip dont-vary # BREACH migitation
SetEnvIfNoCase Referer .* self_referer=no
SetEnvIf self_referer ^no$ no-gzip
Header append Vary User-Agent env=!dont-vary
12. HTTP Public key Pinning is not implemented:
Comment: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes.
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
13. jQuery Update:
Solution: jQuery is updated to v3.5.0 from v5299 of HySecure. It has no vulnerabilities till date.
14. Customer asking for default HySecure SSH credentials :
Comment: Providing SSH credentials of HySecure Server is against the policy of Accops and not permitted to be shared and/or used in any case other than critical Support escalations. Like any other security product, Accops Hysecure works on a hardened operating system, and we don't allow shell access due to security reasons. Some of the reasons are as below:
1. Prevent an attacker with stolen credentials from running a malicious program or commands.
2. Prevent legitimate users from performing dangerous operations by accident like opening firewall rules.
3. Prevent legitimate users from inadvertently running programs that would otherwise interfere with the legitimate services running on a host.
Disclaimer
Accops shall not be responsible in the event of service disruptions caused due to modifications to the system or any modification done by any third-party tool.
Alternate Solution:
An alternate solution for this would be to perform a blackbox scan and use the scanner to scan HySecure's web application [HyLite portal] surface aggressively instead of scanning the OS.
A grey box test can also be performed as user credentials (HyLite) can be used during the scan to provide elevated user access/authentication.
15. Integrate SNMP with HySecure:
Steps: To integrate SNMP with hysecure follow steps mention in below document. Refer point 2 in the doc.
HySecure SNMP Configuration guide with Zabbix.pdf
16. To create a snmp v3 user in Hysecure:
Commands:
# systemctl stop snmpd
Replace the snmp.conf file as mentioned in snmp document in point 20.
Command to create v3 user
# net-snmp-create-v3-user -ro -A <desired_password> -a SHA -X <desired_password> -x AES <new snmp user name>
Restart snmpd service : systemctl start snmpd
17. To create a low privilege user in HySecure:
Commands:
# adduser <username>
# passwd <username>
Add newly created username in /etc/ssh/sshd_config file after vpnsadmin
Allowusers vpnsadmin <new_user_created>
18. To remove nginx version number:
Solution: In /etc/nginx/nginx.conf add the below flag in "http{}" section:
server_tokens off;
Restart the nginx service : systemctl restart nginx
19. Insecure Configuration Management: Default Spark View Content
Solution: Remove the HTML5 directory from /home/fes/public/portal
Command: mv -rf /home/fes/public/portal/html5 /home/vpnsadmin/
20 Accops HySecure Security Architecture:
Link : Accops HySecure Security Architecture v3.pdf
21. Outdated NGINX version:
Steps:
1. Take Putty & WinSCP access of all the nodes of gateway.
2. Download nginx rpm file from below link,
3. Login into WinSCP and paste the nginx-rpms-final.tgz file into all the nodes
4. Login into Putty, Enter below command,
# tar xzf nginx-rpms-final.tgz
5. Go to the nginx-rpms directory.
# cd nginx-rpms/
6. Run script from the below command.
# sh script.sh
7. Verify Nginx version.
# nginx -v
8.Repeat these steps in all the nodes.
22. Web Application Potentially Vulnerable to Clickjacking
Comment: Accops already has multiple compensatory controls to mitigate risk of Cross-site scripting and Clickjacking attacks including HTTP headers like Xss-Protection, X-FRAME-OPTIONS.
You can test your website on below link:
23. Certificate related points on port 636 and 389 for LDAP:
Solution : Download this script -> ldap_cert_change.sh
- Assign the execute permission (chmod +x ldap_cert_change.sh)
- Run the script on hysecure server (./ldap_cert_change.sh)
- Restart the SLAPD service (systemctl restart slapd)
24. Upgrade NGINX to v1.24.0:
Steps :
1.. Download the ZIP file from below link.
https://propalmsnetwork-my.sharepoint.com/:u:/g/personal/rohan_takke_accops_com/EX4HKOmPOyZMoyPJ6QASpEIBajqs1kMx5G0Cz_zsdeyPxQ?e=fbL43U
2. Upload the ZIP on HySecure server.
3. Unzip the file (unzip nginx1.24.zip)
4. Go to nginx1.24 directory
5. Change the permission of the update.sh script (chmod +x update.sh)
6. Run the script (./update.sh)
7. Nginx will be upgraded to latest stable version 1.24.0
25. Outdated Jquery:
Comments: Fixed in HySecure SP5 (Service Pack 5)
26. NGINX header and version observed in response header:
Comments: Fixed in HySecure SP5 (Service Pack 5) + COS7 Hotfix
27. HTTP Strict Transport Security not implemented:
Comments: Fixed in HySecure SP5 (Service Pack 5)
28. Weak Cache control header:
Comments: Cache-control: no-store & Pragma: no-cache is implemented from HySecure SP5 onwards.
29. Weak Content Security Policy:
Comments: Accops HySecure already maintains a well-defined and secure Content Security Policy (CSP) from HySecure vSP5 onwards. This policy is meticulously configured to regulate the sources from which content is loaded when web pages are rendered in a browser. We dont use unsafe-inline in unsafe-eval in CSP. Accops HySecure has all the mitigations in place against vulnerabilities like XSS , Clickjacking etc.
30. HySecure Compliance checklist:
Link to sheet:HySecure Compliance Checklist.xlsx
31. Disable port 389 for ADS:
Solution:
1. Take backup of the /usr/lib/systemd/system/slapd.service file and open in editor
2. Remove this ldap:/// from the file
3. As shown in below image , keep only ldaps:///
4. Reload daemon [systemctl daemon-reload]
5. Save the file and restart the slapd service [systemctl restart slapd]