TABLE OF CONTENTS
- 1. SSL Certificate related issues:
- 2. TLS Version 1.1 Protocol Detection:
- 3. TLS Version 1.0 Protocol Detection:
- 4. SSL Version 2 and 3 Protocol Detection:
- 5. DOM-based Cross Site Scripting Vulnerability:
- 6. SSH security related issues:
- 7. HTTP OPTIONS Method Enabled [Port 3636]:
- 8. Any issue related to TLS/SSL ciphers:
- 9. ICMP timestamp response:
- 10. TCP timestamp response:
- 11. Remote server is vulnerable to SSL/TLS BREACH vulnerability:
- 12. HTTP Public key Pinning is not implemented:
- 13. jQuery Update:
- 14. Customer asking for default HySecure SSH credentials :
- 15. Integrate SNMP with HySecure:
- 16. To create a snmp v3 user in Hysecure:
- 17. To create a low privilege user in HySecure:
- 18. To remove nginx version number:
- 19. Insecure Configuration Management: Default Spark View Content:
- 20. Accops HySecure Security Architecture:
- 21. Outdated NGINX version:
- 22. Web Application Potentially Vulnerable to Clickjacking:
- 23. Certificate related points on port 636 and 389 for LDAP:
- 24. Upgrade NGINX to v1.24.0:
- 25. Outdated Jquery:
- 26. NGINX header and version observed in response header:
- 27. HTTP Strict Transport Security not implemented:
- 28. Weak Cache control header:
- 29. Weak Content Security Policy:
- 30. HySecure Compliance checklist:
- 31. Disable port 389 for ADS:
1. SSL Certificate related issues:
Solution: Install a certificate for the gateway that is signed by a CA the scanner trusts, and make sure the scanner targets the gateway by the FQDN that appears in the certificate rather than by IP address; a scan against the bare IP reports a hostname mismatch even when the certificate itself is valid.
2. TLS Version 1.1 Protocol Detection:
Solution: Disable TLS 1.1 from the HySecure management console. If the customer still reports the finding after the change, ask for a Wireshark capture of the scanner's connection, so that the version offered in the Client Hello and the one chosen in the Server Hello can be checked instead of relying on the scanner's summary.
3. TLS Version 1.0 Protocol Detection:
Solution: Disable TLS 1.0 from the HySecure management console. If the customer still reports the finding after the change, ask for a Wireshark capture as in item 2.
4. SSL Version 2 and 3 Protocol Detection:
Solution: Disable SSL v2 and SSL v3 from the HySecure management console.
5. DOM-based Cross Site Scripting Vulnerability:
Comment to be given: It appears that the scanner performed static analysis of the JavaScript file named in the VAPT report rather than exercising it in a browser, so this may be a false positive. We need more information on how the issue can be exploited: the source of the attacker-controlled value, the sink it reaches, and a URL or payload that triggers it, so that we can reproduce it on our side.
6. SSH security related issues:
Solution:
Replace the existing Ciphers, MACs and KexAlgorithms lines in /etc/ssh/sshd_config with the ones below. Keep exactly one line per keyword: sshd uses the first value it finds for a keyword, so an old line left above the new one silently wins.
Ciphers [email protected],aes256-ctr,[email protected],aes128-ctr,aes192-ctr
MACs [email protected]
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha256
Check the file before restarting : [sshd -t]
Command to restart SSHd : [systemctl restart sshd]
Keep the current terminal open and test the SSH login from a new terminal, so that a mistake in the file cannot lock you out. The effective values can be confirmed with [sshd -T | grep -Ei '^(ciphers|macs|kexalgorithms)'].
Note: Take a backup of the existing sshd_config file before editing it.
7. HTTP OPTIONS Method Enabled [Port 3636]:
Solution: Add port 3636 to the /home/fes/iptables.sh script and execute it, so that the port is no longer reachable from the network the scanner runs on. Before closing the finding, confirm that an OPTIONS request to port 3636 from that network is no longer answered.
8. Any issue related to TLS/SSL ciphers:
Solution: Enable only strong cipher suites from the management console.
Keep only the below 2 cipher suites enabled from the management console (both are TLS 1.2 AEAD suites with ECDHE key exchange, so they provide forward secrecy):
ECDHE_RSA_AES256_GCM_SHA384
ECDHE_RSA_AES128_GCM_SHA256
If any issue is observed in HySecure after enabling only the above 2 ciphers (typically an older client that cannot negotiate ECDHE), keep the below 4 cipher suites enabled to resolve it. The two RSA_ suites use static RSA key exchange and therefore have no forward secrecy, so treat this as a fallback and expect scanners to flag them:
ECDHE_RSA_AES256_GCM_SHA384
RSA_AES256_GCM_SHA384
ECDHE_RSA_AES128_GCM_SHA256
RSA_AES128_GCM_SHA256
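To confirm items 2, 3, 4 and 8 from outside the gateway instead of trusting the scanner's summary, the following is an added example (not HySecure's own tooling) that drives openssl s_client from any host that can reach the gateway. It probes each protocol version and converts the console's cipher names (underscores, explicit RSA key exchange) into the names OpenSSL expects; gw.example.com is a placeholder, not a real gateway.

```shell
#!/bin/sh
# Added example, not part of HySecure: probe protocol versions and console
# cipher suites of a TLS endpoint with openssl s_client.
# Usage:  probe_tls_versions gw.example.com 443
#         probe_cipher gw.example.com 443 ECDHE_RSA_AES256_GCM_SHA384
# gw.example.com is a placeholder host name.

# Convert a suite name as spelled in the HySecure console into the OpenSSL
# name that s_client -cipher expects. OpenSSL drops the "RSA-" prefix for
# suites that use plain RSA key exchange (RSA_AES128_GCM_SHA256 -> AES128-GCM-SHA256).
console_to_openssl() {
    printf '%s\n' "$1" | tr '_' '-' | sed 's/^RSA-//'
}

# One handshake with the given extra s_client options.
# Prints ACCEPTED / rejected / not-testable; returns 0 only for ACCEPTED.
_handshake() {
    host="$1"; port="$2"; shift 2
    # Empty stdin makes s_client exit right after the handshake.
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" "$@" 2>&1) \
        && rc=0 || rc=$?
    case "$out" in
        # Local OpenSSL built without the version, or its security level forbids it.
        *"unknown option"*|*"no protocols available"*) echo "not-testable"; return 2 ;;
    esac
    # A successful handshake prints "New, TLSv1.2, Cipher is ..."; a failed one "Cipher is (NONE)".
    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q 'Cipher is [A-Z]'; then
        echo ACCEPTED; return 0
    fi
    echo rejected; return 1
}

# Try every version; return non-zero if anything below TLS 1.2 is accepted.
probe_tls_versions() {
    [ $# -ge 1 ] || { echo "usage: probe_tls_versions HOST [PORT]" >&2; return 2; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    host="$1"; port="${2:-443}"; bad=0
    for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        res=$(_handshake "$host" "$port" "-$v") || true
        printf '%-7s %s\n' "$v" "$res"
        case "$v:$res" in ssl3:ACCEPTED|tls1:ACCEPTED|tls1_1:ACCEPTED) bad=1 ;; esac
    done
    return $bad
}

# Check whether one console suite is offered. -cipher governs TLS 1.2 suites only
# (TLS 1.3 suites are controlled by -ciphersuites), hence the explicit -tls1_2.
probe_cipher() {
    [ $# -ge 3 ] || { echo "usage: probe_cipher HOST PORT CONSOLE_SUITE_NAME" >&2; return 2; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    name=$(console_to_openssl "$3")
    res=$(_handshake "$1" "$2" -tls1_2 -cipher "$name") || true
    printf '%-32s %s\n' "$3" "$res"
    [ "$res" = ACCEPTED ]
}
```

With only the two ECDHE suites enabled in the console, probe_cipher for RSA_AES256_GCM_SHA384 should print "rejected"; a "not-testable" result for ssl3 or tls1 means the testing host's OpenSSL cannot speak that version, not that the gateway rejected it, so use an older OpenSSL build or the scanner's own capture for those.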
9. ICMP timestamp response:
Solution: Run the below two commands to stop the gateway answering ICMP timestamp requests (the INPUT rule is what stops the reply; the OUTPUT rule is a second line of defence):
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
Rules added with iptables -A are lost at reboot: add them to /home/fes/iptables.sh (see item 7) or persist them with iptables-save. Verify with [hping3 -1 -C 13 <gateway>] from the scanner's network; no replies should come back.
10. TCP timestamp response:
Solution: Run the below two commands to disable TCP timestamps; the file under /etc/sysctl.d keeps the setting across reboots:
echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf
sysctl -p /etc/sysctl.d/tcp_timestamps.conf
Verify with [sysctl net.ipv4.tcp_timestamps], which should print 0. The finding is informational (the timestamp lets a scanner estimate uptime); disabling timestamps also turns off PAWS and timestamp-based RTT measurement on the gateway, so apply it only when the customer requires it.
11. Remote server is vulnerable to SSL/TLS BREACH vulnerability:
Solution: Add the below lines at the very bottom of /etc/httpd/conf/httpd.conf (mod_deflate, mod_setenvif and mod_headers must be loaded), check the file with [apachectl configtest] and restart httpd. Apache does not accept a comment after a directive on the same line, so the comments below stay on lines of their own.
#Breach attack Mitigation
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE gzip-only-text/html
# BREACH mitigation: never compress (or vary) content that is already compressed
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|zip|gz|tgz|htc|svg|svgz)$ no-gzip dont-vary
# Do not compress responses to requests that carry a Referer header
SetEnvIfNoCase Referer .* self_referer=no
SetEnvIf self_referer ^no$ no-gzip
Header append Vary User-Agent env=!dont-vary
Caveat: as written, every request that carries a Referer (including same-site navigation) is served uncompressed and only requests without a Referer are compressed, and the Referer test is only a partial mitigation in any case: an attacker's page can suppress the Referer (for example with a no-referrer referrer policy), and such a request is then served compressed again. BREACH needs a secret reflected in a compressed response body, so the dependable fix is to keep secrets such as CSRF tokens and session identifiers out of responses that are compressed, or to disable compression for those pages altogether.
12. HTTP Public key Pinning is not implemented:
Comment: HPKP (the Public-Key-Pins header) is deprecated and should not be implemented. Chrome and Firefox have removed support for it and Safari never implemented it, and a wrong pin locks legitimate users out of the site for the whole max-age period. The finding can be closed with this explanation.
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
13. jQuery Update:
Solution: jQuery was updated to v3.5.0 in HySecure build v5299. No published vulnerability affects jQuery 3.5.0 at the time of writing (3.5.0 is the release that fixed the htmlPrefilter XSS issues reported against earlier 3.x versions), so the finding does not apply to that build or later.
14. Customer asking for default HySecure SSH credentials :
Comment: Providing SSH credentials of the HySecure server is against Accops policy; they are not shared or used in any case other than critical support escalations. Like any other security product, Accops HySecure runs on a hardened operating system, and shell access is not allowed for security reasons. Some of the reasons are:
1. Prevent an attacker with stolen credentials from running a malicious program or commands.
2. Prevent legitimate users from performing dangerous operations by accident, such as opening firewall rules.
3. Prevent legitimate users from inadvertently running programs that would interfere with the legitimate services running on the host.
Disclaimer
Accops shall not be responsible for service disruptions caused by modifications to the system or by any third-party tool.
Alternate Solution:
Perform a black-box scan instead, pointing the scanner at the HySecure web application (the HyLite portal) aggressively rather than at the operating system.
A grey-box test can also be performed: HyLite user credentials can be supplied to the scanner so that the authenticated surface is tested as well.
15. Integrate SNMP with HySecure:
Steps: To integrate SNMP with HySecure, follow the steps in the document below (see point 2 of the document).
HySecure SNMP Configuration guide with Zabbix.pdf
16. To create an SNMP v3 user in HySecure:
Commands:
# systemctl stop snmpd
Replace the snmp.conf file as described in point 20 of the SNMP configuration guide referenced in item 15. snmpd must stay stopped while the user is created: net-snmp-create-v3-user writes the user into snmpd's persistent configuration, which a running snmpd rewrites on shutdown.
Command to create the v3 user (SNMPv3 requires both passphrases to be at least 8 characters; use different values for the authentication passphrase -A and the privacy passphrase -X):
# net-snmp-create-v3-user -ro -A <auth_password> -a SHA -X <priv_password> -x AES <new snmp user name>
Start the snmpd service again : [systemctl start snmpd]
17. To create a low privilege user in HySecure:
Commands:
# adduser <username>
# passwd <username>
Add the new username to the AllowUsers line in /etc/ssh/sshd_config, after vpnsadmin. With AllowUsers present, any account not listed is refused at login, so the new user cannot connect until this is done:
AllowUsers vpnsadmin <new_user_created>
Then restart sshd : [systemctl restart sshd]
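Items 6 and 17 both edit sshd_config by hand, where a leftover line or a forgotten AllowUsers entry is easy to miss. The following is an added example (not HySecure's own tooling) that makes both edits idempotently with a backup, then syntax-checks and restarts. The algorithm lists are standard OpenSSH names assumed for illustration; substitute the exact lists from item 6.

```shell
#!/bin/sh
# Added example, not part of HySecure: safe edits to sshd_config for items 6 and 17.
# Usage (on the gateway, as root):
#   harden_sshd_config /etc/ssh/sshd_config
#   allow_ssh_user /etc/ssh/sshd_config auditor
#   validate_and_restart_sshd /etc/ssh/sshd_config

# Assumed algorithm lists (illustrative; replace with the lists from item 6).
CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

backup_file() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Replace, not add, the Ciphers/MACs/KexAlgorithms lines. sshd keeps the FIRST
# value it sees for a keyword, so an old line left in place would silently win.
harden_sshd_config() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    backup_file "$f"
    tmp=$(mktemp)
    # Keywords are case-insensitive; drop every existing occurrence.
    grep -Eiv '^[[:space:]]*(Ciphers|MACs|KexAlgorithms)[[:space:]]' "$f" > "$tmp" || true
    {
        printf '\n# Algorithm hardening (VAPT remediation)\n'
        printf 'Ciphers %s\nMACs %s\nKexAlgorithms %s\n' "$CIPHERS" "$MACS" "$KEX"
    } >> "$tmp"
    cat "$tmp" > "$f" && rm -f "$tmp"   # cat keeps the original file's owner and mode
}

# Append a user to the existing AllowUsers line (item 17), or create the line.
# Does nothing if the user is already listed.
allow_ssh_user() {
    f="$1"; u="$2"
    if grep -Eiq "^[[:space:]]*AllowUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$u([[:space:]]|\$)" "$f"; then
        return 0
    fi
    backup_file "$f"
    tmp=$(mktemp)
    if grep -Eiq '^[[:space:]]*AllowUsers[[:space:]]' "$f"; then
        sed "s/^\([[:space:]]*[Aa]llow[Uu]sers[[:space:]].*\)\$/\1 $u/" "$f" > "$tmp"
    else
        { cat "$f"; printf 'AllowUsers %s\n' "$u"; } > "$tmp"
    fi
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Syntax-check, show the effective values, then restart. Refuses to restart on
# a broken file so the running daemon (and your open session) stays usable.
validate_and_restart_sshd() {
    f="${1:-/etc/ssh/sshd_config}"
    sshd -t -f "$f" || { echo "$f is invalid, NOT restarting; restore the .bak copy" >&2; return 1; }
    sshd -T -f "$f" | grep -Ei '^(ciphers|macs|kexalgorithms|allowusers) '
    echo "Keep this session open; test a login from a second terminal after the restart." >&2
    systemctl restart sshd
}
```

On OpenSSH 8.2 and later the stock sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, so a file in that directory can set Ciphers before the lines appended here and win; the sshd -T output in validate_and_restart_sshd shows which value is actually in effect.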
18. To remove nginx version number:
Solution: In /etc/nginx/nginx.conf add the below directive in the "http{}" section:
server_tokens off;
Check the configuration : [nginx -t]
Restart the nginx service : [systemctl restart nginx]
This removes the version from the Server header and from nginx error pages; the header itself still reads "Server: nginx" (see item 26 for the fix that covers the header).
19. Insecure Configuration Management: Default Spark View Content:
Solution: Move the default HTML5 (Spark View) directory out of /home/fes/public/portal so that it is no longer served; moving it into the vpnsadmin home keeps a copy in case it has to be restored. Confirm first that nothing in the customer's deployment is served from that directory. (mv has no -r option; the directory is moved as a whole.)
Command: mv -f /home/fes/public/portal/html5 /home/vpnsadmin/
20. Accops HySecure Security Architecture:
Link : Accops HySecure Security Architecture v3.pdf
21. Outdated NGINX version:
Steps:
1. Open PuTTY (SSH) and WinSCP sessions to every node of the gateway.
2. Download the nginx rpm bundle from the link below,
3. In WinSCP, copy the nginx-rpms-final.tgz file to every node.
4. In PuTTY, enter the below command,
# tar xzf nginx-rpms-final.tgz
5. Go to the nginx-rpms directory.
# cd nginx-rpms/
6. Run the script with the below command.
# sh script.sh
7. Verify the nginx version.
# nginx -v
8. Repeat these steps on all the nodes, one node at a time, so that the gateway stays available while each node restarts nginx.
22. Web Application Potentially Vulnerable to Clickjacking:
Comment: Accops already has multiple compensating controls to mitigate Cross-site Scripting and Clickjacking, including the X-Frame-Options header and the Content Security Policy described in item 29. The X-XSS-Protection header is also sent, but current browsers ignore it, so it should not be counted as a control. Clickjacking is mitigated by X-Frame-Options (DENY or SAMEORIGIN) or by a CSP frame-ancestors directive; confirm that the reported page actually carries one of them before closing the finding.
You can test your website on the below link:
23. Certificate related points on port 636 and 389 for LDAP:
Solution : Download this script -> ldap_cert_change.sh
- Assign the execute permission (chmod +x ldap_cert_change.sh)
- Run the script on the HySecure server (./ldap_cert_change.sh)
- Restart the SLAPD service (systemctl restart slapd)
- Verify that the new certificate is served (openssl s_client -connect <hysecure>:636 -showcerts </dev/null)
24. Upgrade NGINX to v1.24.0:
Steps :
1. Download the ZIP file from the link below.
https://propalmsnetwork-my.sharepoint.com/:u:/g/personal/rohan_takke_accops_com/EX4HKOmPOyZMoyPJ6QASpEIBajqs1kMx5G0Cz_zsdeyPxQ?e=fbL43U
2. Upload the ZIP to the HySecure server.
3. Unzip the file (unzip nginx1.24.zip)
4. Go to the nginx1.24 directory
5. Make the update.sh script executable (chmod +x update.sh)
6. Run the script (./update.sh)
7. Nginx is upgraded to version 1.24.0 (the stable release at the time of writing); confirm with nginx -v and nginx -t. On a multi-node gateway, run the upgrade one node at a time, as in item 21.
25. Outdated Jquery:
Comments: Fixed in HySecure SP5 (Service Pack 5).
26. NGINX header and version observed in response header:
Comments: Fixed in HySecure SP5 (Service Pack 5) + COS7 Hotfix.
27. HTTP Strict Transport Security not implemented:
Comments: Fixed in HySecure SP5 (Service Pack 5).
28. Weak Cache control header:
Comments: Cache-Control: no-store and Pragma: no-cache are sent from HySecure SP5 onwards.
29. Weak Content Security Policy:
Comments: Accops HySecure ships a defined Content Security Policy (CSP) from HySecure SP5 onwards. The policy restricts the sources from which content may be loaded when the portal pages are rendered in a browser, and it does not use unsafe-inline or unsafe-eval. Together with the headers in items 22, 27 and 28 it covers the scanner's XSS and Clickjacking findings.
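Items 22 and 26 to 29 all come down to which response headers the portal sends. The following is an added example (not HySecure's own tooling) that reads a raw HTTP response and reports the header findings a scanner would raise, so a support engineer can check a customer's gateway with one curl call. The two sample responses inside it are constructed for the example, not captured from a real gateway, and gw.example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not part of HySecure: header checks for items 22, 26, 27, 28, 29.
# Live use:  curl -sS -D - -o /dev/null https://gw.example.com/ | check_security_headers
# (gw.example.com is a placeholder.)

# Constructed sample: what a default, unhardened portal response might look like.
sample_default_response() {
    printf "HTTP/1.1 200 OK\r\nServer: nginx/1.20.1\r\nContent-Type: text/html\r\nCache-Control: private\r\nX-XSS-Protection: 1; mode=block\r\n\r\n<html>login</html>\r\n"
}

# Constructed sample: the headers items 22 and 26-29 say SP5 sends.
sample_hardened_response() {
    printf "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nX-Frame-Options: DENY\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\nCache-Control: no-store\r\nPragma: no-cache\r\n\r\n<html>login</html>\r\n"
}

# True if the (lower-cased) header block matches the extended regex in $1.
_hdr_has() {
    printf '%s\n' "$HDRS" | grep -Eq "$1"
}

# Reads a raw HTTP response on stdin. Prints OK or "FINDINGS: ..." and returns 0
# only when nothing was found. Header names are case-insensitive, so the block is
# lower-cased; only the part before the first blank line (the headers) is read.
check_security_headers() {
    HDRS=$(tr -d '\r' | sed '/^$/q' | tr '[:upper:]' '[:lower:]')
    findings=""

    # Item 22: framing must be refused by X-Frame-Options or CSP frame-ancestors.
    _hdr_has '^x-frame-options: *(deny|sameorigin)' \
        || _hdr_has '^content-security-policy:.*frame-ancestors' \
        || findings="$findings clickjacking"

    # Item 29: a CSP that allows unsafe-inline/unsafe-eval is weak; none at all is weaker.
    if ! _hdr_has '^content-security-policy:'; then
        findings="$findings no-csp"
    elif _hdr_has "^content-security-policy:.*'unsafe-(inline|eval)'"; then
        findings="$findings csp-unsafe"
    fi

    # Item 27: HSTS present with a max-age of at least 180 days.
    age=$(printf '%s\n' "$HDRS" \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$age" ]; then
        findings="$findings no-hsts"
    elif [ "$age" -lt 15552000 ]; then
        findings="$findings hsts-max-age-short"
    fi

    # Item 28: authenticated pages must not be cached.
    _hdr_has '^cache-control:.*no-store' || findings="$findings cache-control"
    _hdr_has '^pragma: *no-cache' || findings="$findings pragma"

    # Item 26: the Server header must not carry a version number.
    _hdr_has '^server:.*/[0-9]' && findings="$findings version-disclosure"

    if [ -z "$findings" ]; then
        echo OK
        return 0
    fi
    echo "FINDINGS:$findings"
    return 1
}
```

Run it against the portal login page and against an authenticated page, because scanners report per URL; the Cache-Control and Pragma checks only matter on pages that carry session data.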
30. HySecure Compliance checklist:
Link to sheet: HySecure Compliance Checklist.xlsx
31. Disable port 389 for ADS:
Solution:
1. Take a backup of /usr/lib/systemd/system/slapd.service and open the file in an editor.
2. On the ExecStart line, remove ldap:/// from the list of listener URLs and keep only ldaps:/// (the plaintext listener on port 389 is what the finding is about).
3. Save the file.
4. Reload the unit definitions [systemctl daemon-reload]
5. Restart the slapd service [systemctl restart slapd]
6. Verify with [ss -ltnp | grep slapd] that slapd now listens only on 636.
Note: a file under /usr/lib/systemd/system is replaced when the openldap-servers package is updated, whereas a drop-in under /etc/systemd/system/slapd.service.d/ survives updates. If the ExecStart line references ${SLAPD_URLS} rather than literal URLs (the stock CentOS 7 unit does), the listener list lives in /etc/sysconfig/slapd and is edited there instead.
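The following is an added example (not HySecure's own tooling) for item 31 that makes the same change as a systemd drop-in instead of editing the packaged unit file, so a package update cannot silently bring port 389 back. It refuses to act if ldaps:/// is not already configured, because dropping the only listener would take the directory offline. The unit file contents used in the test are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of HySecure: remove the plaintext ldap:/// listener from
# slapd's ExecStart via a drop-in override (item 31).
# Usage (on the gateway, as root):
#   make_slapd_override /usr/lib/systemd/system/slapd.service /etc/systemd/system/slapd.service.d
#   systemctl daemon-reload && systemctl restart slapd && verify_ldap_listeners

# $1: unit file to read; $2: drop-in directory to write. Prints the new ExecStart line.
make_slapd_override() {
    unit="$1"; dir="$2"
    exec_line=$(grep '^ExecStart=' "$unit" | head -n 1) || true
    [ -n "$exec_line" ] || { echo "no ExecStart= in $unit" >&2; return 1; }
    case "$exec_line" in
        *ldaps:///*) ;;
        *) echo "ldaps:/// is not configured in $unit; add it before dropping ldap:///" >&2; return 1 ;;
    esac
    case "$exec_line" in
        *ldap:///*) ;;
        *) echo "ldap:/// already absent in $unit; nothing to do" >&2; return 0 ;;
    esac
    # Drop the token together with one adjacent space so the argument list stays tidy.
    # "ldaps:///" and "ldapi:///" do not contain the string "ldap:///" and are untouched.
    new_line=$(printf '%s\n' "$exec_line" | sed -e 's#ldap:/// ##g' -e 's# ldap:///##g' -e 's#ldap:///##g')
    mkdir -p "$dir"
    # The empty ExecStart= clears the packaged value; without it systemd would append.
    printf '[Service]\nExecStart=\n%s\n' "$new_line" > "$dir/no-plaintext-ldap.conf"
    printf '%s\n' "$new_line"
}

# After the restart: 636 (ldaps) must be listening and 389 must not.
verify_ldap_listeners() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available" >&2; return 2; }
    ss -ltn | awk '{print $4}' | grep -Eq ':389$' && { echo "port 389 still listening" >&2; return 1; }
    ss -ltn | awk '{print $4}' | grep -Eq ':636$' || { echo "port 636 not listening" >&2; return 1; }
    echo "only ldaps (636) is listening"
}
```

If the packaged unit uses ${SLAPD_URLS} instead of literal URLs, the printed line will still contain the variable and the override is pointless; edit /etc/sysconfig/slapd in that case, as noted above.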