TABLE OF CONTENTS
- 1. Server supports Transport Layer Security (TLSv1.0)
- 2. Missing security headers:
- 3. Deprecated SSH Cryptographic Settings
- 4. Log4j Issue
- 5. Updating outdated OS Packages
Note: It is highly recommended to update ARS to v1.08 before performing any VAPT
1. Server supports Transport Layer Security (TLSv1.0)
Solution: Update ARS to 1.08 and add the entry below to /etc/kibana/kibana.yml
server.ssl.supportedProtocols: ["TLSv1.2"]
2. Missing security headers:
Solution: Add the lines below to /etc/kibana/kibana.yml and restart the Kibana service (systemctl restart kibana)
Note: ARS should be updated to 1.08
server.customResponseHeaders: {
"X-Frame-Options": "SAMEORIGIN",
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Content-Security-Policy": "frame-ancestors 'self'",
"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
}
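A way to confirm that sections 1 and 2 took effect after the Kibana restart, as an added helper and not part of the original ARS note: it checks a saved response header dump for the five headers that server.customResponseHeaders adds, and checks a kibana.yml for the TLSv1.2-only setting. The header dump and the kibana.yml content are constructed samples; the <ars-host> name and port 5601 in the comment are placeholders.

```shell
#!/bin/sh
# Added verification helper for sections 1 and 2 (not part of the original
# ARS note). Checks a saved HTTP response header dump for the five security
# headers, and a kibana.yml snippet for the TLSv1.2-only protocol setting.

# Constructed sample: what `curl -sI https://<ars-host>:5601/` could return
# once the headers from section 2 are in place (<ars-host> is a placeholder).
SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/1.1 302 Found
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
content-security-policy: frame-ancestors 'self'
strict-transport-security: max-age=63072000; includeSubDomains; preload
location: /login
EOF
)

# Constructed sample of the kibana.yml lines from section 1.
SAMPLE_KIBANA_YML=$(cat <<'EOF'
server.ssl.enabled: true
server.ssl.supportedProtocols: ["TLSv1.2"]
EOF
)

# check_headers <header dump>
# Prints each missing header name; returns 0 only if all five are present.
# Names are matched case-insensitively because servers and proxies do not
# preserve header case consistently; CRLF line endings are tolerated.
check_headers() {
    missing=0
    for h in x-frame-options x-xss-protection x-content-type-options \
             content-security-policy strict-transport-security; do
        if ! printf '%s\n' "$1" | grep -iq "^$h:"; then
            echo "missing: $h"
            missing=1
        fi
    done
    return $missing
}

# check_tls_protocols <kibana.yml content>
# Returns 0 if server.ssl.supportedProtocols is set, names TLSv1.2 and does
# not also re-enable TLSv1 or TLSv1.1; returns 1 otherwise (including when the
# key is missing, since Kibana then falls back to its default list).
check_tls_protocols() {
    line=$(printf '%s\n' "$1" | grep '^server\.ssl\.supportedProtocols:') || return 1
    if printf '%s\n' "$line" | grep -Eq '"TLSv1(\.1)?"'; then
        return 1
    fi
    printf '%s\n' "$line" | grep -q '"TLSv1\.2"'
}

# Stand-alone run against the constructed samples.
check_headers "$SAMPLE_HEADERS" && echo "all security headers present"
check_tls_protocols "$SAMPLE_KIBANA_YML" && echo "TLSv1.2 only"
```

On a live system feed the helper real data, for example check_headers "$(curl -sk -I https://<ars-host>:5601/)" and check_tls_protocols "$(cat /etc/kibana/kibana.yml)"; a non-zero exit with "missing:" lines means the headers block was not applied or Kibana was not restarted.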
3. Deprecated SSH Cryptographic Settings
Solution: Replace the existing Ciphers, MACs and KexAlgorithms lines in /etc/ssh/sshd_config with the ones below.
If the file does not contain these settings, add them at the bottom of the file.
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,umac-64@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
Restart the SSH service: systemctl restart sshd
4. Log4j Issue
Solution: Refer to the link below and follow the steps described there:
https://blogs.accops.com/apache-log4j2-log4shell-rce-vulnerability-cve-2021-44228/
NOTE:
The scanner may report the issue again even after the fix has been applied.
In that case, share the write-up below with the customer as justification:
"""
The Apache Log4j version used in ARS was affected by the Log4j vulnerability because of the vulnerable class "JndiLookup.class". Hence we have completely removed that class in the fix.
The scanner has not tested for the issue itself but has relied on the Log4j version number it detected, and hence reported the issue.
You can run the command below to verify the presence of JndiLookup.class (after applying the fix it should normally give no output):
unzip -l <jar file path> | grep JndiLookup
"""
5. Updating outdated OS Packages
Solution:
1. Take snapshot of the ARS
2. Enable internet on ARS
3. Run the command: yum update --exclude=nodejs*
4. Reboot the machine
If internet is not available on ARS
If the customer is unable to enable internet access on the ARS machine and requests offline packages, the following information is needed from the customer:
- The exact names of the packages flagged by the scanner [these are case sensitive, so the package names must match those identified by the scanner precisely].
These details are required because the script we use to provide the offline packages to the customer takes a text file containing the list of package names.