Pentest on Nethserver and vulnerabilities

Hello everyone, I ran a pentest with Openvas on my server. I use the policy 10/05/2020 and the test found vulnerabilities.

64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).
I’ll stop here. Can anyone suggest me any Custom actions to take, clearly if necessary?

On
which
service
?

From the reports I see https tcp port 631 (I think cups).

Mitigation

1.SSL/TLS configurations should prefer AES over DES. Versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7 already do so. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 3DES is listed below the AES-256 cipher and above the AES-128 cipher, therefore AES-256 based ciphersuite should not be disabled on the server.
2. Servers using OpenSSL, should not disable AES-128 and AES-256 ciphersuites. Versions of Apache shipped with Red Hat Enterprise Linux use the default cipher string, in which AES is preferred over DES/3DES based ciphersuites.

@giacomo i don’t know if I’m bugging the right person but… it’s expected that CUPS comply with the TLS policy?

@france is expected that your installation allow CUPS available on RED or other interfaces?

Not exactly, the penteste I wanted to perform was just to test the system, the cups service runs only via LAN and in the future via VPN. Anyway, thank you -

Am i correct? You pentested the system from GREEN interface?

Yes, I wanted to do it for a simple test, also if I had to take a test from Wan I had to modify firewalls, fail2ban etc. In practice, a simple internal verification.

Uh, CUPS…is there someone who still using it out there? :stuck_out_tongue:

I’m working a little on some vulnerability tools (OpenVAS and Nessus) in the last few weeks and I saw many of such warning. Most of them can be ignored, especially for services exposed only inside the LAN.

TLS policy has been created mostly for public services, I do not think it’s necessary to enforce it for private networks.

@france if you want to improve CUPS security, try to set SSLOption, it should be something like (not tested):

SSLOptions MintLS1.2

More info at man cupsd.conf.

Please report back your findings :wink:

The “policy name” states some services where it’s applied…
Policy 2020-05-10

This policy disables the TLS protocol versions 1.0 and 1.1. It applies to the following services:

Apache (httpd, httpd-admin)
Ejabberd
Cockpit
Slapd (openldap-servers)
Postfix
Dovecot

But the main reference of documentations is… generic

TLS policy

The TLS policy page controls how individual services configure the Transport Layer Security (TLS) protocol, by selecting a policy identifier .

If not otherwise stated, the TLS settings of policies are always cumulative : newer policies extend older ones .

Which is fine, but…IMVHO should be reported that the TLS policy management affects only some services (not all) described into every policy.

Thanks for info, @giacomo

(Anyway… CUPS supports IPP, still used)

Yes, in fact, I had already seen this. Anyway, thank you Pike as always!

Hi Giacomo, I don’t use cups much, but as written above I just wanted to launch a pentest and I’m not here to list the other alerts (Postfix), because my question was only directed to the vulnerability found in SSL at CUPS 631 service. Anyway, thank you for your intervention.

1 Like