Pentest on Nethserver and vulnerabilities

Hello everyone, I ran a pentest with OpenVAS on my server. I use the policy 10/05/2020 and the test found vulnerabilities.

64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).
I’ll stop here. Can anyone suggest any custom actions to take, if necessary?

On which service?

From the reports I see https tcp port 631 (I think cups).

https://access.redhat.com/node/2568841

Mitigation

1. SSL/TLS configurations should prefer AES over DES. Versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7 already do so. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 3DES is listed below the AES-256 cipher and above the AES-128 cipher, therefore AES-256 based ciphersuite should not be disabled on the server.
2. Servers using OpenSSL should not disable AES-128 and AES-256 ciphersuites. Versions of Apache shipped with Red Hat Enterprise Linux use the default cipher string, in which AES is preferred over DES/3DES based ciphersuites.

@giacomo I don’t know if I’m bugging the right person but… is it expected that CUPS complies with the TLS policy?

@france is it expected that your installation makes CUPS available on RED or other interfaces?

Not exactly, the pentest I wanted to perform was just to test the system; the CUPS service runs only via LAN and in the future via VPN. Anyway, thank you.

Am I correct? You pentested the system from the GREEN interface?

Yes, I wanted to do it as a simple test; also, if I had to run the test from the WAN I would have had to modify firewalls, fail2ban etc. In practice, a simple internal verification.

Uh, CUPS… is there someone still using it out there? :stuck_out_tongue:

I’ve been working a little on some vulnerability tools (OpenVAS and Nessus) in the last few weeks and I saw many such warnings. Most of them can be ignored, especially for services exposed only inside the LAN.

TLS policy has been created mostly for public services, I do not think it’s necessary to enforce it for private networks.

@france if you want to improve CUPS security, try to set SSLOptions; it should be something like (not tested):

SSLOptions MinTLS1.2

More info at man cupsd.conf.

Please report back your findings :wink:
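
An added example, not part of any post in this thread: a small checker for comparing scans before and after a change to the CUPS TLS settings. It assumes the rescan is done with nmap's ssl-enum-ciphers script (a tool not mentioned in the thread); the scan text and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by nmap's ssl-enum-ciphers script
# (assumption: the rescan uses nmap; this is not output from the thread).
SAMPLE_SCAN = """\
631/tcp open  ipp
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
PROTO_RE = re.compile(r"^\|[ _]\s+(SSLv\d|TLSv\d\.\d):\s*$")
SUITE_RE = re.compile(r"^\|[ _]\s+(TLS_\w+|SSL_\w+)\b")
# Suites built on 64-bit block ciphers, the class SWEET32 applies to.
BLOCK64_RE = re.compile(r"_(3DES_EDE|DES40|DES|IDEA|RC2)_CBC")
# Protocol versions that policy 2020-05-10 disables on the services it covers.
OLD_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def audit(scan_text):
    """Return sorted (port, protocol, suite, reason) findings."""
    findings = set()
    port = proto = None
    for line in scan_text.splitlines():
        if m := PORT_RE.match(line):
            port, proto = int(m.group(1)), None
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
        elif proto and (m := SUITE_RE.match(line)):
            suite = m.group(1)
            if BLOCK64_RE.search(suite):
                findings.add((port, proto, suite, "64-bit block cipher (SWEET32)"))
            if proto in OLD_PROTOCOLS:
                findings.add((port, proto, suite, "protocol below TLS 1.2"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(*finding, sep="  ")
```

In the constructed sample the 3DES suite is also listed under TLSv1.2, so a rescan is worth reading per protocol and per suite, not only by protocol version.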

The “policy name” states some services where it’s applied…
Policy 2020-05-10

This policy disables the TLS protocol versions 1.0 and 1.1. It applies to the following services:

Apache (httpd, httpd-admin)
Ejabberd
Cockpit
Slapd (openldap-servers)
Postfix
Dovecot

But the main reference in the documentation is… generic

TLS policy

The TLS policy page controls how individual services configure the Transport Layer Security (TLS) protocol, by selecting a policy identifier.

If not otherwise stated, the TLS settings of policies are always cumulative: newer policies extend older ones.

Which is fine, but… IMVHO it should be reported that the TLS policy management affects only some services (not all), described in every policy.

Thanks for info, @giacomo

(Anyway… CUPS supports IPP, still used)

Yes, in fact, I had already seen this. Anyway, thank you Pike as always!

Hi Giacomo, I don’t use cups much, but as written above I just wanted to launch a pentest and I’m not here to list the other alerts (Postfix), because my question was only directed to the vulnerability found in SSL at CUPS 631 service. Anyway, thank you for your intervention.
