Infrastructure

Nick pointed out that the following VMs had insecure configurations:
* search-ucsb-1
* cn-dev-ucsb-2
* mn-sandbox-ucsb-2

Change the Apache ssl.conf configuration with:

#SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

SSLHonorCipherOrder On

SSLProtocol all -SSLv2 -SSLv3

Scan results from UCSB OIT:

Greetings:

Our vulnerability scanner has found a potentially vulnerable host on your network. You should consider taking the recommended actions mentioned in this report in order to reduce the chances of this host being abused by an attacker. If you believe any part of this report to be incorrect, please let us know so that we can work to improve our reporting accuracy.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Here is information about potential vulnerabilities that were found:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

IP: 128.111.54.85
OS: Linux Kernel 3.11
Linux Kernel 3.12
Linux Kernel 3.13
Linux Kernel 3.17
Scanned From: 128.111.12.51 (on-campus address)
Scan Start: Wed Aug 5 11:34:22 2015
Scan End: Wed Aug 5 11:38:23 2015

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Plugin Name: SSL Version 2 and 3 Protocol Detection (20007)

Synopsis:

The remote service encrypts traffic using a protocol with known weaknesses.

Description:

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC'S definition of 'strong cryptography'.

See Also:

http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.nessus.org/u?247c4540
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://www.nessus.org/u?5d15ba70

Solution:

Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.1 (with approved cipher suites) or higher instead.

Risk Factor: Medium
CVSS Base Score: 5.0

Plugin Information:

Plugin Output:

Port: 443 / tcp / www

• SSLv3 is enabled and the server supports at least one cipher.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Plugin Name: SSL RC4 Cipher Suites Supported (65821)

Synopsis:

The remote service supports the use of the RC4 cipher.

Description:

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also:

http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Solution:

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.

Risk Factor: Medium
CVSS Base Score: 4.3
CVSS Temporal Score: 3.7

References:

bid: http://www.securityfocus.com/bid/58796
bid: http://www.securityfocus.com/bid/73684
osvdb: http://osvdb.org/91162
osvdb: http://osvdb.org/117855
cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2808

Plugin Information:

Plugin Output:

Port: 443 / tcp / www
None

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++