2014 and 2015 have been years full of discoveries of cryptographic and algorithmic vulnerabilities, starting with Heartbleed and followed by POODLE and several others. These vulnerabilities pushed many administrators to patch their web servers, disable vulnerable protocols (SSLv2, SSLv3 and even TLS 1.0) and drop cipher suites containing weak algorithms (RC4, SHA1, MD5 and others).

ArcSight systems, which are administered over web interfaces, are also subject to these vulnerabilities and the attacks built on them. The Apache web server hosting the Logger and Management Center interfaces should therefore be configured to eliminate the cryptographic algorithm and protocol threats.
First of all, to learn the current status of the web server, we run the sslscan application with the given parameters.
From this output we can see that the SSLv2 and SSLv3 protocols are already disabled, but cipher suites using RC4, DES and Diffie-Hellman are still accepted.
In order to force the web server to use secure algorithms and protocols, we will modify the Apache configuration file httpd.conf under the <LOGGER_INSTALLATION_DIRECTORY>/local/apache/conf directory, which in my own installation is /opt/arcsight/current/local/apache/conf/. It is wise to take a backup of the httpd.conf file before making any changes:

# cp httpd.conf httpd.conf.backup
Then we edit this file with a text editor such as nano or vi, modify the lines starting with SSLProtocol and SSLCipherSuite as follows, and save the file.

SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite !RC4:!DH:!MD5:!aNULL:!eNULL:!MEDIUM:!LOW:HIGH
After this operation, for the changes to become active, we restart the Logger services under the <LOGGER_INSTALLATION_DIRECTORY>/arcsight/logger/bin directory with the ./loggerd restart command.

When we recheck with sslscan, we see that the vulnerable options are no longer supported.
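The procedure above, as an added example that is not code from the original post or from ArcSight: a POSIX shell script that backs up an httpd.conf, rewrites its SSLProtocol and SSLCipherSuite lines to the values given in the post, and audits a configuration file for the weak settings the post removes (SSLv2/SSLv3 left enabled, RC4, MD5, DES, export, anonymous or null, LOW and MEDIUM cipher tokens). The file path is supplied by the caller; the httpd.conf at the bottom is a constructed sample, not a real Logger file. Restarting Logger with ./loggerd restart and the sslscan recheck remain the manual steps described in the post.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's two Apache
# directives to an httpd.conf after taking a backup, and audit a config for
# the weak settings the post removes. The path is passed by the caller; on
# Logger it would be <LOGGER_INSTALLATION_DIRECTORY>/local/apache/conf/httpd.conf.

SSL_PROTOCOL='ALL -SSLv2 -SSLv3'
SSL_CIPHERSUITE='!RC4:!DH:!MD5:!aNULL:!eNULL:!MEDIUM:!LOW:HIGH'

# harden_httpd_conf FILE
# Copies FILE to FILE.backup (as the post does with cp), then rewrites every
# active SSLProtocol and SSLCipherSuite line to the post's values. Anchoring
# the match at the start of the line leaves commented-out examples alone.
harden_httpd_conf() {
    conf="$1"
    cp "$conf" "$conf.backup" || return 1
    # POSIX sed has no in-place option: read the backup, write a temp file, swap it in.
    sed -e "s|^[[:space:]]*SSLProtocol[[:space:]].*|SSLProtocol $SSL_PROTOCOL|" \
        -e "s|^[[:space:]]*SSLCipherSuite[[:space:]].*|SSLCipherSuite $SSL_CIPHERSUITE|" \
        "$conf.backup" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# audit_httpd_conf FILE
# Prints one FINDING line per weak setting and returns 1 if any was found:
# an SSLProtocol that leaves SSLv2/SSLv3 enabled (ALL without -SSLv2/-SSLv3,
# or an explicit SSLv2/SSLv3 token) or an SSLCipherSuite that enables RC4,
# MD5, DES, export, anonymous/null or LOW/MEDIUM suites.
audit_httpd_conf() {
    awk '
    function bad(msg) { print "FINDING: line " NR ": " msg; rc = 1 }
    BEGIN { rc = 0 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blanks
    $1 == "SSLProtocol" {
        low = tolower($0)
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "all") {
                if (low !~ /-sslv2/) bad("SSLProtocol ALL does not subtract SSLv2")
                if (low !~ /-sslv3/) bad("SSLProtocol ALL does not subtract SSLv3")
            } else if (t == "sslv2" || t == "+sslv2") {
                bad("SSLProtocol enables SSLv2")
            } else if (t == "sslv3" || t == "+sslv3") {
                bad("SSLProtocol enables SSLv3")
            }
        }
    }
    $1 == "SSLCipherSuite" {
        n = split($NF, tok, ":")           # the cipher spec is the last argument
        for (i = 1; i <= n; i++) {
            t = toupper(tok[i])
            if (t ~ /^[!-]/) continue      # exclusions such as !RC4 are the fix, not a finding
            sub(/^\+/, "", t)
            if (t ~ /RC4|MD5|DES|EXP|NULL|LOW|MEDIUM/) bad("SSLCipherSuite enables weak token " tok[i])
        }
    }
    END { exit rc }' "$1"
}

# Demonstration on a constructed sample (not a real Logger httpd.conf).
demo_dir=$(mktemp -d)
cat > "$demo_dir/httpd.conf" <<'EOF'
Listen 443
SSLEngine on
SSLProtocol ALL
SSLCipherSuite RC4-SHA:DES-CBC3-SHA:HIGH:MEDIUM
#SSLProtocol TLSv1.2
EOF
echo "== before =="
audit_httpd_conf "$demo_dir/httpd.conf" || echo "weak settings present, hardening"
harden_httpd_conf "$demo_dir/httpd.conf"
echo "== after =="
audit_httpd_conf "$demo_dir/httpd.conf" && grep -E '^SSL(Protocol|CipherSuite)' "$demo_dir/httpd.conf"
rm -rf "$demo_dir"
```

The audit only reads what Apache has been told; the sslscan recheck the post ends with is what confirms the running service after the restart. One caveat worth keeping in mind about the post's values: SSLProtocol ALL -SSLv2 -SSLv3 still leaves TLS 1.0 and 1.1 enabled, the protocols the introduction mentions many administrators have also disabled. Whether to subtract those as well depends on which ArcSight components and browsers still need to connect to the interface.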