Fixes For Vulnerabilities Found When Using Greenbone OpenVAS
The following are quick notes on fixes for vulnerabilities that OpenVAS may report when running a penetration test.
Most of these notes are written for Linux, some have notes on how they apply to other systems.
SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exist only on HTTPS services.
Linux
Edit the ssl.conf file and set the following two values:
SSLProtocol -ALL TLSv1.2
SSLCipherSuite !ADH:!aNULL:!MD5:!RC4:HIGH
TCP time stamps
It was detected that the host implements RFC1323.
Linux
echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf
sysctl -p /etc/sysctl.d/tcp_timestamps.conf
SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
Set the SSLProtocol value as follows in the ssl.conf file and add it to every virtual host as well (if you are not sure where it goes, add the line right after “SSLEngine on”):
SSLProtocol -ALL TLSv1.2
HTTP Debugging Methods (TRACE/TRACK) Enabled
Add the line
TraceEnable Off
to the end of the /etc/httpd/conf/httpd.conf file.
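The three Apache settings above (SSLProtocol, SSLCipherSuite and TraceEnable) are easy to get wrong in a config with several virtual hosts, because a later directive silently overrides an earlier one. The following script is an added example, not part of the original notes or of Apache itself: it audits a config file for those three directives and reports which ones still need fixing. The sample config files it creates are constructed for the demonstration; point it at your own ssl.conf, httpd.conf and every virtual-host file when using it for real.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an Apache config file for
# the three directives discussed above. Sample files are constructed below.

# Print the value of the LAST occurrence of a directive (in Apache a later
# directive overrides an earlier one), skipping commented-out lines.
# Usage: directive_value FILE DIRECTIVE
directive_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]" "$1" \
        | tail -n 1 \
        | awk '{ $1 = ""; sub(/^ /, ""); print }'
}

# Returns 0 when SSLProtocol starts with -ALL and does not re-enable
# SSLv2, SSLv3, TLSv1.0 or TLSv1.1.
check_ssl_protocol() {
    proto=$(directive_value "$1" SSLProtocol | tr 'A-Z' 'a-z')
    case "$proto" in -all*) ;; *) return 1 ;; esac
    for tok in $proto; do
        case "${tok#+}" in sslv2|sslv3|tlsv1|tlsv1.1) return 1 ;; esac
    done
    return 0
}

# Returns 0 when SSLCipherSuite explicitly excludes ADH, aNULL, MD5 and RC4.
check_cipher_suite() {
    suite=$(directive_value "$1" SSLCipherSuite | tr 'A-Z' 'a-z')
    [ -n "$suite" ] || return 1
    for excl in '!adh' '!anull' '!md5' '!rc4'; do
        case ":$suite:" in *":$excl:"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Returns 0 when TraceEnable is explicitly Off (Apache's default is On).
check_trace_disabled() {
    val=$(directive_value "$1" TraceEnable | tr 'A-Z' 'a-z')
    [ "$val" = "off" ]
}

# Run all checks on one file; prints one line per check and returns the
# number of failed checks (0 means the file matches the fixes above).
audit_apache_conf() {
    failures=0
    for chk in check_ssl_protocol check_cipher_suite check_trace_disabled; do
        if "$chk" "$1"; then
            echo "ok    $chk  $1"
        else
            echo "FAIL  $chk  $1"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample files: one hardened as the notes describe, one with
# typical out-of-the-box settings (including a commented-out fix).
WORK=$(mktemp -d)
GOOD_CONF="$WORK/ssl-hardened.conf"
BAD_CONF="$WORK/ssl-default.conf"
cat > "$GOOD_CONF" <<'EOF'
SSLEngine on
SSLProtocol -ALL TLSv1.2
SSLCipherSuite !ADH:!aNULL:!MD5:!RC4:HIGH
TraceEnable Off
EOF
cat > "$BAD_CONF" <<'EOF'
SSLEngine on
# SSLProtocol -ALL TLSv1.2   (commented out, so not in effect)
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
EOF

audit_apache_conf "$GOOD_CONF"
audit_apache_conf "$BAD_CONF"
```

The audit reads only the file it is given, so run it against each included file separately; after editing, `apachectl configtest` followed by a restart is still needed before a rescan shows the findings cleared.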
SSH Weak Encryption Algorithms Supported
For Linux, add the following line to the /etc/ssh/sshd_config file:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
If the target device is a Cisco ASA, add the following to the config:
ssh cipher encryption custom aes128-ctr:aes256-ctr
ssh key-exchange group dh-group14-sha1
ssh version 2
SSH Weak MAC Algorithms Supported
For Linux – add the following to /etc/ssh/sshd_config:
MACs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
For a Cisco ASA, add the following to the config:
ssh cipher integrity high
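For the two SSH findings above (weak ciphers and weak MACs), the script below is an added example, not part of the original notes or of OpenSSH: it checks an sshd_config file for an explicit Ciphers and MACs list and flags CBC-mode and legacy ciphers and MD5-based or 96-bit MACs. Note that sshd uses the first occurrence of a keyword, so a Ciphers line appended at the end of a file that already has one earlier has no effect; the constructed "default" sample shows that case. The sample files and the weak-algorithm patterns are assumptions of this example; run it against /etc/ssh/sshd_config on a real host.

```shell
#!/bin/sh
# Added example (not from the original notes): check an sshd_config file for
# the weak cipher and MAC algorithms the two SSH findings refer to.

# Print the effective value of an sshd_config keyword. Unlike Apache, sshd
# uses the FIRST occurrence of a keyword, so take the first match.
# Usage: sshd_value FILE KEYWORD
sshd_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]" "$1" \
        | head -n 1 \
        | awk '{ $1 = ""; sub(/^ /, ""); print }'
}

# Print each entry of a comma-separated algorithm list matching a regex.
# Usage: weak_algos "aes128-cbc,aes256-ctr" "cbc|arcfour"
weak_algos() {
    echo "$1" | tr ',' '\n' | grep -Ei "$2" || true
}

# Assumed patterns for what scanners usually report: CBC-mode and legacy
# ciphers, and MD5-based or 96-bit-truncated MACs.
WEAK_CIPHER_RE='cbc|arcfour|3des|blowfish|cast128'
WEAK_MAC_RE='md5|-96'

# Returns 0 when the file sets an explicit list with no weak entry; 1 when
# the list is missing (server defaults apply, which cannot be judged from
# the file alone) or contains a weak entry. Usage: check_list FILE KEYWORD REGEX
check_list() {
    list=$(sshd_value "$1" "$2")
    if [ -z "$list" ]; then
        echo "FAIL  $2 not set explicitly in $1"
        return 1
    fi
    found=$(weak_algos "$list" "$3")
    if [ -n "$found" ]; then
        echo "FAIL  $2 in $1 allows: $(echo "$found" | tr '\n' ' ')"
        return 1
    fi
    echo "ok    $2 in $1: $list"
    return 0
}

# Check both lists; returns the number of failed checks (0 = clean).
audit_sshd_config() {
    failures=0
    check_list "$1" Ciphers "$WEAK_CIPHER_RE" || failures=$((failures + 1))
    check_list "$1" MACs "$WEAK_MAC_RE" || failures=$((failures + 1))
    return "$failures"
}

# Constructed sample files: the hardened one uses the lists from the notes;
# the default one keeps weak algorithms and shows the first-line-wins pitfall.
WORK=$(mktemp -d)
GOOD_SSHD="$WORK/sshd_config.hardened"
BAD_SSHD="$WORK/sshd_config.default"
cat > "$GOOD_SSHD" <<'EOF'
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
EOF
cat > "$BAD_SSHD" <<'EOF'
Port 22
Ciphers aes128-cbc,3des-cbc,aes128-ctr,arcfour
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
# Appended later, but sshd keeps the FIRST Ciphers line above:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
EOF

audit_sshd_config "$GOOD_SSHD"
audit_sshd_config "$BAD_SSHD"
```

After changing the file, restart sshd and confirm the result from the outside with the nmap command given in the notes below; the file check alone cannot see what a server falls back to when no list is set.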
Additional notes:
You can also remotely probe an SSH server for its supported ciphers with recent nmap versions using the command:
nmap --script ssh2-enum-algos -sV -p <port> <host>