Getting Data In

If vulnerability scan reveals that "HTTP OPTIONS Method Enabled" on Universal Forwarders, what should I do?

LukeMurphey
Champion

A recent vulnerability scan indicated that my Universal Forwarders are subject the vulnerability "HTTP OPTIONS Method Enabled" (on port 8089). What should I do?

0 Karma
1 Solution

LukeMurphey
Champion

This alert indicates that the web-server that the Universal Forwarder (UF) uses supports the HTTP method "Options". The "Options" HTTP verb allows people to determine what other HTTP verbs the web-server supports. Support for the "Options" method alone isn't going to facilitate a compromise the web-server. Rather, this HTTP method could be used by attackers to find out what other HTTP methods are supported which could give them some clues on other places to look for potential security vulnerabilities.

See https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006) for more in-depth write-up.

Can I disable this method in Splunk?
You can most likely block this port on Universal Forwarders; they don't likely need to open. This would reduce risk much more than just blocking one HTTP method.

There are apps that do this too:
- https://github.com/georgestarcher/UF-TA-killrest
- https://splunkbase.splunk.com/app/3246/

You could also have the UF bind to 127.0.0.1 which would prevent remote access to this port. Below is a snippet for server.conf that would bind to localhost:

# By default a universal forwarder binds to all interfaces
# This is a problem as it can be manipulated via REST or
# triggers vulnerablity scanners because of the self-signed certs.
[httpServer]
disableDefaultPort = true

[httpServerListener:127.0.0.1:8089]
ssl=true

Otherwise, I have a hard time getting too excited about this one method. It seems to me that an attacker could just an easily try all HTTP methods to see which ones respond; thus blocking this one method seems unlikely to reduce risk much.

That said, preventing access entirely to port 8089 on UF's would be a good idea since it would reduce attack surface far more than just blocking one HTTP option.

View solution in original post

LukeMurphey
Champion

This alert indicates that the web-server that the Universal Forwarder (UF) uses supports the HTTP method "Options". The "Options" HTTP verb allows people to determine what other HTTP verbs the web-server supports. Support for the "Options" method alone isn't going to facilitate a compromise the web-server. Rather, this HTTP method could be used by attackers to find out what other HTTP methods are supported which could give them some clues on other places to look for potential security vulnerabilities.

See https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006) for more in-depth write-up.

Can I disable this method in Splunk?
You can most likely block this port on Universal Forwarders; they don't likely need to open. This would reduce risk much more than just blocking one HTTP method.

There are apps that do this too:
- https://github.com/georgestarcher/UF-TA-killrest
- https://splunkbase.splunk.com/app/3246/

You could also have the UF bind to 127.0.0.1 which would prevent remote access to this port. Below is a snippet for server.conf that would bind to localhost:

# By default a universal forwarder binds to all interfaces
# This is a problem as it can be manipulated via REST or
# triggers vulnerablity scanners because of the self-signed certs.
[httpServer]
disableDefaultPort = true

[httpServerListener:127.0.0.1:8089]
ssl=true

Otherwise, I have a hard time getting too excited about this one method. It seems to me that an attacker could just an easily try all HTTP methods to see which ones respond; thus blocking this one method seems unlikely to reduce risk much.

That said, preventing access entirely to port 8089 on UF's would be a good idea since it would reduce attack surface far more than just blocking one HTTP option.

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...