Getting Data In
Highlighted

If vulnerability scan reveals that "HTTP OPTIONS Method Enabled" on Universal Forwarders, what should I do?

Champion

A recent vulnerability scan indicated that my Universal Forwarders are subject the vulnerability "HTTP OPTIONS Method Enabled" (on port 8089). What should I do?

0 Karma
Highlighted

Re: If vulnerability scan reveals that "HTTP OPTIONS Method Enabled" on Universal Forwarders, what should I do?

Champion

This alert indicates that the web-server that the Universal Forwarder (UF) uses supports the HTTP method "Options". The "Options" HTTP verb allows people to determine what other HTTP verbs the web-server supports. Support for the "Options" method alone isn't going to facilitate a compromise the web-server. Rather, this HTTP method could be used by attackers to find out what other HTTP methods are supported which could give them some clues on other places to look for potential security vulnerabilities.

See https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006) for more in-depth write-up.

Can I disable this method in Splunk?
You can most likely block this port on Universal Forwarders; they don't likely need to open. This would reduce risk much more than just blocking one HTTP method.

There are apps that do this too:
- https://github.com/georgestarcher/UF-TA-killrest
- https://splunkbase.splunk.com/app/3246/

You could also have the UF bind to 127.0.0.1 which would prevent remote access to this port. Below is a snippet for server.conf that would bind to localhost:

# By default a universal forwarder binds to all interfaces
# This is a problem as it can be manipulated via REST or
# triggers vulnerablity scanners because of the self-signed certs.
[httpServer]
disableDefaultPort = true

[httpServerListener:127.0.0.1:8089]
ssl=true

Otherwise, I have a hard time getting too excited about this one method. It seems to me that an attacker could just an easily try all HTTP methods to see which ones respond; thus blocking this one method seems unlikely to reduce risk much.

That said, preventing access entirely to port 8089 on UF's would be a good idea since it would reduce attack surface far more than just blocking one HTTP option.

View solution in original post