CVE-2018-11409 Nessus Scan Trick modify restmap.co...

kballow · ‎07-28-2021

Hello All,

Nessus keeps throwing the error that "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json" exposes critical information for unauthenticated scans, but it the test is stupid and runs an authenticated scan, therefore it fails since the data will be presented if authenticated.

We need a clean Nessus scan result and I managed to make the following changes to restmap.conf

[admin:server-info]
requireAuthentication = true
acceptFrom = "127.0.0.1"

[admin:server-info-alias]
requireAuthentication = true
acceptFrom = "127.0.0.1"

This basically makes it even if you are authenticated you will get forbidden if you visit "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json".

This works great, but a side effect is that I am unable to view some UI pages like for example the user page anymore. I would have to remove the 127.0.0.1 line to view the UI elements. Anyone know how I can specially block "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json" but not cause other pages like users from being blocked?

This is to just get the nessus scan to pass.

CVE-2018-11409 Nessus Scan Trick modify restmap.conf

authentication

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio