Security

How do I remediate "Nessus ID 42873"?

araitz
Splunk Employee
Splunk Employee

What do I do if a Nessus vulnerability scan reports the "Nessus ID 42873 - SSL Medium Strength Cipher Suites Supported" vulnerability against my Splunk Web TCP port that is configured to use HTTPS?

1 Solution

araitz
Splunk Employee
Splunk Employee

You can set SSLv3 only mode via web.conf, but keep in mind that this may create an issue with legacy systems/browsers attempting to access Splunk Web:

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Webconf

supportSSLV3Only = [True | False]

  • Allow only SSLv3 connections if true
  • NOTE: Enabling this may cause some browsers problems

UPDATE: Splunk 4.3+ supports a cipher list parameter in web.conf that allows you to specify that Splunk Web should only use certain cipher suites:

http://blogs.splunk.com/2012/01/10/splunk4-3-shiny-new-security-features/

View solution in original post

Greg_LeBlanc
Path Finder

You could also you the cipherSuite stanza in conjunction with the supportSSLV3Only stanza.

supportSSLV3Only = true
cipherSuite = ALL:!EXP:!LOW:!ADH:!RC4:!SSLv2

araitz
Splunk Employee
Splunk Employee

You can set SSLv3 only mode via web.conf, but keep in mind that this may create an issue with legacy systems/browsers attempting to access Splunk Web:

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Webconf

supportSSLV3Only = [True | False]

  • Allow only SSLv3 connections if true
  • NOTE: Enabling this may cause some browsers problems

UPDATE: Splunk 4.3+ supports a cipher list parameter in web.conf that allows you to specify that Splunk Web should only use certain cipher suites:

http://blogs.splunk.com/2012/01/10/splunk4-3-shiny-new-security-features/

peter_white
New Member

Did you find an answer to this one I am running into this same issue. I have "supportSSLV3Only = True" turned on but am seeing that same Nessus vulnerability during my scans.

0 Karma

ddholstadz
Explorer

I have set it to sslv3 only, but now I get an error based on key size?

Plugin Output Here is the only medium strength SSL cipher supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...