Security

How do I remediate "Nessus ID 42873"?

araitz
Splunk Employee
Splunk Employee

What do I do if a Nessus vulnerability scan reports the "Nessus ID 42873 - SSL Medium Strength Cipher Suites Supported" vulnerability against my Splunk Web TCP port that is configured to use HTTPS?

1 Solution

araitz
Splunk Employee
Splunk Employee

You can set SSLv3 only mode via web.conf, but keep in mind that this may create an issue with legacy systems/browsers attempting to access Splunk Web:

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Webconf

supportSSLV3Only = [True | False]

  • Allow only SSLv3 connections if true
  • NOTE: Enabling this may cause some browsers problems

UPDATE: Splunk 4.3+ supports a cipher list parameter in web.conf that allows you to specify that Splunk Web should only use certain cipher suites:

http://blogs.splunk.com/2012/01/10/splunk4-3-shiny-new-security-features/

View solution in original post

Greg_LeBlanc
Path Finder

You could also you the cipherSuite stanza in conjunction with the supportSSLV3Only stanza.

supportSSLV3Only = true
cipherSuite = ALL:!EXP:!LOW:!ADH:!RC4:!SSLv2

araitz
Splunk Employee
Splunk Employee

You can set SSLv3 only mode via web.conf, but keep in mind that this may create an issue with legacy systems/browsers attempting to access Splunk Web:

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Webconf

supportSSLV3Only = [True | False]

  • Allow only SSLv3 connections if true
  • NOTE: Enabling this may cause some browsers problems

UPDATE: Splunk 4.3+ supports a cipher list parameter in web.conf that allows you to specify that Splunk Web should only use certain cipher suites:

http://blogs.splunk.com/2012/01/10/splunk4-3-shiny-new-security-features/

peter_white
New Member

Did you find an answer to this one I am running into this same issue. I have "supportSSLV3Only = True" turned on but am seeing that same Nessus vulnerability during my scans.

0 Karma

ddholstadz
Explorer

I have set it to sslv3 only, but now I get an error based on key size?

Plugin Output Here is the only medium strength SSL cipher supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...