Security

Is anyone interested in closing the security holes that Splunk leaves open with mongod ?

Splunk 6.4.2 (and back to 6.2.1) has the following issues:

  1. "[sslConfig]" stanza with parameter setting "enableSplunkdSSL = true" is ignored by mongod and sets Mongod parameter "sslMode" to "preferSSL" instead of "requireSSL".
  2. "[sslConfig]" stanza, with parameter setting "cipherSuite" is ignored for the Mongod parameter "sslCipherConfig".
  3. Mongod parameter "sslDisabledProtocols" should be set to the INVERSE of the value in $SPLUNK_HOME/etc/system/local/server.conf, "[sslConfig]" stanza, setting "sslVersions" when set. This is currently ignored.
  4. The Splunk OpenSSL Libraries should be built with the macro OPENSSL_NO_COMP to eliminate the CRIME vulnerability in OpenSSL. This as mongod has no provision to explicitly disable compression.

Without the above, Nessus flags the Mongod port with:

NESSUS FINDING #1:

Plugin Plugin Name Severity IP Address Port DNS Name
20007 SSL Version 2 and 3 Protocol Detection Medium xxx.xxx.xxx.xxx 8191 Hostname

Plugin Text:
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.

Description: The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0, which reportedly suffer from several cryptographic flaws. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

NIST has determined SSL v3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.

Solution: Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.0 or higher instead.

Risk Factor: Medium

CVSS Base Score: 5.0

CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Plugin Output:
- SSLv3 is enabled, and the server supports at least one cipher.

Plugin Publication Date: 2005/10/12

Plugin Modification Date: 2015/03/02

Plugin Type: remote

Source File: ssl_deprecated.nasl

NESSUS FINDING #2:

Plugin Plugin Name Severity IP Address Port DNS Name
62565 Transport Layer Security (TLS) Protocol Medium xxx.xxx.xxx.xxx 8191 Hostname
CRIME Vulnerability

Plugin Text:
Synopsis: The remote service has a configuration that may make it vulnerable to the CRIME attack.

Description: The remote service has one of two configurations that are known to be required for the CRIME attack :

  • SSL / TLS compression is enabled.
  • TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

Solution: Disable compression and / or the SPDY service.

Risk Factor: Medium

CVSS Base Score: 4.3

CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Temporal Score: 3.7

CVSS Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Plugin Output:
The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :

  • SSL / TLS compression is enabled.

CVE: CVE-2012-4929, CVE-2012-4930

BID: 55704, 55707

Crossref: OSVDB #85926, OSVDB #85927

Vulnerability Publication Date: 2012/09/15

Plugin Publication Date: 2012/10/16

Plugin Modification Date: 2014/09/26

Exploit Available: true

Exploitability Ease: Exploits are available

Plugin Type: remote

Source File: ssl_crime.nasl

Builder

Have you filed a ticket with Splunk Support? This seems like it would be the best route to getting this into a bug for development in addition to perhaps getting a work around for securing your system.

Splunk Case: 228753 - Date/Time Opened: 3/27/2015 7:09 AM.

Not much movement on this so I thought I would try the "public".

0 Karma

Builder

wow, that's concerning... 1+ yrs and no response on a security related topic. I have a pending one like that with no movement, but it's not security related.

0 Karma

New Member

Any update on this? We are looking to fix this vulnerability as well.

0 Karma