Getting Data In

If vulnerability scan reveals that "HTTP OPTIONS Method Enabled" on Universal Forwarders, what should I do?

LukeMurphey
Champion

A recent vulnerability scan indicated that my Universal Forwarders are subject the vulnerability "HTTP OPTIONS Method Enabled" (on port 8089). What should I do?

0 Karma
1 Solution

LukeMurphey
Champion

This alert indicates that the web-server that the Universal Forwarder (UF) uses supports the HTTP method "Options". The "Options" HTTP verb allows people to determine what other HTTP verbs the web-server supports. Support for the "Options" method alone isn't going to facilitate a compromise the web-server. Rather, this HTTP method could be used by attackers to find out what other HTTP methods are supported which could give them some clues on other places to look for potential security vulnerabilities.

See https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006) for more in-depth write-up.

Can I disable this method in Splunk?
You can most likely block this port on Universal Forwarders; they don't likely need to open. This would reduce risk much more than just blocking one HTTP method.

There are apps that do this too:
- https://github.com/georgestarcher/UF-TA-killrest
- https://splunkbase.splunk.com/app/3246/

You could also have the UF bind to 127.0.0.1 which would prevent remote access to this port. Below is a snippet for server.conf that would bind to localhost:

# By default a universal forwarder binds to all interfaces
# This is a problem as it can be manipulated via REST or
# triggers vulnerablity scanners because of the self-signed certs.
[httpServer]
disableDefaultPort = true

[httpServerListener:127.0.0.1:8089]
ssl=true

Otherwise, I have a hard time getting too excited about this one method. It seems to me that an attacker could just an easily try all HTTP methods to see which ones respond; thus blocking this one method seems unlikely to reduce risk much.

That said, preventing access entirely to port 8089 on UF's would be a good idea since it would reduce attack surface far more than just blocking one HTTP option.

View solution in original post

LukeMurphey
Champion

This alert indicates that the web-server that the Universal Forwarder (UF) uses supports the HTTP method "Options". The "Options" HTTP verb allows people to determine what other HTTP verbs the web-server supports. Support for the "Options" method alone isn't going to facilitate a compromise the web-server. Rather, this HTTP method could be used by attackers to find out what other HTTP methods are supported which could give them some clues on other places to look for potential security vulnerabilities.

See https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006) for more in-depth write-up.

Can I disable this method in Splunk?
You can most likely block this port on Universal Forwarders; they don't likely need to open. This would reduce risk much more than just blocking one HTTP method.

There are apps that do this too:
- https://github.com/georgestarcher/UF-TA-killrest
- https://splunkbase.splunk.com/app/3246/

You could also have the UF bind to 127.0.0.1 which would prevent remote access to this port. Below is a snippet for server.conf that would bind to localhost:

# By default a universal forwarder binds to all interfaces
# This is a problem as it can be manipulated via REST or
# triggers vulnerablity scanners because of the self-signed certs.
[httpServer]
disableDefaultPort = true

[httpServerListener:127.0.0.1:8089]
ssl=true

Otherwise, I have a hard time getting too excited about this one method. It seems to me that an attacker could just an easily try all HTTP methods to see which ones respond; thus blocking this one method seems unlikely to reduce risk much.

That said, preventing access entirely to port 8089 on UF's would be a good idea since it would reduce attack surface far more than just blocking one HTTP option.

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...