CVE-2018-11409 Nessus Scan Trick modify restmap.co...

kballow · ‎07-28-2021

Hello All,

Nessus keeps throwing the error that "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json" exposes critical information for unauthenticated scans, but it the test is stupid and runs an authenticated scan, therefore it fails since the data will be presented if authenticated.

We need a clean Nessus scan result and I managed to make the following changes to restmap.conf

[admin:server-info]
requireAuthentication = true
acceptFrom = "127.0.0.1"

[admin:server-info-alias]
requireAuthentication = true
acceptFrom = "127.0.0.1"

This basically makes it even if you are authenticated you will get forbidden if you visit "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json".

This works great, but a side effect is that I am unable to view some UI pages like for example the user page anymore. I would have to remove the 127.0.0.1 line to view the UI elements. Anyone know how I can specially block "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json" but not cause other pages like users from being blocked?

This is to just get the nessus scan to pass.

CVE-2018-11409 Nessus Scan Trick modify restmap.conf

authentication

ATTENTION!! We’re MOVING (not really)

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

AppDynamics Summer Webinars

Are you a member of the Splunk Community?

CVE-2018-11409 Nessus Scan Trick modify restmap.conf

authentication

ATTENTION!! We’re MOVING (not really)

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

AppDynamics Summer Webinars