Re: [Openvas-discuss] Vulnerabilities OpenVAS
On Tuesday, 20 October 2015, Reindl Harald wrote:
> On 20.10.2015 at 14:15, Eero Volotinen wrote:
>> You need to configure gnutls-priority string for each daemon, now you
>> just configured it for gsad (greenbone security assistant)
>
> the main question remains why a vulnerability scanner complaining about
> other services not at least starts with secure defaults itself without
> user intervention

The local TLS installation defines the default regarded as secure. Overriding it by default by an application just creates other types of unwanted/surprising circumstances. For example, a system or a system administrator might have decided to define an even stricter global /etc/gnutls/default-priorities. Then OpenVAS might silently downgrade the chosen security level if we set it to some value.

I agree that either way (not using system default by default and using system default by default) shows disadvantages. But calling it "pervert" because we honor system default by default seems inadequate to me.

--
Dr. Jan-Oliver Wagner | +49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Vulnerabilities OpenVAS
On 22.10.2015 at 09:58, Jan-Oliver Wagner wrote:
> On Tuesday, 20 October 2015, Reindl Harald wrote:
>> On 20.10.2015 at 14:15, Eero Volotinen wrote:
>>> You need to configure gnutls-priority string for each daemon, now you
>>> just configured it for gsad (greenbone security assistant)
>>
>> the main question remains why a vulnerability scanner complaining about
>> other services not at least starts with secure defaults itself without
>> user intervention
>
> The local TLS installation defines the default regarded as secure.
> Overriding it by default by an application just creates other types of
> unwanted/surprising circumstances. For example, a system or a system
> administrator might have decided to define an even stricter global
> /etc/gnutls/default-priorities. Then OpenVAS might silently downgrade the
> chosen security level if we set it to some value.
>
> I agree that either way (not using system default by default and using
> system default by default) shows disadvantages. But calling it "pervert"
> because we honor system default by default seems inadequate to me

system TLS defaults are mostly to never up-to-date and hence anybody who
does not properly configure a webserver and verify it against
https://www.ssllabs.com/ssltest/ is doing things wrong

that's fine for a hobby administrator but not for a piece of software
having the same goal as ssllabs

eat your own dogfood!

that something is going wrong in that context also showed last year: many
months after heartbleed www.openvas.org was still vulnerable and the excuse
was "some hobby administrator donated the hosting" which is no excuse at
all - frankly i expect at least own domains are audited by the developers
as well as their own software

here you go as example with a httpd and RSA certificates

SSLProtocol All -SSLv2 -SSLv3
SSLFIPS Off
SSLCompression Off
SSLInsecureRenegotiation Off
SSLSessionTickets Off
SSLVerifyClient none
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
Re: [Openvas-discuss] Vulnerabilities OpenVAS
Thanks Chris,

So, I need to:

vi /usr/lib/systemd/system/openvas-scanner.service

insert
"--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0""
this line at the end of the file?

The same for /usr/lib/systemd/system/openvas-manager.service ?

Diego

> From: fisch@gmx.de
> To: openvas-discuss@wald.intevation.org
> Date: Tue, 20 Oct 2015 14:13:38 +0200
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>
> Hi,
>
>> gsad --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
>>
>> restarted openvas-manager, openvas-scanner, gsad
>>
>> Started scan against localhost and the same results:
>
> you also need to add this gnutls-priorities to the openvas-manager
> (openvasmd) and openvas-scanner (openvassd) startup.
Re: [Openvas-discuss] Vulnerabilities OpenVAS
You need to configure gnutls-priority string for each daemon, now you just
configured it for gsad (greenbone security assistant)

--
Eero

2015-10-20 15:07 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
> Hello,
>
> I used this command:
>
> gsad --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
>
> restarted openvas-manager, openvas-scanner, gsad
>
> Started scan against localhost and the same results:
>
> Check for SSL Weak Ciphers - tcp/9390 (6017/openvasmd)
> Deprecated SSLv2 and SSLv3 Protocol Detection - tcp/9390 (6017/openvasmd)
> POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability - tcp/9390 (6017/openvasmd)
>
> In the /var/log/openvas/gsad.log I see this message (not sure if it is
> because of my changes above)
>
> gsad main:WARNING:2015-10-20 09h55.07 BRST:6029: MHD: Failed to receive data: The TLS connection was non-properly terminated.
> gsad main:WARNING:2015-10-20 09h55.07 BRST:6029: MHD: Failed to receive data: The TLS connection was non-properly terminated.
> gsad main:WARNING:2015-10-20 09h55.48 BRST:6029: MHD: Error: received handshake message out of context
>
> --
> Date: Mon, 19 Oct 2015 01:39:10 +0300
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
> From: eero.voloti...@iki.fi
> To: diego_...@hotmail.com
> CC: openvas-discuss@wald.intevation.org
>
> You need to install centos 7 to get openvas 8. Centos 6 is not supported
> due to too old library version(s).
>
> I think openvas 7 also supports gnu priority strings, but it is always
> wise to update to the latest version.
>
> --
> Eero
>
> 2015-10-19 1:36 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
>> Thanks Eero,
>>
>> So, can I understand that I am running openvas 7?
>>
>> And I understand that atomic team did not release openvas 8, because I did
>> not find any update yet.
>>
>> So, I need to wait for version 8 from atomic corp and use gnutls? I will
>> need to study how to do it.
>>
>> Thanks,
>>
>> Diego
>>
>> --
>> Date: Mon, 19 Oct 2015 01:32:48 +0300
>> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>> From: eero.voloti...@iki.fi
>> To: diego_...@hotmail.com
>> CC: openvas-discuss@wald.intevation.org
>>
>> well. update to openvas 8 and then use gnutls priority strings to change
>> ssl cipher settings..
>>
>> Eero
>>
>> 2015-10-19 1:28 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
>>> Hello,
>>>
>>> I ran against localhost and I found those Vulnerabilities for tcp/9390
>>> (openvasmd)
>>>
>>> - POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability
>>> - Deprecated SSLv2 and SSLv3 Protocol Detection
>>> - Check for SSL Weak Ciphers
>>>
>>> My version is:
>>> rpm -qa |grep -i openvas
>>> openvas-manager-5.0.9-28.el6.art.x86_64
>>> openvas-scanner-4.0.6-19.el6.art.x86_64
>>> openvas-libraries-7.0.9-18.el6.art.x86_64
>>> openvas-1.0-17.el6.art.noarch
>>> openvas-cli-1.3.1-6.el6.art.x86_64
>>>
>>> How should we fix those 3 vulnerabilities?
>>>
>>> Thanks,
>>>
>>> Diego
Re: [Openvas-discuss] Vulnerabilities OpenVAS
Eero, did you already do it?

Sorry but, do you mean that I need to run like this?

openvasmd --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
openvassd --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

Thanks,

Diego

> Date: Tue, 20 Oct 2015 15:15:14 +0300
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
> From: eero.voloti...@iki.fi
> To: diego_...@hotmail.com
> CC: openvas-discuss@wald.intevation.org
>
> You need to configure gnutls-priority string for each daemon, now you
> just configured it for gsad (greenbone security assistant)
>
> --Eero
>
> 2015-10-20 15:07 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
>> Hello,
>>
>> I used this command:
>>
>> gsad --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
>>
>> restarted openvas-manager, openvas-scanner, gsad
>>
>> Started scan against localhost and the same results:
>>
>> Check for SSL Weak Ciphers - tcp/9390 (6017/openvasmd)
>> Deprecated SSLv2 and SSLv3 Protocol Detection - tcp/9390 (6017/openvasmd)
>> POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability - tcp/9390 (6017/openvasmd)
>>
>> In the /var/log/openvas/gsad.log I see this message (not sure if it is
>> because of my changes above)
>>
>> gsad main:WARNING:2015-10-20 09h55.07 BRST:6029: MHD: Failed to receive data: The TLS connection was non-properly terminated.
>> gsad main:WARNING:2015-10-20 09h55.07 BRST:6029: MHD: Failed to receive data: The TLS connection was non-properly terminated.
>> gsad main:WARNING:2015-10-20 09h55.48 BRST:6029: MHD: Error: received handshake message out of context
>>
>> Date: Mon, 19 Oct 2015 01:39:10 +0300
>> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>> From: eero.voloti...@iki.fi
>> To: diego_...@hotmail.com
>> CC: openvas-discuss@wald.intevation.org
>>
>> You need to install centos 7 to get openvas 8. Centos 6 is not supported
>> due to too old library version(s).
>>
>> I think openvas 7 also supports gnu priority strings, but it is always
>> wise to update to the latest version.
>>
>> --Eero
>>
>> 2015-10-19 1:36 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
>>> Thanks Eero,
>>>
>>> So, can I understand that I am running openvas 7?
>>>
>>> And I understand that atomic team did not release openvas 8, because I
>>> did not find any update yet.
>>>
>>> So, I need to wait for version 8 from atomic corp and use gnutls? I will
>>> need to study how to do it.
>>>
>>> Thanks,
>>>
>>> Diego
>>>
>>> Date: Mon, 19 Oct 2015 01:32:48 +0300
>>> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>>> From: eero.voloti...@iki.fi
>>> To: diego_...@hotmail.com
>>> CC: openvas-discuss@wald.intevation.org
>>>
>>> well. update to openvas 8 and then use gnutls priority strings to
>>> change ssl cipher settings..
>>>
>>> Eero
>>>
>>> 2015-10-19 1:28 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
>>>> Hello,
>>>>
>>>> I ran against localhost and I found those Vulnerabilities for tcp/9390
>>>> (openvasmd)
>>>>
>>>> - POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability
>>>> - Deprecated SSLv2 and SSLv3 Protocol Detection
>>>> - Check for SSL Weak Ciphers
>>>>
>>>> My version is:
>>>> rpm -qa |grep -i openvas
>>>> openvas-manager-5.0.9-28.el6.art.x86_64
>>>> openvas-scanner-4.0.6-19.el6.art.x86_64
>>>> openvas-libraries-7.0.9-18.el6.art.x86_64
>>>> openvas-1.0-17.el6.art.noarch
>>>> openvas-cli-1.3.1-6.el6.art.x86_64
>>>>
>>>> How should we fix those 3 vulnerabilities?
>>>>
>>>> Thanks,
>>>>
>>>> Diego
Re: [Openvas-discuss] Vulnerabilities OpenVAS
On 20.10.2015 at 14:15, Eero Volotinen wrote:
> You need to configure gnutls-priority string for each daemon, now you
> just configured it for gsad (greenbone security assistant)

the main question remains why a vulnerability scanner complaining about
other services not at least starts with secure defaults itself without
user intervention
Re: [Openvas-discuss] Vulnerabilities OpenVAS
Right, why is there no step by step to fix it? Of course, everybody wants no vulnerability in their scanner, right? And it is very confusing to apply those fixes.

Now, I am not sure if just running:

gsad --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

is enough for gsad. Should I insert it in the systemd as well?

Diego

> Date: Tue, 20 Oct 2015 15:31:38 +0300
> From: eero.voloti...@iki.fi
> To: h.rei...@thelounge.net
> CC: openvas-discuss@wald.intevation.org
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>
> Yes, It should enable only tlsv1.2 on default settings, if possible :)
>
> --Eero
>
> 2015-10-20 15:29 GMT+03:00 Reindl Harald <h.rei...@thelounge.net>:
>> On 20.10.2015 at 14:15, Eero Volotinen wrote:
>>> You need to configure gnutls-priority string for each daemon, now you
>>> just configured it for gsad (greenbone security assistant)
>>
>> the main question remains why a vulnerability scanner complaining about
>> other services not at least starts with secure defaults itself without
>> user intervention
Re: [Openvas-discuss] Vulnerabilities OpenVAS
Hi,

> gsad --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
>
> restarted openvas-manager, openvas-scanner, gsad
>
> Started scan against localhost and the same results:

you also need to add this gnutls-priorities to the openvas-manager
(openvasmd) and openvas-scanner (openvassd) startup.
Re: [Openvas-discuss] Vulnerabilities OpenVAS
and also remember to issue daemon reload to systemd to get modified
startup-script changes to take effect.

--
Eero

2015-10-20 15:13 GMT+03:00 Chris:
> Hi,
>
>> gsad --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
>>
>> restarted openvas-manager, openvas-scanner, gsad
>>
>> Started scan against localhost and the same results:
>
> you also need to add this gnutls-priorities to the openvas-manager
> (openvasmd) and openvas-scanner (openvassd) startup.
Re: [Openvas-discuss] Vulnerabilities OpenVAS
Yes, It should enable only tlsv1.2 on default settings, if possible :)

--
Eero

2015-10-20 15:29 GMT+03:00 Reindl Harald:
> On 20.10.2015 at 14:15, Eero Volotinen wrote:
>> You need to configure gnutls-priority string for each daemon, now you
>> just configured it for gsad (greenbone security assistant)
>
> the main question remains why a vulnerability scanner complaining about
> other services not at least starts with secure defaults itself without
> user intervention
Re: [Openvas-discuss] Vulnerabilities OpenVAS
Something like that, but should enable only TLSv1.2 for best security.

--
Eero

2015-10-20 15:30 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
> Thanks Chris,
>
> So, I need to:
>
> vi /usr/lib/systemd/system/openvas-scanner.service
>
> insert
> "--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0""
> this line at the end of the file?
>
> The same for /usr/lib/systemd/system/openvas-manager.service ?
>
> Diego
>
>> From: fisch@gmx.de
>> To: openvas-discuss@wald.intevation.org
>> Date: Tue, 20 Oct 2015 14:13:38 +0200
>> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>>
>> Hi,
>>
>>> gsad --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
>>>
>>> restarted openvas-manager, openvas-scanner, gsad
>>>
>>> Started scan against localhost and the same results:
>>
>> you also need to add this gnutls-priorities to the openvas-manager
>> (openvasmd) and openvas-scanner (openvassd) startup.
Re: [Openvas-discuss] Vulnerabilities OpenVAS
On 20.10.2015 at 18:53, Diego Gomes wrote:
> Yes, it seems.. Maybe because I am not so familiar with this method of
> systemd! I will try anyway,

it is as simple as i explained

just take a systemd-unit from /usr/lib/systemd/system and copy it to
/etc/systemd/system - the reason why you first disable it is that enabling
a service is nothing else than a symlink which is still there and links to
/usr/lib/systemd/system

from the moment on a unit in /etc/systemd/system with the same name exists
"systemctl enable service" will prefer that instead of the one from the
package

that's really as simple as something can be - try the same with sysvinit
to prevent your changes being overwritten by random updates and you will
end up thinking about a different name for the service with all the bad
impact of changed start ordering

having a systemd-unit in /etc/systemd/system called "httpd.service" will
be handled exactly like the one shipped with the distribution and so any
"After=httpd.service" or "Before=httpd.service" will work as before

the only shame is that OpenVAS needs to be secured by the user while it is
used to find insecure settings in any other software - i would call that
situation pervert but that doesn't change the fact that overriding a
systemd-unit is as easy as something can be

> To: openvas-discuss@wald.intevation.org
> From: h.rei...@thelounge.net
> Date: Tue, 20 Oct 2015 18:51:19 +0200
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>
> On 20.10.2015 at 18:45, Diego Gomes wrote:
>> Thanks Reindl,
>>
>> It seems a little complicated, right? Is anyone applying it to secure
>> their own OpenVAS?
>
> there is nothing complicated in cloning and editing a systemd-unit and it
> should be a regular and well known task for anybody maintaining a server
>
>> To: openvas-discuss@wald.intevation.org
>> From: h.rei...@thelounge.net
>> Date: Tue, 20 Oct 2015 14:35:23 +0200
>> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>>
>> On 20.10.2015 at 14:30, Diego Gomes wrote:
>>> Thanks Chris,
>>>
>>> So, I need to:
>>>
>>> vi /usr/lib/systemd/system/openvas-scanner.service
>>
>> never ever touch /usr/lib/systemd/system/
>>
>> whatever you touch would be overwritten with the next update and so you
>> throw away one of the biggest improvements compared to sysvinit
>>
>> * disable services you want to edit
>> * copy the systemd-unit to /etc/systemd/system/
>> * edit the copy there
>> * enable the service again
>> * systemctl daemon reload
>> * systemctl restart servicename
>>
>>> insert
>>> "--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0""
>>> this line at the end of the file?
>>
>> for sure not at the end of the systemd-unit
>>
>> what should systemd do with that line? it's a param for the ExecStart
>> process if there is not a config file
>>
>>> The same for /usr/lib/systemd/system/openvas-manager.service
>>
>> same as above - don't touch /usr/lib/systemd
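Reindl's override procedure written out as a script, as an added example that is not code from the thread or from the OpenVAS project. It assumes the daemon is started directly on the unit's ExecStart= line (so the flag belongs on that line, as he says, and not at the end of the file); the unit it edits in the demo is constructed, and the real openvas-scanner.service shipped by a distribution will differ. The systemctl steps are collected in a function the demo does not call, since they need root and a running systemd. The priority string is the one used throughout the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVAS project: clone a packaged
# systemd unit from /usr/lib/systemd/system into /etc/systemd/system and put
# --gnutls-priorities on its ExecStart= line. Paths are parameters so the
# logic can be exercised in a scratch directory without root.

# Priority string from the thread (assumed to match the gnutls on the host).
OPENVAS_PRIO='SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0'

# clone_unit_with_priorities SRC_UNIT DEST_DIR PRIORITY_STRING
# Writes DEST_DIR/<unit name> with --gnutls-priorities="PRIORITY_STRING"
# appended to every ExecStart= line; all other lines are copied unchanged.
# Refuses to add a second flag if the source already carries one.
# Prints the path of the new unit on success.
clone_unit_with_priorities() {
    src="$1"; dstdir="$2"; prio="$3"
    [ -f "$src" ] || { echo "clone_unit_with_priorities: no unit file $src" >&2; return 1; }
    if grep -q -- '--gnutls-priorities=' "$src"; then
        echo "clone_unit_with_priorities: $src already sets --gnutls-priorities" >&2
        return 2
    fi
    mkdir -p "$dstdir" || return 1
    dst="$dstdir/$(basename "$src")"
    # '|' is a safe sed delimiter: gnutls priority strings never contain it.
    # ^ExecStart= does not match ExecStartPre=/ExecStartPost=, which stay as-is.
    sed "s|^\(ExecStart=.*\)|\1 --gnutls-priorities=\"$prio\"|" "$src" > "$dst" || return 1
    echo "$dst"
}

# unit_execstart_has_priorities UNIT_FILE PRIORITY_STRING
# Post-edit check: succeeds only if every ExecStart= line carries the flag.
unit_execstart_has_priorities() {
    unit="$1"; prio="$2"
    total=$(grep -c '^ExecStart=' "$unit")
    with=$(grep -c -F -- "--gnutls-priorities=\"$prio\"" "$unit")
    [ "$total" -gt 0 ] && [ "$total" -eq "$with" ]
}

# activate_override UNIT_NAME
# The systemctl steps from the thread, run after the copy exists in
# /etc/systemd/system. Needs root and a live systemd; not called by the demo.
activate_override() {
    systemctl disable "$1"     # drops the symlink that still points at /usr/lib
    systemctl enable "$1"      # new symlink resolves to /etc/systemd/system/<unit>
    systemctl daemon-reload
    systemctl restart "$1"
}

# Demo on a constructed unit in a scratch tree (no root needed).
demo_scratch() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/usr/lib/systemd/system"
    # Constructed sample; the distribution's openvas-scanner.service differs.
    cat > "$work/usr/lib/systemd/system/openvas-scanner.service" <<'EOF'
[Unit]
Description=OpenVAS scanner (constructed sample unit)

[Service]
Type=forking
ExecStart=/usr/sbin/openvassd

[Install]
WantedBy=multi-user.target
EOF
    out=$(clone_unit_with_priorities "$work/usr/lib/systemd/system/openvas-scanner.service" \
                                     "$work/etc/systemd/system" "$OPENVAS_PRIO") || return 1
    unit_execstart_has_priorities "$out" "$OPENVAS_PRIO" || return 1
    grep '^ExecStart=' "$out"
    rm -rf "$work"
}

demo_scratch
```

Run as-is it prints the rewritten ExecStart= line from the scratch copy. On a real host, call clone_unit_with_priorities with /usr/lib/systemd/system/openvas-scanner.service and /etc/systemd/system, confirm the result with unit_execstart_has_priorities, then activate_override openvas-scanner.service, and repeat for the manager and gsad units. The check matters because a daemon that reads its options from a config file rather than the command line keeps its old TLS settings even with a correctly edited ExecStart= line, which is exactly the case Reindl flags.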
Re: [Openvas-discuss] Vulnerabilities OpenVAS
Thanks Reindl,

It seems a little complicated, right? Is anyone applying it to secure their own OpenVAS?

Diego

> To: openvas-discuss@wald.intevation.org
> From: h.rei...@thelounge.net
> Date: Tue, 20 Oct 2015 14:35:23 +0200
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>
> On 20.10.2015 at 14:30, Diego Gomes wrote:
>> Thanks Chris,
>>
>> So, I need to:
>>
>> vi /usr/lib/systemd/system/openvas-scanner.service
>
> never ever touch /usr/lib/systemd/system/
>
> whatever you touch would be overwritten with the next update and so you
> throw away one of the biggest improvements compared to sysvinit
>
> * disable services you want to edit
> * copy the systemd-unit to /etc/systemd/system/
> * edit the copy there
> * enable the service again
> * systemctl daemon reload
> * systemctl restart servicename
>
>> insert
>> "--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0""
>> this line at the end of the file?
>
> for sure not at the end of the systemd-unit
>
> what should systemd do with that line? it's a param for the ExecStart
> process if there is not a config file
>
>> The same for /usr/lib/systemd/system/openvas-manager.service
>
> same as above - don't touch /usr/lib/systemd
>
>>> From: fisch@gmx.de
>>> To: openvas-discuss@wald.intevation.org
>>> Date: Tue, 20 Oct 2015 14:13:38 +0200
>>> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>>>
>>> Hi,
>>>
>>>> gsad --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
>>>>
>>>> restarted openvas-manager, openvas-scanner, gsad
>>>>
>>>> Started scan against localhost and the same results:
>>>
>>> you also need to add this gnutls-priorities to the openvas-manager
>>> (openvasmd) and openvas-scanner (openvassd) startup.
Re: [Openvas-discuss] Vulnerabilities OpenVAS
well. update to openvas 8 and then use gnutls priority strings to change
ssl cipher settings..

Eero

2015-10-19 1:28 GMT+03:00 Diego Gomes:
> Hello,
>
> I ran against localhost and I found those Vulnerabilities for tcp/9390
> (openvasmd)
>
> - POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability
> - Deprecated SSLv2 and SSLv3 Protocol Detection
> - Check for SSL Weak Ciphers
>
> My version is:
> rpm -qa |grep -i openvas
> openvas-manager-5.0.9-28.el6.art.x86_64
> openvas-scanner-4.0.6-19.el6.art.x86_64
> openvas-libraries-7.0.9-18.el6.art.x86_64
> openvas-1.0-17.el6.art.noarch
> openvas-cli-1.3.1-6.el6.art.x86_64
>
> How should we fix those 3 vulnerabilities?
>
> Thanks,
>
> Diego
Re: [Openvas-discuss] Vulnerabilities OpenVAS
You need to install centos 7 to get openvas 8. Centos 6 is not supported
due to too old library version(s).

I think openvas 7 also supports gnu priority strings, but it is always
wise to update to the latest version.

--
Eero

2015-10-19 1:36 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
> Thanks Eero,
>
> So, can I understand that I am running openvas 7?
>
> And I understand that atomic team did not release openvas 8, because I did
> not find any update yet.
>
> So, I need to wait for version 8 from atomic corp and use gnutls? I will
> need to study how to do it.
>
> Thanks,
>
> Diego
>
> --
> Date: Mon, 19 Oct 2015 01:32:48 +0300
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
> From: eero.voloti...@iki.fi
> To: diego_...@hotmail.com
> CC: openvas-discuss@wald.intevation.org
>
> well. update to openvas 8 and then use gnutls priority strings to change
> ssl cipher settings..
>
> Eero
>
> 2015-10-19 1:28 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
>> Hello,
>>
>> I ran against localhost and I found those Vulnerabilities for tcp/9390
>> (openvasmd)
>>
>> - POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability
>> - Deprecated SSLv2 and SSLv3 Protocol Detection
>> - Check for SSL Weak Ciphers
>>
>> My version is:
>> rpm -qa |grep -i openvas
>> openvas-manager-5.0.9-28.el6.art.x86_64
>> openvas-scanner-4.0.6-19.el6.art.x86_64
>> openvas-libraries-7.0.9-18.el6.art.x86_64
>> openvas-1.0-17.el6.art.noarch
>> openvas-cli-1.3.1-6.el6.art.x86_64
>>
>> How should we fix those 3 vulnerabilities?
>>
>> Thanks,
>>
>> Diego