Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-22 Thread Jan-Oliver Wagner
On Tuesday, 20 October 2015, Reindl Harald wrote:
> On 20.10.2015 at 14:15, Eero Volotinen wrote:
> > You need to configure gnutls-priority string for each daemon, now you
> > just configured it for gsad (greenbone security assistant)
> 
> the main question remains why a vulnerability scanner complaining about 
> other services not at least starts with secure defaults itself without 
> user intervention

The local TLS installation defines the default regarded as secure.
Overriding it by default by an application just creates other
types of unwanted/surprising circumstances.

For example a system or a system administrator might have decided to
define an even stricter global /etc/gnutls/default-priorities.
Then OpenVAS might silently downgrade the chosen security level
if we set it to some value.

I agree that either way (not using system default by default and using
system default by default) has disadvantages.
But calling it "pervert" because we honor system default by default seems
inadequate to me.


-- 
Dr. Jan-Oliver Wagner |  +49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss


Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-22 Thread Reindl Harald

On 22.10.2015 at 09:58, Jan-Oliver Wagner wrote:
> On Tuesday, 20 October 2015, Reindl Harald wrote:
>> On 20.10.2015 at 14:15, Eero Volotinen wrote:
>>> You need to configure gnutls-priority string for each daemon, now you
>>> just configured it for gsad (greenbone security assistant)
>>
>> the main question remains why a vulnerability scanner complaining about
>> other services not at least starts with secure defaults itself without
>> user intervention
>
> The local TLS installation defines the default regarded as secure.
> Overriding it by default by an application just creates other
> types of unwanted/surprising circumstances.
>
> For example a system or a system administrator might have decided to
> define an even stricter global /etc/gnutls/default-priorities.
> Then OpenVAS might silently downgrade the chosen security level
> if we set it to some value.
>
> I agree that either way (not using system default by default and using
> system default by default) has disadvantages.
> But calling it "pervert" because we honor system default by default seems
> inadequate to me.


system TLS defaults are mostly never up-to-date and hence anybody who
does not properly configure a webserver and verify it against
https://www.ssllabs.com/ssltest/ is doing things wrong


that's fine for a hobby administrator but not a piece of software having 
the same goal as ssllabs


eat your own dogfood!

that something is going wrong in that context also showed last year: many
months after heartbleed www.openvas.org was still vulnerable and the
excuse was "some hobby administrator donated the hosting", which is no
excuse at all - frankly i expect at least the own domains to be audited by
the developers as well as their own software


here you go as an example with httpd and RSA certificates

SSLProtocol All -SSLv2 -SSLv3
SSLFIPS Off
SSLCompression Off
SSLInsecureRenegotiation Off
SSLSessionTickets Off
SSLVerifyClient  none
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM

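Reindl points at ssllabs for a public web server, but the listeners this thread is about (9390 for openvasmd, 9392 for gsad) sit on an internal host, so the only way to "eat your own dogfood" is a check from a client on the network, independent of the scanner judging itself. The script below is an added example by the editor, not code from the thread or from the OpenVAS project: it drives `openssl s_client` against one port with each protocol version the scanner complained about and reports which ones still complete a handshake. Port 9391 for openvassd, the exact `openssl s_client -help` text it matches, and the s_client output fragments it parses are assumptions; check them against your openssl build.

```shell
#!/bin/sh
# Added example, not from the thread: check from the client side which
# protocol versions an OpenVAS listener still accepts after the priority
# string change. Ports from the thread: 9390 openvasmd, 9392 gsad;
# 9391 for openvassd is an assumption.

# negotiated_cipher OUTPUT
#   Prints the cipher name from `openssl s_client` output, or nothing when
#   the handshake was refused (s_client then reports "Cipher    : 0000").
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1 | grep -v '^0000$' || true
}

# verdict VERSION CIPHER
#   Policy the thread settles on: only TLS 1.2 should be reachable.
verdict() {
    version=$1 cipher=$2
    if [ -z "$cipher" ]; then
        echo "$version refused"
    elif [ "$version" = tls1_2 ]; then
        echo "$version accepted ($cipher)"
    else
        echo "$version ACCEPTED ($cipher) - weak protocol still enabled"
    fi
}

# probe HOST PORT: try each protocol version the scanner complained about.
probe() {
    host=$1 port=$2
    for version in ssl3 tls1 tls1_1 tls1_2; do
        # An openssl built without the protocol (most distros dropped SSLv3
        # after POODLE) cannot test it; say so instead of reporting "refused".
        if ! openssl s_client -help 2>&1 | grep -q -- " -$version "; then
            echo "$version untestable with this openssl"
            continue
        fi
        out=$(openssl s_client -connect "$host:$port" "-$version" </dev/null 2>/dev/null)
        verdict "$version" "$(negotiated_cipher "$out")"
    done
}

# Usage: sh tls-probe.sh 192.168.254.198 9390
if [ $# -eq 2 ]; then
    probe "$1" "$2"
fi
```

Run it once per port (9390, 9391, 9392) before and after the unit change; a line in capitals means the daemon still negotiates a protocol the scanner flags, whatever the scanner's own re-scan says. For a GnuTLS-only host, `gnutls-cli --priority 'NORMAL:-VERS-ALL:+VERS-SSL3.0' -p 9390 HOST` is the equivalent single-version probe.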

Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Diego Gomes
Thanks Chris,

So, I need to:

vi /usr/lib/systemd/system/openvas-scanner.service

insert 
"--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0""
 this line at the end of the file?

The same for /usr/lib/systemd/system/openvas-manager.service

?
Diego

> From: fisch@gmx.de
> To: openvas-discuss@wald.intevation.org
> Date: Tue, 20 Oct 2015 14:13:38 +0200
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
> 
> Hi,
> 
> > gsad 
> > --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
> > 
> > restarted openvas-manager, openvas-scanner, gsad
> > 
> > Started scan against localhost and the same results:
> 
> you also need to add this gnutls-priorities to the openvas-manager 
> (openvasmd) and openvas-scanner (openvassd) startup.

Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Eero Volotinen
You need to configure gnutls-priority string for each daemon, now you just
configured it for gsad (greenbone security assistant)

--
Eero

2015-10-20 15:07 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:

> Hello,
>
> I used this command:
>
> gsad
> --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
>
> restarted openvas-manager, openvas-scanner, gsad
>
> Started scan against localhost and the same results:
> Check for SSL Weak Ciphers - tcp/9390 (6017/openvasmd)
> Deprecated SSLv2 and SSLv3 Protocol Detection - tcp/9390 (6017/openvasmd)
> POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability - tcp/9390 (6017/openvasmd)
>
> In the /var/log/openvas/gsad.log I see this message (not sure if is
> because of my changes above)
>
> gsad main:WARNING:2015-10-20 09h55.07 BRST:6029: MHD: Failed to receive
> data: The TLS connection was non-properly terminated.
> gsad main:WARNING:2015-10-20 09h55.07 BRST:6029: MHD: Failed to receive
> data: The TLS connection was non-properly terminated.
> gsad main:WARNING:2015-10-20 09h55.48 BRST:6029: MHD: Error: received
> handshake message out of context
>
>
> --
> Date: Mon, 19 Oct 2015 01:39:10 +0300
>
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
> From: eero.voloti...@iki.fi
> To: diego_...@hotmail.com
> CC: openvas-discuss@wald.intevation.org
>
> You need to install centos 7 to get openvas 8. Centos 6 is not supported
> due to too old library version(s).
>
> I think openvas 7 also supports gnu priority strings, but it is always
> wise to update to the latest version.
>
> --
> Eero
>
> 2015-10-19 1:36 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
>
> Thanks Eero,
>
> So, Can I understand that I am running openvas 7?
>
> And I understand that atomic team did not release openvas 8, because I did
> not find any update yet.
>
> So, I need to wait for version 8 from atomic corp and use gnutls? I will
> need to study how to do it.
>
> Thanks,
>
> Diego
>
> --
> Date: Mon, 19 Oct 2015 01:32:48 +0300
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
> From: eero.voloti...@iki.fi
> To: diego_...@hotmail.com
> CC: openvas-discuss@wald.intevation.org
>
>
> well. update to openvas 8 and then use gnutls priority strings to change
> ssl cipher settings..
>
> Eero
>
> 2015-10-19 1:28 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
>
> Hello,
>
> I ran against localhost and I found those Vulnerabilities for tcp/9390
> (openvasmd)
>
>  - POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability
>  - Deprecated SSLv2 and SSLv3 Protocol Detection
>  - Check for SSL Weak Ciphers
>
> My version is:
> rpm -qa |grep -i openvas
> openvas-manager-5.0.9-28.el6.art.x86_64
> openvas-scanner-4.0.6-19.el6.art.x86_64
> openvas-libraries-7.0.9-18.el6.art.x86_64
> openvas-1.0-17.el6.art.noarch
> openvas-cli-1.3.1-6.el6.art.x86_64
>
> How should we fix those 3 vulnerabilities?
>
> Thanks,
>
> Diego
>
>
>

Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Diego Gomes
Eero, did you already do it?

Sorry but, do you mean that I need to run like this?

openvasmd 
--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
openvassd 
--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

Thanks,

Diego

Date: Tue, 20 Oct 2015 15:15:14 +0300
Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
From: eero.voloti...@iki.fi
To: diego_...@hotmail.com
CC: openvas-discuss@wald.intevation.org

You need to configure gnutls-priority string for each daemon, now you just 
configured it for gsad (greenbone security assistant)
--Eero
2015-10-20 15:07 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:



Hello,

I used this command:

gsad 
--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

restarted openvas-manager, openvas-scanner, gsad

Started scan against localhost and the same results:
Check for SSL Weak Ciphers - tcp/9390 (6017/openvasmd)
Deprecated SSLv2 and SSLv3 Protocol Detection - tcp/9390 (6017/openvasmd)
POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability - tcp/9390 (6017/openvasmd)

In the /var/log/openvas/gsad.log I see this message (not sure if is because of 
my changes above)

gsad main:WARNING:2015-10-20 09h55.07 BRST:6029: MHD: Failed to receive data: 
The TLS connection was non-properly terminated.
gsad main:WARNING:2015-10-20 09h55.07 BRST:6029: MHD: Failed to receive data: 
The TLS connection was non-properly terminated.
gsad main:WARNING:2015-10-20 09h55.48 BRST:6029: MHD: Error: received handshake 
message out of context


Date: Mon, 19 Oct 2015 01:39:10 +0300
Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
From: eero.voloti...@iki.fi
To: diego_...@hotmail.com
CC: openvas-discuss@wald.intevation.org

You need to install centos 7 to get openvas 8. Centos 6 is not supported due
to too old library version(s).
I think openvas 7 also supports gnu priority strings, but it is always wise to
update to the latest version.
--Eero
2015-10-19 1:36 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:



Thanks Eero,

So, Can I understand that I am running openvas 7?

And I understand that atomic team did not release openvas 8, because I did not 
find any update yet.

So, I need to wait for version 8 from atomic corp and use gnutls? I will need 
to study how to do it.

Thanks,

Diego

Date: Mon, 19 Oct 2015 01:32:48 +0300
Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
From: eero.voloti...@iki.fi
To: diego_...@hotmail.com
CC: openvas-discuss@wald.intevation.org

well. update to openvas 8 and then use gnutls priority strings to change ssl 
cipher settings..
Eero
2015-10-19 1:28 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:



Hello,

I ran against localhost and I found those Vulnerabilities for tcp/9390 
(openvasmd)

 - POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability
 - Deprecated SSLv2 and SSLv3 Protocol Detection
 - Check for SSL Weak Ciphers

My version is:
rpm -qa |grep -i openvas
openvas-manager-5.0.9-28.el6.art.x86_64
openvas-scanner-4.0.6-19.el6.art.x86_64
openvas-libraries-7.0.9-18.el6.art.x86_64
openvas-1.0-17.el6.art.noarch
openvas-cli-1.3.1-6.el6.art.x86_64

How should we fix those 3 vulnerabilities?

Thanks,

Diego



Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Reindl Harald

On 20.10.2015 at 14:15, Eero Volotinen wrote:
> You need to configure gnutls-priority string for each daemon, now you
> just configured it for gsad (greenbone security assistant)

the main question remains why a vulnerability scanner complaining about
other services not at least starts with secure defaults itself without
user intervention


Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Diego Gomes
Right, why isn't there a step-by-step to fix it?

of course, everybody wants no vulnerability in their scanner, right?

and it is very confusing to apply those fixes

Now, I am not sure if just running:

gsad 
--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

is enough for gsad. Should I insert it in systemd as well?

Diego

Date: Tue, 20 Oct 2015 15:31:38 +0300
From: eero.voloti...@iki.fi
To: h.rei...@thelounge.net
CC: openvas-discuss@wald.intevation.org
Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS

Yes, It should enable only tlsv1.2 on default settings, if possible :)
--Eero
2015-10-20 15:29 GMT+03:00 Reindl Harald <h.rei...@thelounge.net>:

> On 20.10.2015 at 14:15, Eero Volotinen wrote:
>> You need to configure gnutls-priority string for each daemon, now you
>> just configured it for gsad (greenbone security assistant)
>
> the main question remains why a vulnerability scanner complaining about other
> services not at least starts with secure defaults itself without user
> intervention


Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Chris
Hi,

> gsad 
> --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
> 
> restarted openvas-manager, openvas-scanner, gsad
> 
> Started scan against localhost and the same results:

you also need to add this gnutls-priorities to the openvas-manager (openvasmd) 
and openvas-scanner (openvassd) startup.

Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Eero Volotinen
and also remember to issue a daemon reload to systemd to get modified
startup-script changes into effect.


--
Eero


2015-10-20 15:13 GMT+03:00 Chris :

> Hi,
>
> > gsad
> --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
> >
> > restarted openvas-manager, openvas-scanner, gsad
> >
> > Started scan against localhost and the same results:
>
> you also need to add this gnutls-priorities to the openvas-manager
> (openvasmd) and openvas-scanner (openvassd) startup.

Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Eero Volotinen
Yes, It should enable only tlsv1.2 on default settings, if possible :)

--
Eero

2015-10-20 15:29 GMT+03:00 Reindl Harald :

>
> On 20.10.2015 at 14:15, Eero Volotinen wrote:
>
>> You need to configure gnutls-priority string for each daemon, now you
>> just configured it for gsad (greenbone security assistant)
>>
>
> the main question remains why a vulnerability scanner complaining about
> other services not at least starts with secure defaults itself without user
> intervention
>

Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Eero Volotinen
Something like that, but should enable only TLSv1.2 for best security.

--
Eero

2015-10-20 15:30 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:

> Thanks Chris,
>
> So, I need to:
>
> vi /usr/lib/systemd/system/openvas-scanner.service
>
> insert
> "--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0""
> this line at the end of the file?
>
> The same for /usr/lib/systemd/system/openvas-manager.service
>
> ?
> Diego
>
> > From: fisch@gmx.de
> > To: openvas-discuss@wald.intevation.org
> > Date: Tue, 20 Oct 2015 14:13:38 +0200
> > Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
> >
> > Hi,
> >
> > > gsad
> --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
> > >
> > > restarted openvas-manager, openvas-scanner, gsad
> > >
> > > Started scan against localhost and the same results:
> >
> > you also need to add this gnutls-priorities to the openvas-manager
> (openvasmd) and openvas-scanner (openvassd) startup.

Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Reindl Harald

On 20.10.2015 at 18:53, Diego Gomes wrote:
> Yes, it seems..
>
> Maybe because I am not so familiar with this method of systemd!
>
> I will try anyway,

it is as simple as i explained

just take a systemd-unit from /usr/lib/systemd/system and copy it to
/etc/systemd/system - the reason why you first disable it is that enabling
a service is nothing else than a symlink which is still there and links
to /usr/lib/systemd/system

from the moment on a unit in /etc/systemd/system with the same name
exists "systemctl enable service" will prefer that instead of the one from
the package

that's really as simple as something can be - try the same with sysvinit
to prevent your changes from being overwritten by random updates and you
will end up thinking about a different name for the service, with all the
bad impact of changed start ordering

having a systemd-unit in /etc/systemd/system called "httpd.service" will
be handled exactly like the one shipped with the distribution and so
any "After=httpd.service" or "Before=httpd.service" will work as before

the only shame is that OpenVAS needs to be secured by the user while it
is used to find insecure settings in any other software - i would call
that situation pervert but that doesn't change the fact that overriding a
systemd-unit is as easy as something can be

> To: openvas-discuss@wald.intevation.org
> From: h.rei...@thelounge.net
> Date: Tue, 20 Oct 2015 18:51:19 +0200
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>
> On 20.10.2015 at 18:45, Diego Gomes wrote:
>> Thanks Reindl,
>>
>> It seems a little complicated, right? Is anyone applying it to secure
>> their own OpenVAS?
>
> there is nothing complicated in cloning and editing a systemd-unit and it
> should be a regular and well known task for anybody maintaining a server
>
>> To: openvas-discuss@wald.intevation.org
>> From: h.rei...@thelounge.net
>> Date: Tue, 20 Oct 2015 14:35:23 +0200
>> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>>
>> On 20.10.2015 at 14:30, Diego Gomes wrote:
>>> Thanks Chris,
>>>
>>> So, I need to:
>>>
>>> vi /usr/lib/systemd/system/openvas-scanner.service
>>
>> never ever touch /usr/lib/systemd/system/
>>
>> whatever you touch would be overwritten with the next update and so you
>> throw away one of the biggest improvements compared to sysvinit
>>
>> * disable services you want to edit
>> * copy the systemd-unit to /etc/systemd/system/
>> * edit the copy there
>> * enable the service again
>> * systemctl daemon-reload
>> * systemctl restart servicename
>>
>>> insert
>>> "--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0""
>>> this line at the end of the file?
>>
>> for sure not at the end of the systemd-unit
>> what should systemd do with that line?
>>
>> it's a param for the ExecStart process if there is not a config file
>>
>>> The same for /usr/lib/systemd/system/openvas-manager.service
>>
>> same as above - don't touch /usr/lib/systemd
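Chris's and Eero's point earlier in the thread (the priority string has to reach openvassd, openvasmd and gsad separately, and systemd has to re-read the unit files before a restart picks anything up) together with Reindl's override procedure, as one added example by the editor; it is not code from the thread or from the OpenVAS packages. It copies each packaged unit into /etc/systemd/system, appends the flag to the ExecStart= line of the copy, and then runs the disable, daemon-reload, enable and restart steps. The unit names (openvas-scanner.service, openvas-manager.service, gsad.service), the packaged unit path, a single-line ExecStart=, and that the daemons hand the `--gnutls-priorities` value to GnuTLS unchanged are assumptions to check against your install with `systemctl cat <unit>`. The priority string is Diego's with TLS 1.1 removed as well, which leaves TLS 1.2 only, as Eero asks for, using only keywords a 2015 GnuTLS accepts.

```shell
#!/bin/sh
# Added example: put one GnuTLS priority string on every OpenVAS daemon by
# overriding the packaged systemd units (copy to /etc, edit the copy).
# Not code from the thread or the OpenVAS packages; unit names and paths
# are assumptions, check them with `systemctl cat <unit>`.

# TLS 1.2 only, 128-bit-or-better suites: Diego's string minus TLS 1.1 too.
# Contains no whitespace, so it needs no quoting inside ExecStart=.
# Assumes the daemons pass --gnutls-priorities to GnuTLS unchanged.
PRIORITY='SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1'

# Where packaged units live and where local overrides go. Overridable via
# the environment so the logic can be exercised against scratch directories.
PKG_UNITS="${PKG_UNITS:-/usr/lib/systemd/system}"
LOCAL_UNITS="${LOCAL_UNITS:-/etc/systemd/system}"

# Unit names assumed for the three listeners (openvassd, openvasmd, gsad).
UNITS="openvas-scanner.service openvas-manager.service gsad.service"

# override_unit NAME FLAG
#   Writes $LOCAL_UNITS/NAME as a copy of $PKG_UNITS/NAME with FLAG appended
#   to the ExecStart= line (assumed to be a single line), and prints the path
#   written. A unit of the same name in /etc/systemd/system shadows the
#   packaged one, so package updates never touch the copy.
override_unit() {
    name=$1 flag=$2
    src="$PKG_UNITS/$name" dst="$LOCAL_UNITS/$name"
    [ -f "$src" ] || { echo "no such unit: $src" >&2; return 1; }
    grep -q '^ExecStart=' "$src" || { echo "no ExecStart= in $src" >&2; return 1; }
    mkdir -p "$LOCAL_UNITS"
    # '&' in the replacement is the matched ExecStart= line itself.
    sed "s|^ExecStart=.*|& $flag|" "$src" > "$dst"
    echo "$dst"
}

# execstart_of FILE: print the ExecStart= value of a unit file, for checks.
execstart_of() {
    sed -n 's/^ExecStart=//p' "$1"
}

# apply_all: Reindl's sequence for every unit, with one daemon-reload in
# between so systemd loads the copies from /etc before they are enabled.
apply_all() {
    flag="--gnutls-priorities=$PRIORITY"
    for unit in $UNITS; do
        systemctl disable "$unit"
        override_unit "$unit" "$flag" || return 1
    done
    # systemd keeps the old unit definitions until told to re-read them.
    systemctl daemon-reload
    for unit in $UNITS; do
        systemctl enable "$unit"
        systemctl restart "$unit"
    done
}

# Usage: sh override-tls.sh apply   (as root; without "apply" only defines functions)
if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Before applying, confirm the string itself is what you think it is with `gnutls-cli -l --priority "$PRIORITY"`, which lists the protocols and ciphersuites GnuTLS derives from it; a typo there stops the daemon from starting rather than weakening it silently. After applying, `systemctl cat openvas-scanner` shows which file systemd actually loaded. A drop-in under /etc/systemd/system/NAME.service.d/ that resets ExecStart= achieves the same with less copied text, but the full copy is what the thread describes.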

Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-20 Thread Diego Gomes
Thanks Reindl,

It seems a little complicated, right? Is anyone applying it to secure their own
OpenVAS?

Diego

To: openvas-discuss@wald.intevation.org
From: h.rei...@thelounge.net
Date: Tue, 20 Oct 2015 14:35:23 +0200
Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS

On 20.10.2015 at 14:30, Diego Gomes wrote:
> Thanks Chris,
>
> So, I need to:
>
> vi /usr/lib/systemd/system/openvas-scanner.service

never ever touch /usr/lib/systemd/system/

whatever you touch would be overwritten with the next update and so you
throw away one of the biggest improvements compared to sysvinit

* disable services you want to edit
* copy the systemd-unit to /etc/systemd/system/
* edit the copy there
* enable the service again
* systemctl daemon-reload
* systemctl restart servicename

> insert
> "--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0""
> this line at the end of the file?

for sure not at the end of the systemd-unit
what should systemd do with that line?

it's a param for the ExecStart process if there is not a config file

> The same for /usr/lib/systemd/system/openvas-manager.service

same as above - don't touch /usr/lib/systemd

>> From: fisch@gmx.de
>> To: openvas-discuss@wald.intevation.org
>> Date: Tue, 20 Oct 2015 14:13:38 +0200
>> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
>>
>> Hi,
>>
>>> gsad
>>> --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"
>>>
>>> restarted openvas-manager, openvas-scanner, gsad
>>>
>>> Started scan against localhost and the same results:
>>
>> you also need to add this gnutls-priorities to the openvas-manager
>> (openvasmd) and openvas-scanner (openvassd) startup.


Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-18 Thread Eero Volotinen
well. update to openvas 8 and then use gnutls priority strings to change
ssl cipher settings..

Eero

2015-10-19 1:28 GMT+03:00 Diego Gomes :

> Hello,
>
> I ran against localhost and I found those Vulnerabilities for tcp/9390
> (openvasmd)
>
>  - POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability
>  - Deprecated SSLv2 and SSLv3 Protocol Detection
>  - Check for SSL Weak Ciphers
>
> My version is:
> rpm -qa |grep -i openvas
> openvas-manager-5.0.9-28.el6.art.x86_64
> openvas-scanner-4.0.6-19.el6.art.x86_64
> openvas-libraries-7.0.9-18.el6.art.x86_64
> openvas-1.0-17.el6.art.noarch
> openvas-cli-1.3.1-6.el6.art.x86_64
>
> How should we fix those 3 vulnerabilities?
>
> Thanks,
>
> Diego
>
>
>

Re: [Openvas-discuss] Vulnerabilities OpenVAS

2015-10-18 Thread Eero Volotinen
You need to install centos 7 to get openvas 8. Centos 6 is not supported
due to too old library version(s).

I think openvas 7 also supports gnu priority strings, but it is always
wise to update to the latest version.

--
Eero

2015-10-19 1:36 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:

> Thanks Eero,
>
> So, Can I understand that I am running openvas 7?
>
> And I understand that atomic team did not release openvas 8, because I did
> not find any update yet.
>
> So, I need to wait for version 8 from atomic corp and use gnutls? I will
> need to study how to do it.
>
> Thanks,
>
> Diego
>
> --
> Date: Mon, 19 Oct 2015 01:32:48 +0300
> Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS
> From: eero.voloti...@iki.fi
> To: diego_...@hotmail.com
> CC: openvas-discuss@wald.intevation.org
>
>
> well. update to openvas 8 and then use gnutls priority strings to change
> ssl cipher settings..
>
> Eero
>
> 2015-10-19 1:28 GMT+03:00 Diego Gomes <diego_...@hotmail.com>:
>
> Hello,
>
> I ran against localhost and I found those Vulnerabilities for tcp/9390
> (openvasmd)
>
>  - POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability
>  - Deprecated SSLv2 and SSLv3 Protocol Detection
>  - Check for SSL Weak Ciphers
>
> My version is:
> rpm -qa |grep -i openvas
> openvas-manager-5.0.9-28.el6.art.x86_64
> openvas-scanner-4.0.6-19.el6.art.x86_64
> openvas-libraries-7.0.9-18.el6.art.x86_64
> openvas-1.0-17.el6.art.noarch
> openvas-cli-1.3.1-6.el6.art.x86_64
>
> How should we fix those 3 vulnerabilities?
>
> Thanks,
>
> Diego
>
>
>