Unsecure default settings FlashMQ / nginx on Cerbo GX #1406

Open
helgegrimm opened this issue Dec 24, 2024 · 1 comment

@helgegrimm

Device: Cerbo GX
Firmware: v3.51
Services: TLS enabled Nginx at Port 443 and FlashMQ on Port 8883

Cerbo GX was scanned via Greenbone CE. See results below:

1. DoS vulnerabilities:
The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.
CVE-2011-1473 & CVE-2011-5094

The following indicates that the remote SSL/TLS service is affected:
| Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection |
| --- | --- |
| TLSv1.1 | 10 |
| TLSv1.2 | 10 |

The flaw exists because the remote SSL/TLS service does not properly restrict client-initiated renegotiation within the SSL and TLS protocols.

2. Deprecated TLSv1.0 and TLSv1.1 protocol usage
It was possible to detect the usage of the deprecated TLSv1.0 and/or TLSv1.1 protocol on this system.

In addition to TLSv1.2+ the service is also providing the deprecated TLSv1.0 and TLSv1.1 protocols and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Supported Cipher Suites' (OID: 1.3.6.1.4.1.25623.1.0.802067) VT.

The TLSv1.0 and TLSv1.1 protocols contain known cryptographic flaws like:

  • CVE-2011-3389: Browser Exploit Against SSL/TLS (BEAST)
  • CVE-2015-0204: Factoring Attack on RSA-EXPORT Keys Padding Oracle On Downgraded Legacy Encryption (FREAK)

An attacker might be able to use the known cryptographic flaws to eavesdrop the connection between clients and the service to get access to sensitive data transferred within the secured connection.

It is recommended to disable the deprecated TLSv1.0 and/or TLSv1.1 protocols in favor of the TLSv1.2+ protocols.

Possible solution nginx:
In /etc/nginx/nginx.conf disable TLSv1.0 and TLSv1.1 protocols by changing
```
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
```
into
```
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE, dropping TLSv1 and TLSv1.1, ref: BEAST, FREAK
```

Possible solution FlashMQ:
Build a fixed version of FlashMQ, see https://github.com/halfgaar/FlashMQ/blob/master/bridgeconfig.cpp
```cpp
SSL_CTX_set_options(sslctx->get(), SSL_OP_NO_SSLv3); // TODO: config option
SSL_CTX_set_options(sslctx->get(), SSL_OP_NO_TLSv1); // TODO: config option
```
add
```cpp
SSL_CTX_set_options(sslctx->get(), SSL_OP_NO_TLSv1_1); // disabling TLSv1_1
```

@helgegrimm

Addendum, possible solution FlashMQ:
Also https://github.com/halfgaar/FlashMQ/blob/master/listener.cpp needs to be extended with this line at the suitable position:
```cpp
SSL_CTX_set_options(sslctx->get(), SSL_OP_NO_TLSv1_1); // disabling TLSv1_1
```
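A check for the nginx change proposed in the issue, added here as an example (it is not part of the original issue or the project's own code): it reads nginx configuration text and reports `ssl_protocols` directives that still enable deprecated protocols. Comments are stripped first, because the corrected line's trailing comment itself mentions TLSv1 and TLSv1.1 and a plain text search would flag it. The function names and the `DEPRECATED` set are assumptions of this example.

```python
import re

# ssl_protocols tokens this audit treats as deprecated (assumption of the example).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample input: the two directive lines quoted in the issue.
BEFORE = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE\n"
AFTER = ("ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE, "
         "dropping TLSv1 and TLSv1.1, ref: BEAST, FREAK\n")

def strip_comment(line):
    """Cut an nginx '#' comment, ignoring '#' inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def audit_ssl_protocols(conf_text):
    """Return [(line_no, [deprecated tokens])] for each ssl_protocols
    directive that still enables a deprecated protocol."""
    findings, pending, start = [], None, 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        code = strip_comment(raw)
        if pending is None:
            # Anchor on a token boundary so proxy_ssl_protocols is not matched.
            m = re.search(r"(?:^|[\s;{}])ssl_protocols\s", code + " ")
            if not m:
                continue
            pending, start, code = "", no, code[m.end():]
        # A directive may span several lines; collect tokens until the ';'.
        head, sep, _ = code.partition(";")
        pending += " " + head
        if sep:
            bad = [p for p in pending.split() if p in DEPRECATED]
            if bad:
                findings.append((start, bad))
            pending = None
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_ssl_protocols(text) or "no deprecated protocols")
```

To audit a device, pass the contents of /etc/nginx/nginx.conf and of any files it includes; this example does not follow `include` directives.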
