NSM Nessus scan #5676

Closed
richardstone opened this issue May 5, 2022 · 7 comments

@richardstone

Nessus scan found 2 critical vulnerabilities in NSM: the registry and the nsmgr accept TLS 1.0 and TLS 1.1 on their ports (5002 and 5001).

Could you check how this could be handled?
Thanks!

@denis-tingaikin
Member

@edwarnicke I think we should consider this one on the bug fix week

@denis-tingaikin added this to the v1.4.0 milestone May 5, 2022

@edwarnicke
Member

@richardstone will definitely check into it.

@denis-tingaikin
Member

@edwarnicke, @richardstone Do you have any updates?

@NikitaSkrynnik
Collaborator

@richardstone Hello! I tried to check TLS versions with openssl. Here are the results:

TLS 1.0

kubectl exec -n nsm-system nsmgr-4g8bl -c nsmgr -- openssl s_client -connect registry:5002 -tls1

---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
40576FDDCB7F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
command terminated with exit code 1

TLS 1.1

kubectl exec -n nsm-system nsmgr-4g8bl -c nsmgr -- openssl s_client -connect registry:5002 -tls1_1

---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
4057CACD937F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
command terminated with exit code 1

TLS 1.2

kubectl exec -n nsm-system nsmgr-4g8bl -c nsmgr -- openssl s_client -connect registry:5002 -tls1_2

---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
command terminated with exit code 1
nikita@nikita-B360M-D3H:~$ kubectl exec -n nsm-system nsmgr-4g8bl -c nsmgr -- openssl s_client -connect registry:5002 -tls1_1
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
4057CACD937F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
command terminated with exit code 1
nikita@nikita-B360M-D3H:~$ kubectl exec -n nsm-system nsmgr-4g8bl -c nsmgr -- openssl s_client -connect registry:5002 -tls1_2
Can't use SSL_get_servername
depth=0 C = US, O = SPIRE, CN = registry-k8s-6df6686867-xbn8x
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, O = SPIRE, CN = registry-k8s-6df6686867-xbn8x
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, O = SPIRE, CN = registry-k8s-6df6686867-xbn8x
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, O = SPIRE, CN = registry-k8s-6df6686867-xbn8x
   i:C = US, O = SPIFFE
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 16 08:40:59 2022 GMT; NotAfter: May 16 09:41:09 2022 GMT
---
Server certificate
subject=C = US, O = SPIRE, CN = registry-k8s-6df6686867-xbn8x
issuer=C = US, O = SPIFFE
---
No client certificate CA names sent
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1076 bytes and written 293 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 0D5ED5F9DECBDDB29B6C5A50ED70E24F7461C530E9AF342BAC4511DBE5EB924C71C77F021493C15C9BB3407AA5A2BC45
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1652691184
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---

Looks like registry doesn't accept TLS 1.0 and TLS 1.1 on port 5002. Is there any other way to check this?

@edwarnicke
Member

@NikitaSkrynnik Great investigation!

If it turns out after further investigation we are accepting TLS1 or TLS1.1 this is how we would peg to a minversion of TLS:

networkservicemesh/cmd-forwarder-vpp#627

Also done here:

networkservicemesh/cmd-nse-simple-vl3-docker#5

If we are actually (contrary to your findings) exposing TLS1 and TLS1.1 we'd need to do this to all cmd-* repos.
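
A local check of the minimum-version pin discussed above, which also covers the earlier question about another way to test it: a Go client that offers exactly one protocol version per handshake, so the result does not depend on which protocols the local `openssl` build enables. This is an added example, not code from the NSM repositories or the linked PRs; `startServer` and `accepts` are illustrative names, and the loopback listener with its throwaway certificate is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// startServer runs a loopback TLS listener pinned to minVersion with a throwaway cert.
func startServer(minVersion uint16) (string, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MinVersion: minVersion,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return "", err
	}
	go func() { // handshakes are served one at a time, which is enough for a sequential probe
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// accepts reports whether addr completes a handshake when the client offers only version v.
func accepts(addr string, v uint16) bool {
	// InsecureSkipVerify: the probe tests protocol negotiation only, not the peer's identity.
	c, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true})
	if err == nil {
		c.Close()
	}
	return err == nil
}

func main() {
	addr, _ := startServer(tls.VersionTLS12) // server pinned to TLS 1.2 as the minimum
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		fmt.Printf("offer %#04x accepted=%v\n", v, accepts(addr, v))
	}
}
```

Pointing `accepts` at a real listener address instead of the demo server gives the same per-version answer for that endpoint.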

@denis-tingaikin
Member

@edwarnicke I think we can start with a single application, let's check that forwarder-vpp will be fine with TLS version patch

@denis-tingaikin
Member

@richardstone
The issue should be solved for the latest main.
