Eyeglass Appliance Security Hardening Guide



Technical Note



Abstract:

This technical note provides a guide to security hardening for the Eyeglass Appliance

January, 2017




Eyeglass Appliance 1.8.x Security Hardening Guide


Eyeglass Service Account

Use the Eyeglass service account when adding the Isilon clusters to Eyeglass.

Reference: Isilon Cluster User Minimum Privileges for Eyeglass

Security Vulnerability: TLS Server supports TLSv1.0 and SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)

Mitigation 1: SSLv2 and SSLv3 disabled for lighttpd (default setting)

Mitigation 2: Disable TLS1.0 and 1.1 for lighttpd by following the steps below:

  1. ssh to Eyeglass Appliance as admin user

  2. Type admin password (default password: 3y3gl4ss)

  3. sudo su - (Syntax: sudo<space>su<space>-)

  4. Type admin password (default password: 3y3gl4ss)

  5. edit /etc/lighttpd/lighttpd.conf

On line 426, you will see:

ssl.cipher-list             = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"

Replace this cipher list with the one below:

ssl.cipher-list = "TLSv1.2:!aNULL:!eNULL:!DSS"

  6. Press Esc key and :wq! to save the changes.

  7. Run this command: systemctl restart lighttpd

  8. Done

Mitigation 3: Disable TLS1.0, TLS1.1, SSLv2 and SSLv3 for the websocket listeners (port 2011 and port 2012) by following the steps below:

  1. ssh to Eyeglass Appliance as admin user

  2. Type admin password (default password: 3y3gl4ss)

  3. sudo su - (Syntax: sudo<space>su<space>-)

  4. Type admin password (default password: 3y3gl4ss)

  5. edit /opt/superna/java/jre1.8.0_05/lib/security/java.security

On line 518, you will see:

#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048

Replace this with one below:

jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048, SSLv2Hello, SSLv3, TLSv1, TLSv1.1

  6. Press Esc key and :wq! to save the changes.

  7. Type this command to restart the Eyeglass service: systemctl restart sca

  8. Done
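As an added example that is not part of this guide, the following script applies the edits from Mitigation 2 and Mitigation 3 by directive name rather than by line number (the line numbers 426 and 518 only hold for the exact file revision shipped with the appliance), keeps a backup of each file, and verifies the result before the services are restarted. It assumes the file paths named above and plain POSIX sh with grep, awk and sed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Superna guide: applies the lighttpd cipher-list
# change (Mitigation 2) and the java.security change (Mitigation 3) by matching
# on the directive name instead of a fixed line number, because the line numbers
# quoted in the guide (426 and 518) only hold for the exact file revision that
# shipped with the appliance. Each file is backed up as <file>.bak first.
# Paths default to the ones the guide names; override them via the environment.
set -eu

LIGHTTPD_CONF="${LIGHTTPD_CONF:-/etc/lighttpd/lighttpd.conf}"
JAVA_SECURITY="${JAVA_SECURITY:-/opt/superna/java/jre1.8.0_05/lib/security/java.security}"

CIPHER_LIST='"TLSv1.2:!aNULL:!eNULL:!DSS"'
DISABLED_ALGS='MD5, SHA1, DSA, RSA keySize < 2048, SSLv2Hello, SSLv3, TLSv1, TLSv1.1'

# Set "key<sep>value" in a config file. The first active directive is rewritten
# in place; otherwise the first commented-out copy (as in java.security, where
# the directive ships commented) is uncommented and rewritten; if neither exists
# the directive is appended, so the setting always takes effect.
set_directive() {               # $1=file  $2=key  $3=value  $4=separator
    file=$1; key=$2; value=$3; sep=$4
    cp "$file" "$file.bak"
    active="^ *${key} *="
    commented="^ *#+ *${key} *="
    if grep -Eq "$active" "$file"; then pat=$active; else pat=$commented; fi
    awk -v pat="$pat" -v line="${key}${sep}${value}" '
        $0 ~ pat && !done { print line; done = 1; next }
        { print }
        END { if (!done) print line }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the value of the first active (uncommented) directive, or nothing.
get_directive() {               # $1=file  $2=key
    sed -n -E "s|^ *${2} *= *||p" "$1" | head -n 1
}

harden_lighttpd() { set_directive "$LIGHTTPD_CONF" ssl.cipher-list "$CIPHER_LIST" ' = '; }
harden_java_tls() { set_directive "$JAVA_SECURITY" jdk.tls.disabledAlgorithms "$DISABLED_ALGS" '='; }

# Post-edit check: both directives must be active and carry the hardened
# values. Run it before restarting lighttpd and sca so that a bad edit is
# caught while the services are still up.
verify_hardening() {
    [ "$(get_directive "$LIGHTTPD_CONF" ssl.cipher-list)" = "$CIPHER_LIST" ] &&
    [ "$(get_directive "$JAVA_SECURITY" jdk.tls.disabledAlgorithms)" = "$DISABLED_ALGS" ]
}
```

Once verify_hardening succeeds, restart the services as in the steps above (systemctl restart lighttpd and systemctl restart sca).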

Security Vulnerability: OpenSSH X11 Command Injection Vulnerability

Mitigation: Upgrade OpenSSH 6.6.1p1 to OpenSSH 7.2p2 by following the steps below.

This guide addresses the “Security Vulnerability: OpenSSH X11 Command Injection Vulnerability” finding on openSUSE 13.2.

Reference: CVE ID: CVE-2016-3115

If your Eyeglass Appliance is connected directly to the internet, follow the online upgrade procedure; otherwise follow the offline upgrade procedure.


FOR ONLINE OpenSSH Upgrade:

IMPORTANT: Please take a “vCenter” snapshot of your current Eyeglass Appliance before conducting the openSSH Package upgrade.

  1. ssh to Eyeglass Appliance as admin user

  2. Type admin password (default password: 3y3gl4ss)

  3. sudo su - (Syntax: sudo<space>su<space>-)

  4. Type admin password (default password: 3y3gl4ss)

  5. Run “ssh -V” to determine your openSSH package version
    [Following upgrade procedure is applied to openSSH_6.6.1p1 → 7.2p2]

  6. Install “wget” to securely copy the RPM file on to your Eyeglass Appliance
    zypper install wget


  7. Download the latest openSSH community build [openssh-7.2p2-142.4.x86_64.rpm] for our OS using “wget”:
    wget http://download.opensuse.org/repositories/network/openSUSE_13.2/x86_64/openssh-7.2p2-142.4.x86_64.rpm


  8. Change the permissions of the RPM file to 700.

  9. Upgrade the current version of openSSH from openSSH_6.6.1p1 → 7.2p2 by running the command:
    rpm -Uvh openssh-7.2p2-142.4.x86_64.rpm

    [above command will upgrade openSSH package. It is IMPORTANT to check connectivity after upgrading]

  10. Run “systemctl status sshd” to ensure sshd service is up and running

  11. Check the version of SSH after upgrading:
    ssh -V

  12. IMPORTANT: Use another PuTTY session to log in to your Eyeglass appliance and check SSH connectivity. Also, log in to your Eyeglass appliance from the clusters using the SSH tunnel to ensure application integrity.

For example: In the screenshot, we are trying to SSH to our Eyeglass appliance from the OneFS cluster. IP 172.16.85.176 is our Eyeglass appliance IP.


FOR OFFLINE OpenSSH Upgrade:

IMPORTANT: Please take a “vCenter” snapshot of your current Eyeglass Appliance before conducting the openSSH Package upgrade.


  1. Browse to the following website and download the appropriate RPM package for openSSH 7.2:
    [http://download.opensuse.org/repositories/network/openSUSE_13.2/x86_64/]

    You will be presented with a list of available RPMs. Click on the .rpm file you want to download. In our case, we downloaded openssh-7.2p2-142.4.x86_64.rpm

  2. If you are using “Windows” OS, typically the file will be downloaded to the “C:\users\xxx\Downloads” folder.

  3. Download “WinSCP” and copy the RPM file over to your Eyeglass Appliance. Our directory location is “/home/admin”.

  4. Change the file permissions by right-clicking the .rpm file and opening Properties.

  5. Set the file permission to 0700

  6. ssh to Eyeglass Appliance as admin user

  7. Type admin password (default password: 3y3gl4ss)

  8. sudo su - (Syntax: sudo<space>su<space>-)

  9. Type admin password (default password: 3y3gl4ss)

  10. Browse to “/home/admin” [where you saved the .rpm file] and upgrade the current version of openSSH from openSSH_6.6.1p1 → 7.2p2 by running the command:
    rpm -Uvh openssh-7.2p2-142.4.x86_64.rpm

    [above command will upgrade openSSH package. It is IMPORTANT to check connectivity after upgrading]

  11. Run “systemctl status sshd” to ensure sshd service is up and running

  12. Check the version of SSH after upgrading:
    ssh -V

  13. IMPORTANT: Use another PuTTY session to log in to your Eyeglass appliance and check SSH connectivity. Also, log in to your Eyeglass appliance from the clusters using the SSH tunnel to ensure application integrity.

    For example: In the screenshot, we are trying to SSH to our Eyeglass appliance from the OneFS cluster. IP 172.16.85.176 is our Eyeglass appliance IP.
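The following script is an added example, not part of the original guide, that wraps the online and offline upgrade steps above: it checks the RPM signature before installing, performs the upgrade, confirms sshd is still active and verifies that ssh -V now reports at least 7.2p2, giving the "check connectivity after upgrading" step a concrete pass/fail result. It assumes the RPM is in /home/admin as in the offline procedure, that the repository signing key has been imported into rpm, and that it runs as root after sudo su -; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Superna guide: wraps the manual 'rpm -Uvh'
# upgrade from the online and offline procedures in a script that checks the
# RPM signature before installing, confirms sshd is still running and compares
# the version reported by 'ssh -V' against the 7.2p2 target.
# The RPM filename is the one the guide downloads; run as root after sudo su -.
set -eu

TARGET_VERSION="7.2p2"
RPM_FILE="${RPM_FILE:-/home/admin/openssh-7.2p2-142.4.x86_64.rpm}"

# Extract the bare version ("6.6.1p1", "7.2p2") from 'ssh -V' output, which
# looks like "OpenSSH_6.6.1p1, OpenSSL 1.0.1k-fips 8 Jan 2015".
parse_openssh_version() {       # $1 = ssh -V output
    printf '%s\n' "$1" | sed -n -E 's/^OpenSSH_([0-9.]+p[0-9]+).*/\1/p'
}

# Map "major.minor[.patch]pN" to one integer so versions compare field by
# field: 6.6.1p1 -> 6006001001, 7.2p2 -> 7002000002.
version_key() {
    printf '%s\n' "$1" | awk -F'[.p]' '{
        n = NF - 1; maj = $1 + 0; min = (n >= 2) ? $2 + 0 : 0; pat = (n >= 3) ? $3 + 0 : 0
        printf "%.0f\n", maj * 1000000000 + min * 1000000 + pat * 1000 + $NF }'
}

# Returns 0 when version $1 is at least version $2.
version_at_least() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

upgrade_openssh() {
    # Signature check: fails unless the repository's signing key has been
    # imported with 'rpm --import'. The guide fetches the RPM over plain http,
    # so this is the only integrity check the package gets before it is
    # installed as root; with set -e a failure here stops the script.
    rpm -K "$RPM_FILE"
    before=$(parse_openssh_version "$(ssh -V 2>&1)")
    rpm -Uvh "$RPM_FILE"
    systemctl is-active --quiet sshd           # step 10: sshd still running?
    after=$(parse_openssh_version "$(ssh -V 2>&1)")
    if ! version_at_least "$after" "$TARGET_VERSION"; then
        echo "upgrade failed: ssh -V still reports ${after:-unknown} (was $before)" >&2
        return 1
    fi
    echo "OpenSSH $before -> $after; keep this session open and test a new login now"
}
```

The existing session should stay open until a second SSH login succeeds, as step 12 of the guide requires.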

Eyeglass with openSUSE 42.3

Columns: CVE | Description | Version on Eyeglass openSUSE 42.3 | Status

NTP

CVE-2016-7429
  Description: NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source, which allows remote attackers to cause a denial of service (prevent communication with a source) by sending a response for a source to an interface the source does not use.
  Version on Eyeglass openSUSE 42.3: 4.2.8p10-30.1
  Status: OK
  Reference: https://www.suse.com/security/cve/CVE-2016-7429/

CVE-2016-7431
  Description: NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protection mechanism via an origin timestamp of zero. NOTE: this vulnerability exists because of a CVE-2015-8138 regression.
  Version on Eyeglass openSUSE 42.3: 4.2.8p10-30.1
  Status: OK
  Reference: https://www.suse.com/security/cve/CVE-2016-7431/

CVE-2016-7433
  Description: NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to have unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."
  Version on Eyeglass openSUSE 42.3: 4.2.8p10-30.1
  Status: OK
  Reference: https://www.suse.com/security/cve/CVE-2016-7433/

CVE-2016-7434
  Description: The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.
  Version on Eyeglass openSUSE 42.3: 4.2.8p10-30.1
  Status: OK
  Reference: https://www.suse.com/security/cve/CVE-2016-7434/

CVE-2016-9310
  Description: The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet.
  Version on Eyeglass openSUSE 42.3: 4.2.8p10-30.1
  Status: OK
  Reference: https://www.suse.com/security/cve/CVE-2016-9310/

SSH

CVE-2016-10012
  Description: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
  Version on Eyeglass openSUSE 42.3: 7.2p2-13.1
  Status: OK (patch is included in 42.3)
  Reference: https://www.suse.com/security/cve/CVE-2016-10012/

CVE-2016-10011
  Description: authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
  Version on Eyeglass openSUSE 42.3: 7.2p2-13.1
  Status: OK (patch is included in 42.3)
  Reference: https://www.suse.com/security/cve/CVE-2016-10011/

CVE-2016-10010
  Description: sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
  Version on Eyeglass openSUSE 42.3: 7.2p2-13.1
  Status: OK (patch is included in 42.3)
  Reference: https://www.suse.com/security/cve/CVE-2016-10010/

CVE-2016-10009
  Description: Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
  Version on Eyeglass openSUSE 42.3: 7.2p2-13.1
  Status: OK (patch is included in 42.3)
  Reference: https://www.suse.com/security/cve/CVE-2016-10009/