Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

Resolving InsightVM reported vulnerabilities with NCPA

https://support.nagios.com/forum/viewtopic.php?t=64161

Page 1 of 1

Resolving InsightVM reported vulnerabilities with NCPA

Posted: Thu Dec 09, 2021 9:50 pm
by nagiosusermatthew
NCPA client on windows (port 5693) reports the following

SERVICES
Service Name Product Port Protocol Vulnerabilities Users Groups Authentication
HTTPS ajenti 5693 TCP 4 0 0 Unknown
--
Vulnerability Severity Instances
Untrusted TLS/SSL server X.509 certificate Severe 1
TLS/SSL Server Supports The Use of Static Key Ciphers Moderate 1
Self-signed TLS/SSL certificate Severe 1
HTTP OPTIONS Method Enabled Moderate 1
--
OPTIONS method returned values including itself
--
Negotiated with the following insecure cipher suites:

TLS 1.2 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
--

Can I use domain signed certs on the product? (maybe a silly question, but curious) -- I see where the .crt exists in program files/nagios/ncpa/var. "This is an unsupported workflow" is an OK answer.

Can I turn off the RSA ciphers on the webserver?
Can I turn off HTTP Options on the webserver?

Re: Resolving InsightVM reported vulnerabilities with NCPA

Posted: Fri Dec 10, 2021 5:53 pm
by kfanselow
Hi nagiosusermatthew,

In answer to your questions:

1) You should be able to setup your own certificates for NCPA. By default it generates new self-signed certs but there is an option, "certificates" in the ncpa.cfg config file to specify a certificate to use. Here is a like to the Config Option Reference:

https://www.nagios.org/ncpa/help.php#co ... -reference

2) With regard to the RSA ciphers you should be able to prescribe the cipher suites you would like NCPA use via the ssl_ciphers option in the same config file. NCPA uses openssl so you should be able to find the available ciphers using the openssl ciphers command:

Code: Select all

 openssl ciphers -v
3) HTTP OPTIONS method. Unfortunately this is a little more complex. NCPA uses flask and the OPTIONS method is added automatically. Our development team is aware of the issue and are looking into it. The good news is NCPA is open source so in the mean time you can review the code and qualify the exposure for your auditor or security personnel, or if you're interested in working on it you're welcome to update the code and build a new version in your environment. I'll append links to the github page below.

https://github.com/NagiosEnterprises/ncpa

Here's where the server code is specifically:
https://github.com/NagiosEnterprises/nc ... /server.py


Thanks and Best Regards,
Keith
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited