Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure

Our security scan identified this issue on our SAM server. The scan uses port 5671. Is there an update/patch for this issue or is there a way to resolve this on the SAM server?

Additional information:

The remote host is affected by an information disclosure vulnerability. The SSL/TLS service supports RSA key exchanges, and incorrectly leaks whether or not the RSA key exchange sent by a client was correctly formatted. This information can allow an attacker to decrypt previous SSL/TLS sessions or impersonate the server.

CVE-2012-5081

CVE-2017-6168

CVE-2017-1000385

CVE-2017-17382

CVE-2017-17427

CVE-2017-17428

CVE-2017-12373

CVE-2017-13098

CVE-2017-13099

CVE-2016-6883

Find more posts tagged with

TLS

cipher

server and application monitor

rsa

Accepted answers

All comments

leigham_martin

Hello jmmd

what vulnerability scanner system are you using?

We use Tenable's Security Center or 'Nessus' and nothing has flagged up on our Orion server for this port and vulnerability. I am on the very latest Orion and SAM version too.

Port 5671 is running on epmd.exe which is located here: \Program Files (x86)\SolarWinds\Orion\Erlang\erts-7.1\bin

I believe this is to do with RabbitMQ potentially? which is a component that SolarWinds uses?

You can use IISCrypto - Nartac Software - IIS Crypto

I believe locking down some of the weak ciphers and protocols will solve your issue.

Run the IISCrypto.exe on the SAM server, go to templates, use the drop down to select PCI 3.1, go back to cipher suites, untick TLS_RSA_WITH_3DES_CBC_SHA, go to SChannel tab, tick TLS 1.0.

Apply changes, reboot your SAM server, re-run your vulnerability scan or do a remediation scan which re-scans the specific vulnerability to remove it from your stats (if its fixed)

Please reply back when you've done the above and let me know if its solved your issue!

Kind Regards,

jmmd

We're also using Nessus. We also use IISCrypto to disable weak cipher suites and protocols. On the protocols tab we just have TLS1.0,1.1 and 1.2 selected. All the ciphers that contained 3DES have already been disabled a long time ago.

This is the version information from SAM

Orion Platform 2017.1.2 SP2, DPAIM 11.0.0, VIM 7.1.0, QoE 2.3, CloudMonitoring 1.0.0, SAM 6.4.0

We've been running this version for a while but the finding just came up about two weeks ago. It's a plugin that isn't normally enabled at least in our system in the Nessus policy. Have you confirmed that the plugin mentioned above is enabled in your scan policy?

leigham_martin

Ahh, well thats good, makes life easier to compare our results if we are using the same vuln scanner.

Seems like you also know what your doing over there as far as SSL/TLS and weak ciphers go.

My versions are as follows;

Orion Platform 2017.3.3 SP3, WPM 2.2.1, DPAIM 11.1.0, VMAN 8.1.0, QoE 2.4, CloudMonitoring 1.1.0, SAM 6.5.0

Seems i am on the very latest version of everything compared to yourself, your SAM is 6.4 and your Orion 2017.1.2 SP2.

Might be worth upgrading your system and then see if that solves your vulnerability issues? That really is the only explanation between our setups and we both use the same vuln scanner.

Let me know what you think!

Regards,

jmmd

We're unable to move to 6.5 without switching servers since we're still on 2008R2 which is not supported on SAM 6.5

I will look into the Orion platform hotfixes to see if those make any difference. I believe HF3 for Orion is the newest release available for SAM 6.4

mvw

SolarWinds will most likely want to update RabbitMQ/Erlang to a version that fixes this vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2017-1000385

https://robotattack.org/

In the meantime, I found a workaround, which is to modify

C:\ProgramData\Solarwinds\Orion\RabbitMQ\rabbitmq.conf

and remove the following items from the ssl_options/ciphers list:

{rsa, aes_256_cbc, sha256}

{rsa, aes_128_cbc, sha256}

Disabling these ciphers resolves the vulnerability and allows it to scan clean on Nessus.

jmmd

Great, I'll give that a try! Thanks for the reply.

leigham_martin

This useful to know so you can manually change these options if you want to. But, i dont get this vulnerability highlighted on my SAM server and i use Tenables Security Center / Nessus so i can only assume SolarWinds fixed it in there latest HF's or releases.

mvw

That is possible, we haven’t applied 2017.3 Hotfix 4 yet.