000038869 - Salt Vulnerabilities Response for RSA NetWitness Platform 11.3.x

Document created by RSA Customer Support Employee on May 19, 2020. Last modified by RSA Customer Support Employee on May 19, 2020.

Article Content

Article Number: 000038869
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness Admin
RSA Version/Condition: 11.3.x
Platform: CentOS 7
Issue: This document outlines the recommendation for remedying the salt vulnerabilities CVE-2020-11651 and CVE-2020-11652 by limiting network access to salt on the NwAdmin server.
Resolution

This knowledge base article describes how to modify the iptables rules to restrict network access to the salt-master to NetWitness Platform servers only. The steps provided below are general recommendations for addressing this issue and are manual changes performed on the NwAdmin server. An automated way is in development by NetWitness Engineering; check back on this article for updates.

Note: The permanent fix for this issue is in RSA NetWitness Platform 11.4.1.1 and above. RSA suggests upgrading to a fixed version as soon as possible.

Procedure

The following steps are meant to be run on the NwAdmin host only.

The following procedure requires the use of custom firewall rules on the NwAdmin server. If custom firewall rules are not enabled, follow the steps in How to add custom firewall rules after nwsetup-tui has completed in RSA NetWitness Logs & Network 11.x before continuing.

  1. Make a backup of the current iptables configuration on the NwAdmin server:

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup

  2. To remove the existing salt rule from iptables, first determine the line number of its entry:

iptables --line-numbers -L | grep '4505\|4506'

Example output:

[root@NWAPPLIANCE15816 ~]# iptables --line-numbers -L | grep '4505\|4506'
4 ACCEPT tcp -- anywhere anywhere tcp multiport dports 4505,4506 /* salt master ports */

Note: If no output is returned, ensure that the command is run on the NwAdmin server and that the iptables service is running.


  3. Using the line number from the previous command (4 in the example above), run the following command to remove the current salt firewall rule:

iptables -D INPUT <line number>

For example:

iptables -D INPUT 4

  4. Access to the salt-master process can be restricted in two different ways using iptables: by individual IP address or by subnet. Customers with large deployments that do not want a large iptables rule set may prefer the subnet option over individual IP addresses.

Option A - Single IPs

Run the following command on the NwAdmin server once for each NetWitness Platform host in the environment. Use the exact same line number from the earlier iptables output for every rule entry, so that the customized rules "stick" together at the position where the old rule existed within iptables.

iptables -I INPUT <line number> -p tcp -s <IP Address> --match multiport --dport 4505,4506 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

For example:

iptables -I INPUT 4 -p tcp -s 10.10.10.12 --match multiport --dport 4505,4506 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Note: If the host is using NAT, use the NAT IP address, not the host's actual IP address, in the command above.

Option B - Subnets

Run the following command on the NwAdmin server once for each subnet that contains NetWitness Platform hosts in the environment. Use the exact same line number from the earlier iptables output for every rule entry, so that the customized rules "stick" together at the position where the old rule existed within iptables.

iptables -I INPUT <line number> -p tcp -s <CIDR Subnet IP> --match multiport --dport 4505,4506 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

For example:

iptables -I INPUT 4 -p tcp -s 10.10.10.0/24 --match multiport --dport 4505,4506 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Note: If the hosts are behind NAT, use the NAT CIDR subnet, not the hosts' actual CIDR subnet, in the command above.

  5. Save the changed iptables rules:

service iptables save

  6. Verify that the iptables rules are loaded and saved correctly with the following commands:

iptables -L
less /etc/sysconfig/iptables


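The verification in the last step is a manual read of the listing. As an added example, not part of the RSA article, the following POSIX shell script checks a saved /etc/sysconfig/iptables (iptables-save format) for the outcome the procedure aims at: no ACCEPT rule for ports 4505,4506 without a -s source, and at least one explicit source allowed. Both rule files embedded below are constructed samples.

```shell
# Added example, not part of the RSA article: checks a saved
# /etc/sysconfig/iptables (iptables-save format) for the result the
# procedure aims at. Both rule files below are constructed samples.

# After the workaround: only explicit sources may reach the salt ports.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.10.13/32 -p tcp -m multiport --dports 4505,4506 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.10.12/32 -p tcp -m multiport --dports 4505,4506 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Before the workaround: the original rule accepts the salt ports from anywhere.
SAVED_RULES_BEFORE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 4505,4506 -m comment --comment "salt master ports" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# open_salt_rules: print each ACCEPT rule for ports 4505,4506 that carries no
# -s source, i.e. one still reachable from any address.
open_salt_rules() {
    printf '%s\n' "$1" | grep -- '--dports 4505,4506' | grep -- '-j ACCEPT' | grep -v -- ' -s '
}

# salt_sources: print the sources allowed to reach the salt ports, sorted.
salt_sources() {
    printf '%s\n' "$1" | grep -- '--dports 4505,4506' | grep -- '-j ACCEPT' \
        | sed -n 's/.* -s \([^ ]*\) .*/\1/p' | sort
}

# check_salt_lockdown: succeed only when no open salt rule remains and at
# least one explicit source is allowed.
check_salt_lockdown() {
    [ -z "$(open_salt_rules "$1")" ] || return 1
    [ -n "$(salt_sources "$1")" ] || return 1
}

# Stand-alone use: report the allowed sources, or complain if the ports are open.
if check_salt_lockdown "$SAVED_RULES"; then
    echo "salt ports restricted to: $(salt_sources "$SAVED_RULES" | tr '\n' ' ')"
else
    echo "unrestricted salt rule still present" >&2
fi
```

On the NwAdmin server, run the check against the real file with `check_salt_lockdown "$(cat /etc/sysconfig/iptables)"`.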
Adding New Appliances Post Workaround

If a new appliance must be added to the RSA NetWitness Platform environment while this workaround is active, use the steps above to open the required firewall hole on the NwAdmin server. This must be performed before the new appliance is added to the RSA NetWitness Platform environment, otherwise the orchestration process fails.

Reverting Workaround After Upgrade

The changes in this workaround mean that the RSA NetWitness Platform no longer controls the firewall rules on the NwAdmin server, so any automated rule changes that RSA makes in the future are not applied there. Once upgraded to RSA NetWitness Platform 11.4.1.1 or later, revert the workaround so that iptables is again under RSA NetWitness Platform control (unless your situation dictates otherwise). To do so, follow these steps.

  1. Review How to add custom firewall rules after nwsetup-tui has completed in RSA NetWitness Logs & Network 11.x and follow its instructions on the NwAdmin server, but change the custom-firewall setting from true to false.
  2. Once the steps in that knowledge base article are done, run the following command on the NwAdmin server:

orchestration-cli-client --update-admin-node
