Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness Admin
RSA Version/Condition: 11.3.x
Platform: CentOS 7
Issue
This document outlines the recommendation for remedying the Salt vulnerabilities CVE-2020-11651 and CVE-2020-11652 by limiting network access to Salt on the NwAdmin server.
This knowledge base article describes how to modify the iptables rules so that only NetWitness Platform servers can reach the salt-master over the network. The steps provided below are general recommendations for addressing this issue, and they are manual changes performed on the NwAdmin server. An automated method is being developed by NetWitness Engineering; check back on this article for updates.
Note: The permanent fix for this issue is in RSA NetWitness Platform 220.127.116.11 and above. RSA suggests upgrading to a fixed version as soon as possible.
The following steps are meant to be run on the NwAdmin host only.
The following procedure requires custom firewall rules to be enabled on the NwAdmin server. If custom firewall rules are not enabled, follow the steps in the article "How to add custom firewall rules after nwsetup-tui has completed in RSA NetWitness Logs & Network 11.x" before continuing.
Note: If no output is returned, ensure that the command is run on the NwAdmin server and that the iptables service is running.
Option A - Single IPs
Run the following command on the NwAdmin server to add each NetWitness Platform host in the environment. Use the exact same line number from the iptables output provided earlier for every iptables rule entry. This allows the customized rules to "stick" together where the old rule existed within iptables.
Note: If the host is using NAT, use the NAT IP address not the host's actual IP address in the command above.
Option B - Subnets
Run the following command on the NwAdmin server to add each subnet that contains the NetWitness Platform hosts in the environment. Use the exact same line number from the iptables output provided earlier for every iptables rule entry. This allows the customized rules to "stick" together where the old rule existed within iptables.
Note: If the host is using NAT, use the CIDR NAT Subnet IP address not the host's actual CIDR Subnet IP in the command above.
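A helper that prints the Option A and Option B insert commands for a list of hosts or subnets, as an added example and not RSA's own script. It assumes the rules belong in the INPUT chain and that the salt-master listens on Salt's default TCP ports 4505 and 4506 (the page does not state the ports); the first argument is the line number taken from the earlier iptables output, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not RSA's own script). Prints the iptables insert commands for
# the Option A / Option B workaround from a list of NetWitness host IPs or CIDRs.
# Assumptions not stated on the page: the rules belong in the INPUT chain, and
# salt-master listens on Salt's default TCP ports 4505/4506.
set -eu

SALT_PORTS="4505,4506"

# valid_cidr ADDR: accept only a well-formed IPv4 address or IPv4 CIDR so that
# a typo never turns into a firewall rule. Returns 1 on anything else.
valid_cidr() {
  ip=${1%/*}
  case "$1" in */*) mask=${1#*/} ;; *) mask=32 ;; esac
  case "$mask" in ''|*[!0-9]*) return 1 ;; esac
  [ "$mask" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $ip            # split the address into its octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# gen_salt_rules LINE HOST...: one ACCEPT per host or subnet, every rule
# inserted at the same LINE (the number from the earlier iptables output) so
# the customised rules stay grouped where the old rule sat. Pass the NAT
# address or NAT subnet for hosts behind NAT.
gen_salt_rules() {
  line=$1; shift
  case "$line" in ''|*[!0-9]*) echo "bad line number: $line" >&2; return 1 ;; esac
  for h in "$@"; do
    valid_cidr "$h" || { echo "bad address: $h" >&2; return 1; }
    echo "iptables -I INPUT $line -s $h -p tcp -m multiport --dports $SALT_PORTS -j ACCEPT"
  done
}

# Usage: sh salt_rules.sh LINE HOST_OR_CIDR...  (review the output, then run it)
# Constructed sample: line 5, one single IP (Option A) and one subnet (Option B).
if [ $# -gt 0 ]; then
  gen_salt_rules "$@"
else
  gen_salt_rules 5 10.10.1.20 10.10.2.0/24
fi
```

The script only prints the commands; review them against the line number and NAT notes above before running them on the NwAdmin server.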
Adding New Appliances Post Workaround
If a new appliance must be added to the RSA NetWitness Platform environment while this workaround is active, use the steps above to open the required firewall hole on the NwAdmin server. This must be performed before the new appliance is added to the RSA NetWitness Platform environment, otherwise the orchestration process fails.
Reverting Workaround After Upgrade
With this workaround in place, the RSA NetWitness Platform no longer controls the firewall rules on the NwAdmin server, so any automated rule changes that RSA makes in the future are not applied on the NwAdmin server. Once upgraded to RSA NetWitness Platform 18.104.22.168 or later, this workaround should be reverted so that iptables is back under RSA NetWitness Platform control (unless your situation dictates otherwise). To revert control of iptables to RSA NetWitness after upgrading to 22.214.171.124 or later, follow these steps.