000039467 - SSL vulnerability on port 7004 in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Dec 3, 2020

Article Content

Article Number: 000039467

Applies To
   RSA Product Set: RSA NetWitness Platform
   RSA Product/Service Type: Core Appliance
   RSA Version/Condition: 11.x
Issue
A vulnerability assessment (VA) scan of NetWitness reports the following finding:
"SSL self-sign certificate detected and SSL certificate can not be trusted on port 7004".

Netstat shows that the port is listening on the NetWitness host:


[root@xxxxx]# netstat -anp | grep 7004

tcp6       0      0 :::7004                 :::*                    LISTEN      832/java

[root@xxxxx]# ps aux | grep -i 832
netwitn+   832  0.3  2.6 12713104 880056 ?     Sl   Oct19 187:21 /usr/bin/java -Dsun.misc.URLClassPath.disableJarChecking=true -XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom -Xmx8G -jar /usr/sbin/investigate-server.jar --rsa.security.pki.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 --rsa.logging.console=false

The firewall (iptables) rules also list this port among the launch ports:

-A INPUT -p tcp -m tcp -m multiport --dports 7016 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7009 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7015 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7012 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7004 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7020 -m comment --comment "NodeInfraServerPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7006 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7003 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT



These are Salt launch ports used to communicate with the Analyst UI; by design the Salt master has to expose its modules so that the minions can determine which functions are supported.

Resolution
The assessment can be treated as a false positive: NetWitness uses an internal CA, so the certificate on port 7004 is not self-signed. Authenticity is guaranteed because NetWitness services trust only the internal CA. A MITM becomes possible only if an attacker manages to steal the CA private key, which is well protected. Hence this is not considered a vulnerability.
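The distinction the resolution relies on (a certificate issued by an internal CA versus a genuinely self-signed one) can be checked rather than assumed. The script below is an added example, not RSA's own tooling: it classifies the certificate a listener presents and verifies it against a CA bundle; the host name, the CA file path and the demo certificate material are all placeholders constructed for the example, and the openssl CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not RSA's own tooling): tell a self-signed TLS listener
# apart from one whose certificate is issued by an internal CA, and confirm
# the certificate chains to the CA the services are expected to trust.

# is_self_signed CERT.pem : exit 0 when issuer == subject, i.e. self-signed.
is_self_signed() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# chains_to_ca CERT.pem CA.pem : exit 0 when CERT validates against CA.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# fetch_leaf HOST PORT OUT.pem : save the certificate a TLS listener presents.
fetch_leaf() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM -out "$3"
}

# check_listener HOST PORT CA.pem : print a verdict for a live port such as 7004.
check_listener() {
  local tmp; tmp=$(mktemp)
  fetch_leaf "$1" "$2" "$tmp" || { echo "$1:$2 no certificate retrieved"; rm -f "$tmp"; return 2; }
  if is_self_signed "$tmp"; then
    echo "$1:$2 SELF-SIGNED (scanner finding is accurate)"; rm -f "$tmp"; return 1
  elif chains_to_ca "$tmp" "$3"; then
    echo "$1:$2 issued by the trusted internal CA (finding is a false positive)"; rm -f "$tmp"; return 0
  else
    echo "$1:$2 not self-signed but does NOT chain to $3"; rm -f "$tmp"; return 1
  fi
}

# make_demo_certs DIR : constructed offline material (placeholders, not NetWitness
# certificates): a demo internal CA, a leaf it issued, and a self-signed leaf.
make_demo_certs() {
  local d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=nw-node.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=selfsigned.example" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}
# Live usage (placeholder paths): check_listener nw-node.example 7004 /path/to/internal-ca.pem
```

Running check_listener against port 7004 with the appliance's actual internal CA certificate gives a verdict that can be attached to the scan response, instead of closing the finding on the strength of the vendor statement alone.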
