Unexpected Results from Nessus Scans on ProxySG and Advanced Secure Gateway Appliances

book

Article ID: 169135

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

The CPL policy recommended to prevent issues with the POODLE vulnerability detailed in SA83 cause issues with some vulnerability scans.

Cause

The policy in security advisory SA83 causes NESSUS scans to behave as if SSLv2 and SSLv3 are supported. As a result, NESSUS reports that the appliance is vulnerable due to insecure versions of SSL being supported.

When the policy detailed in SA83 is configured on ProxySG appliance, connections are denied with a policy denied exception page to the client. In order to present the exception page to the client/user, the  appliance completes the SSL/TLS connection between the client and SG even when the client is negotiating SSLv3 or SSLv2. After the exception page is presented, the appliance tears down the connection, without forwarding or proxying any data traffic.
 

Resolution

This policy is necessary in preventing issues with this vulnerability. Symantec recommends that after following all of the recommendations in SA 83, you disregard vulnerability scan reports including reference SSLv2 and SSLv3 as false-positives.

Alternately, enter the following:

<SSL>
client.connection.negotiated_ssl_version=(SSLV2, SSLV3) force_exception(silent_denied)

server.connection.negotiated_ssl_version=(SSLV2, SSLV3) force_exception(silent_denied)

Also if your vulnerability scanning  involves testing the device (SG/ASG/SGVA) itself against SSLv3, SSLv2 , You may still observe that vulnerability tools are reporting SG’s service port 443  is vulnerable , even with the above policy being applied. This can also be considered as false positive because when testing  service port 443 (without connecting to OCS via proxy), SG will intercept the connection and perform SSL handshake (regardless of the SSL version) to present below exception message

Most vulnerability scanner tools considers this as vulnerable as SG is performing SSL handshake . (i.e Server hello , certificate was provided back to the scanner when it offered SSLv3 Client Hello). vulnerability scanner tools does not consider the actual HTTPS response being retuned by the SG. 

This false positive can be corrected as well by changing the listener configuration of proxy service port 433. Navigate under web UI --> Configuration --> Services --> Proxy Services --> edit service "HTTPS" or whichever service has port 443 listener --> Under listeners change "destination" from all to Transparent. This will remove the false positive from the scanner.

Attachments