
SSL vulnerability on port 7004 in RSA NetWitness Platform

Issue

A vulnerability assessment (VA) scan of NetWitness reports the following finding:
"SSL self-signed certificate detected and SSL certificate cannot be trusted on port 7004".


Netstat shows that the port is listening on the NetWitness host, and the listening process is the investigate-server Java service:

[root@xxxxx]# netstat -anp | grep 7004

tcp6 0 0 :::7004 :::* LISTEN 832/java

[root@xxxxx]# ps aux | grep -i 832
netwitn+   832  0.3  2.6 12713104 880056 ?     Sl   Oct19 187:21 /usr/bin/java -Dsun.misc.URLClassPath.disableJarChecking=true -XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom -Xmx8G -jar /usr/sbin/investigate-server.jar --rsa.security.pki.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 --rsa.logging.console=false


The host firewall (iptables) rules also open this port, together with the other launch ports:


-A INPUT -p tcp -m tcp -m multiport --dports 7016 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7009 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7015 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7012 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7004 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7020 -m comment --comment "NodeInfraServerPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7006 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 7003 -m comment --comment "LaunchPort" -m conntrack --ctstate NEW -j ACCEPT


These are Salt launch ports used to communicate with the Analyst UI. By design the Salt master needs to expose its modules so that minions can learn what is supported.


Resolution

The finding can be considered a false positive: NetWitness uses an internal CA, so no certificate is self-signed; the scanner flags the certificate only because it does not chain to a CA in the scanner's public trust store. Authenticity is guaranteed because NetWitness services trust only the internal CA. A MITM is possible only if an attacker manages to steal the CA private key, which is well protected. Hence this can be considered not a vulnerability.
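To confirm a finding of this kind, the check the scanner cannot do is to verify the certificate presented on the port against the internal CA rather than a public trust store. The script below is an added example, not from the original article or the NetWitness product; the paths, host names and throwaway demo CA in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Reproduces the scanner's
# "self-signed" test (subject DN == issuer DN) and then does the check a
# scanner cannot: verify the presented certificate against the internal
# CA bundle rather than the public trust store. Paths, host names and the
# throwaway demo CA below are constructed for illustration.

# classify_cert PEM: "self-signed" when the subject and issuer DN hashes
# match, otherwise "ca-issued" (what a private-CA certificate looks like).
classify_cert() {
  s=$(openssl x509 -in "$1" -noout -subject_hash)
  i=$(openssl x509 -in "$1" -noout -issuer_hash)
  [ "$s" = "$i" ] && echo self-signed || echo ca-issued
}

# verify_against_ca CA_PEM LEAF_PEM: exit 0 only if LEAF chains to CA_PEM.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fetch_port_cert HOST PORT OUT_PEM: save the leaf certificate a TLS
# listener presents (e.g. the appliance on 7004). Needs network access,
# so the offline demo below does not call it.
fetch_port_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

# make_demo_certs DIR: constructed internal CA, a leaf it issues, and a
# genuinely self-signed leaf with the same CN, so both outcomes are visible.
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Internal CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nw-host" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=nw-host" \
    -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
}

# Stand-alone run: `sh check_cert.sh --demo` exercises both checks offline.
if [ "${1-}" = "--demo" ]; then
  d=$(mktemp -d) && make_demo_certs "$d"
  for c in leaf self; do
    printf '%s.pem: %s, ' "$c" "$(classify_cert "$d/$c.pem")"
    verify_against_ca "$d/ca.pem" "$d/$c.pem" && echo "chains to internal CA" || echo "untrusted"
  done
  rm -rf "$d"
fi
```

Against a live appliance, fetch_port_cert followed by verify_against_ca with the exported internal CA bundle as CA_PEM gives the answer the scanner's public-store verification cannot.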


Product Details

  • RSA Product Set: RSA NetWitness Platform
  • RSA Product/Service Type: Core Appliance
  • RSA Version/Condition: 11.x

