Untangle NGFW found to be leaking.

gpg

Our Untangle current build...
Build: 15.0.0.20200319T120445.4755a056cd-1stretch
Kernel: 4.9.0-11-untangle-amd64

We have gone through a security review and our security consultants have found our Untangle NGFW to be leaking information that it should have kept hidden, i.e. closed ports vs. filtered, and HTTP headers from browsers as they egress the network. Do I have something misconfigured?

Also, the Untangle NGFW has an OpenSSL issue that is critical. I am using OpenVPN, and since Untangle NGFW is a few versions older than the latest release, is it time to use a different VPN solution?

Thanks,
gpg
 
Need more data...

What's here is unactionable. What scan did you run? What ports did it find "open"?

Also, while Untangle has older versions of stuff, it's also got all the backported security updates. So you cannot match on version number alone... which is what most scans do.

I will say that by default, Untangle's exterior is all "stealth". UDP 1194 opens with OpenVPN, but that's it.

And "headers" WTF? Those don't "leak" that's how browsers work. What are you doing?
 
What scan did you run?

Security consultants used Nessus for all scans. Port they found open? That's the thing, I don't allow SSH or WAN access to the Untangle. I have it limited to be accessed only via our LAN. As far as what I am doing, I am running a DMZ with multiple sites that will be transferred to the cloud or totally eliminated asap.
 
I'm still confused...

Transferring those services to the cloud doesn't change their nature.

The Nessus scan against your WAN isn't a snapshot of Untangle, it's a snapshot of the IP ADDRESSES SCANNED. Which is to say, it's a snapshot of all of the exposed services on any of those IP addresses.

So, how many devices are being scanned? Well... it's Untangle + every port forward / number of systems forwarded to. That total is what you're "securing". Stuffing it into the cloud changes nothing, it just changes the IP addresses you need to scan. But most don't bother to change the list, they just assume oh well... my WAN IP is 100% stealth so I'm safe! No... you aren't.

But that isn't to say shoving services into the cloud is a bad option, you just don't do it for "security reasons".
 
@Sky-Knight As per the OP's "header" issue - It's likely that he needs to change the default headers to NOT report the NGINX/Apache/etc. server version. That fingerprinting is useful in hacking campaigns to know which vulnerabilities to apply/look for. Proxy info can also be leaked via headers...
 
On his server perhaps... but not on the Untangle.

/etc/apache2/conf-enabled/security.conf contains:

ServerTokens Prod
ServerSignature Off
TraceEnable Off

These three settings I actually suggested to the dev team over a decade ago. Untangle's inbuilt Apache service simply reports "Apache" when you ask as a result.

And it's funny because I suggested those changes, when I ran Nessus against Untangle ages ago. I haven't done it in quite some time... perhaps I should again.
 
Used Firefox's inspector feature to look, here's the headers from my Untangle:

HTTP/1.1 302 Found
Date: Mon, 04 May 2020 20:42:44 GMT
Server: Apache
Location: https://10.10.10.1:444/setup/welcome.do
Content-Length: 223
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

See the server field? That's full production Apache, that's what we want...

So without further details on what the scanner is reporting, I have no idea what the OP is seeing. But it would stand to reason there's another web service at play here via port forward that isn't configured correctly. Moving that to the cloud won't fix it, just move it.
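As an added example (not code from this thread or from Untangle), a small Python checker that parses a captured HTTP response like the one above and flags the kind of version disclosure that ServerTokens Prod and ServerSignature Off suppress. Both sample responses are constructed; the host, proxy and version strings in the second one are hypothetical.

```python
import re

# Constructed sample: what Untangle's Apache returns with ServerTokens Prod.
TIGHT = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Location: https://10.10.10.1:444/setup/welcome.do\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n<html><body>moved</body></html>"
)
# Constructed sample (hypothetical host/versions): a stock Apache with
# ServerTokens Full and ServerSignature On behind a proxy that adds Via.
LOOSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.25 (Debian) OpenSSL/1.0.2u\r\n"
    "Via: 1.1 proxy.example.test (squid/3.5)\r\n"
    "X-Powered-By: PHP/7.0.33\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n<html><body><h1>Not Found</h1><hr>"
    "<address>Apache/2.4.25 (Debian) Server at 192.0.2.10 Port 80</address>"
    "</body></html>"
)
# Product/version token such as Apache/2.4.25 or squid/3.5; a bare "Apache" never matches.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")
# Headers that commonly carry product versions (server, proxy and app stack).
DISCLOSING_HEADERS = ("server", "via", "x-powered-by", "x-aspnet-version")

def split_response(raw):
    # Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body).
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_disclosures(raw):
    """Return the list of version-disclosing findings; empty means nothing leaked."""
    _, headers, body = split_response(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append(f"header {name}: {value}")
    # ServerSignature On appends an <address> footer to Apache error pages.
    m = re.search(r"<address>(.*?)</address>", body, re.I | re.S)
    if m and VERSION_RE.search(m.group(1)):
        findings.append(f"ServerSignature footer: {m.group(1).strip()}")
    return findings
```

Run `find_disclosures()` over a response captured from each forwarded service; anything it returns points at the web server behind the port forward, not at Untangle's own Apache.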
 