
My ASG220 Failed latest Trustwave Vulnerability Scan

Our latest Trustwave vulnerability scan failed due to my Astaro Gateway and its Apache dna. Here's the actual failure:

Apache HTTP Server Long-Header Cookie Disclosure Vulnerability:

Remediation:
This issue was fixed with the release of version 2.2.22 of Apache HTTP Server. However, it is strongly recommended that the latest stable version with all of the appropriate patches be installed.

I'm running the latest version of ASG 8.301

Any suggestions?


  • Hi, Cottonakin, and welcome to the User BB!

    You'll need to remove external access to WebAdmin and the User Portal.  There's no real exposure, so you can put those back after the tests are complete.

    I'm not a CISSP though, so maybe BruceK or another would like to confirm to assure you.

    Cheers - Bob
    PS Your reseller should be able to answer such questions, or to submit a support request to Astaro if necessary.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 1)  The version of Apache will be updated in v9, which has just entered public beta on these forums, to fix CVE-2012-0053.

    2)  As a remediation, follow the advice in the Admin Guide and in-line help:
    "For the sake of a smooth installation of the gateway, the default is Any. This means that the WebAdmin interface can be accessed from everywhere. Change this setting to your internal network(s) as soon as possible. The most secure solution, however, would be to limit the access to the gateway to only one administrator PC through HTTPS."
    As much as possible, limit Allowed Networks to specific IP's.  You would also want to do the same for the User Portal if applicable.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
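The finding behind this thread is CVE-2012-0053: before Apache HTTP Server 2.2.22, the "400 Bad Request" page returned for an oversized request header echoed the offending header (including a Cookie header) back in the error body, which is why scanners flag it as a cookie disclosure. The following is an added example, not code from this thread or from Astaro/Sophos, showing how a defender can judge a captured error page from their own gateway after a patch: it parses the raw HTTP response, reads the Apache version from the Server banner, and checks whether the probe cookie value was reflected in the body. Both responses, the placeholder cookie value and the function names are constructed for the example; the fixed-version threshold (2.2.22) is the one stated in the scan report above.

```python
import re

# Constructed placeholder cookie used as the marker in the probe request.
# It is not a real session token.
PROBE_COOKIE = "SESSIONID=placeholder-session-token-0123456789"

# Constructed response modelled on the pre-2.2.22 Apache error page, which
# reprinted the oversized header inside a <pre> block.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Apache/2.2.21 (Unix)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "<pre>\nCookie: " + PROBE_COOKIE + "\n</pre>\n"
    "</p></body></html>\n"
)

# Constructed response modelled on a patched server: same status and message,
# but the request header is no longer reprinted.
FIXED_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Apache/2.2.22 (Unix)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "</p></body></html>\n"
)

FIXED_VERSION = (2, 2, 22)  # first release without the disclosure


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def apache_version(server_header):
    """Return (major, minor, patch) from an 'Apache/x.y.z' banner, or None."""
    match = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", server_header or "")
    return tuple(int(part) for part in match.groups()) if match else None


def assess_error_page(raw, probe_cookie):
    """Judge one captured 400 response.

    'cookie_echoed' is the authoritative result: the banner may be hidden by
    ServerTokens, or a vendor may backport the fix without bumping the
    version string, so 'banner_says_fixed' is only a hint.
    """
    status, headers, body = parse_response(raw)
    version = apache_version(headers.get("server"))
    return {
        "status": status,
        "version": version,
        "banner_says_fixed": version is not None and version >= FIXED_VERSION,
        "cookie_echoed": probe_cookie in body,
    }


if __name__ == "__main__":
    for label, raw in (("before", VULNERABLE_RESPONSE), ("after", FIXED_RESPONSE)):
        print(label, assess_error_page(raw, PROBE_COOKIE))
```

Because the body check, not the banner, decides the outcome, this is also the right way to confirm an appliance release such as the 8.302 build mentioned later in the thread actually closed the issue: capture the gateway's own 400 page and verify the marker is absent.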
  • Thanks to both of you! I have changed the access to "Internal Network" for both User Portal and Admin and have re-scheduled the scan. I will let you know the results.
  • Well, the re-scan still failed for the same issue even with the User Portal and Admin set to Internal Networks. I did receive a response from Astaro support that said the fix is coming out in 8.302 (whenever that ships).
  • I've had people go through those tests with no issues.  Can you share the exact port?

    Are you using Web Application Security?

    Thanks for explaining - Bob
     
  • No, I'm not using Web Application Security. I have sent you a private message regarding the failed scan.
  • My email address is my username here combined with our domain listed in my signature.

    Cheers - Bob
     
  • There will be a patch for this issue included in 8.302, as well as the upcoming 9.0.
  • Peter, what is the issue?

    Cheers - Bob
     
  • It's an updated build of Apache to remediate CVE-2012-0053