OpenVAS gsad service: disable weak ciphers

December 24th at 12:00am

I've been experimenting with OpenVAS for a few months now in my home lab. While the tool can be a bit fiddly at times it has found legitimate issues that would have been difficult for me to identify manually.

One interesting thing to note is that when OpenVAS scans itself (at least for installs that I've performed) is that it defaults to allowing certain weak ciphers. There is general guidance on how to lock-down the ciphers to a more secure configuration - it just requires some massaging if you run OpenVAS as a service which starts on boot.

References

Disable SSLv3 in gsad web server [lists.wald.intevation.org]
Edit the SSL ciphers used by GSAD [wiki.openvas.org]

General guidance is to use this set of gnutls-priorities to prevent exposing SSLv3:

  gsad --gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

The problem here is that you can't simply copy and paste the priorities into your /etc/init.d/openvas-gsa script as the Web Console won't load and you'll see messages like this when you run systemctl status openvas-gsa:

Dec 24 14:22:22 openvas.rubion.net systemd[1]: Starting LSB: remote network security auditor - gsa...
Dec 24 14:22:22 openvas.rubion.net openvas-gsa[883]: Setting priorities to `"SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"' failed: The request is invalid.
Dec 24 14:22:22 openvas.rubion.net openvas-gsa[883]: Setting priorities to `"SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"' failed: The request is invalid.
Dec 24 14:22:22 openvas.rubion.net systemd[1]: Started LSB: remote network security auditor - gsa.

Solution

The solution to this is pretty straight forward: you just need to remove quotes around the gnutls-priorities directive. Here's what my /etc/init.d/openvas-gsa script looks like after making the modification:

DESC="openvas-gsa"
NAME=gsad
DAEMON=/usr/sbin/gsad
DAEMON_ARGS="--gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

Verification

Now when I run TLS/SSL investigation tools against my OpenVAS Installation I no longer see any references to SSLv3. The tools I normally use to check for SSLv3 include:

nmap --script ssl-enum-ciphers -p 443 <host> [nmap]
./testssl.sh <host> [TestSSL]

While there are other other ways to check for SSLv3, the above methods have proven to be very capable and robust. TestSSL provides extremely detailed SSL/TLS and cipher information about a remote host and checks for well-known SSL vulnerabilities (like Heartbleed). NMAP is more accessible and tends to be available from most linux package managers.