Environment

Affects Versions: 4.2 - current

Description

Overall Assessment: The latest dynaTrace versions address all known severe vulnerabilities that have been reported. Additional hardening steps against the remaining reported findings are being investigated and will be integrated in future versions.

Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability

  • Details about the Vulnerability: http://www.kb.cert.org/vuls/id/867593
  • dynaTrace Assessment: An attacker would first need to run code in the victim's browser by way of another vulnerability, such as a cross-domain browser flaw, and could then use TRACE to read back sensitive request headers (for example cookies or credentials). The CERT "severity metric" for this issue is 3.71 on a scale from 0 to 180, with 180 being the most severe.
  • Status: dynaTrace has disabled HTTP Trace/Track in 4.1 for ports 8020/8021 (internal link: JLT-46502) and for port 8023 in 4.2 (internal link: JLT-57829). Alternatively, port 8023 can be closed entirely by disabling support for HTTP tunneling under "Settings -> Server Preferences -> Services -> HTTP Tunnel Service".

Support of "unsafe" SSL protocol ciphers

This includes vulnerabilities reported under the following headings:

  • "SSL port allows LOW encryption ciphers"
  • "SSL Server Allows Anonymous Authentication Vulnerability"
  • "SSL Server Allows Cleartext Communication Vulnerability"
  • "SSL Server Supports Weak Encryption Vulnerability"
  • "SSL Server May Be Forced to Use Weak Encryption Vulnerability"
  • dynaTrace Assessment: The SSL protocol negotiates the cipher suite as part of the initial connection handshake. If a server offers potentially unsafe cipher suites, a connection that ends up on such a weak suite could in theory be broken and the transmitted sensitive data read. dynaTrace Client, dynaTrace Collector and dynaTrace Server always select a HIGH-strength cipher regardless of the set of supported ciphers. It is nevertheless advisable to disable the suites deemed unsafe on the server side, so that a safe suite is used in all cases, including connections from peers that are not dynaTrace components.
  • Status: The security scan report does not state which of the enabled ciphers it deems unsafe, so the exact set of ciphers flagged as LOW by the scan cannot be determined. A number of ciphers that are generally deemed unsafe are already excluded in dynaTrace by default. (internal link: JLT-46503, JLT-51541)
    Version 4.2 and newer allow specific ciphers to be disabled, should an installation require this finding to be eliminated, by adding the system property -Dcom.dynatrace.diagnostics.ssl.ciphers.unsafe=<comma-separated-list-of-ciphers> to the files dtserver.ini and dtcollector.ini. (internal link: JLT-52663)

As of Version 4.1 - April Update and 4.2 GA, only the following cipher suites are enabled:

SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5

SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability

  • dynaTrace Assessment: An attack is possible if an SSL connection uses a CBC-mode cipher suite. The finding is reported because the dynaTrace Server lists CBC-based suites as "supported" in its SSL server-side configuration. All peers involved in dynaTrace SSL communication, however, negotiate a stronger cipher and therefore do not use any of the CBC-based suites.
  • Status: dynaTrace does not rank this as a severe vulnerability, because the communication peers negotiate stronger ciphers; therefore no hotfix is provided for this finding for now.
    Version 4.2 and newer allow specific ciphers to be disabled, should an installation require this finding to be eliminated, by adding the system property -Dcom.dynatrace.diagnostics.ssl.ciphers.unsafe=<comma-separated-list-of-ciphers> to the files dtserver.ini and dtcollector.ini. (internal link: JLT-52663)
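The following Python script is an added example and not part of dynaTrace. It builds the value of the ciphers.unsafe property (which both the "unsafe ciphers" and the "Weak CBC Mode" findings above point to) from the list of enabled suites given above and a small set of policy tags (rc4, 3des, cbc, md5, anon, null, export, krb5; the tag names and the suite-name patterns are this example's own, following the JSSE naming scheme). It never disables TLS_EMPTY_RENEGOTIATION_INFO_SCSV, which is a handshake signal rather than a cipher, and it warns when a policy would leave no usable suite. Two things worth noticing on this particular list: the only suites that are not CBC-based are the RC4 ones, so excluding CBC alone forces RC4, and RC4 and MD5-based suites are themselves no longer considered safe; the script flags the first case. That dtserver.ini and dtcollector.ini accept the printed line verbatim, one -D argument per line, is an assumption; check the existing format of the file before appending.

```python
import re

# The suites this article lists as enabled in 4.1 April Update / 4.2 GA.
ENABLED_SUITES = [
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_KRB5_WITH_RC4_128_SHA",
    "TLS_KRB5_WITH_RC4_128_MD5",
    "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
    "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
]

# System property documented on this page (4.2 and newer).
PROPERTY = "com.dynatrace.diagnostics.ssl.ciphers.unsafe"

# Signalling values that show up in JSSE suite lists but are not ciphers.
# Disabling them strengthens nothing and may break the handshake.
SIGNALLING = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}

# Policy tags (this example's own names) and the JSSE suite-name pattern each matches.
RULES = {
    "rc4":    re.compile(r"_RC4_"),
    "3des":   re.compile(r"_3DES_"),
    "cbc":    re.compile(r"_CBC_"),
    "md5":    re.compile(r"_MD5$"),
    "anon":   re.compile(r"_anon_"),
    "null":   re.compile(r"_NULL_"),
    "export": re.compile(r"_EXPORT"),
    "krb5":   re.compile(r"^TLS_KRB5_"),
}


def classify(suite):
    """Return the sorted policy tags that apply to one suite name."""
    return sorted(tag for tag, rx in RULES.items() if rx.search(suite))


def plan(enabled, policy):
    """Split `enabled` into suites to disable under `policy` and suites that remain.

    Input order is preserved so the generated line is stable in a config diff.
    Returns {"unsafe": [...], "remaining": [...], "warnings": [...], "line": str}.
    """
    unknown = set(policy) - set(RULES)
    if unknown:
        raise ValueError(f"unknown policy tags: {sorted(unknown)}")
    unsafe, remaining, warnings = [], [], []
    for suite in enabled:
        if suite not in SIGNALLING and set(classify(suite)) & set(policy):
            unsafe.append(suite)
        else:
            remaining.append(suite)
    real = [s for s in remaining if s not in SIGNALLING]
    if not real:
        warnings.append("policy disables every cipher suite; no TLS handshake could succeed")
    elif all("rc4" in classify(s) for s in real):
        warnings.append("only RC4-based suites remain; excluding CBC on this list forces RC4")
    line = f"-D{PROPERTY}={','.join(unsafe)}" if unsafe else ""
    return {"unsafe": unsafe, "remaining": remaining, "warnings": warnings, "line": line}


if __name__ == "__main__":
    # Assumption: dtserver.ini / dtcollector.ini take one JVM argument per line,
    # so the printed line can be appended after the existing -D entries.
    for policy in ({"rc4", "md5"}, {"cbc"}, {"cbc", "rc4"}):
        p = plan(ENABLED_SUITES, policy)
        print(f"policy {sorted(policy)}: {p['line'] or '(nothing to disable)'}")
        for w in p["warnings"]:
            print("  WARNING: " + w)
```

Run it as-is to see the three sample policies; to generate a line for a different build, replace ENABLED_SUITES with the suite list of the Java runtime that actually ships with your installation.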

Slow HTTP headers vulnerability

  • Details about the Vulnerability: An attacker sends the data of the initial HTTP request very slowly and thereby keeps the connection open for a prolonged time. Repeated over many connections in parallel, this exhausts resources on the server in a "denial of service" type of attack.
  • dynaTrace Assessment: Analysis of this report indicates that only the REST interfaces of the dynaTrace Server would be affected by this "denial of service" attack; the overall operation of the dynaTrace Server would not be affected. (internal link: JLT-53496)

SSL Certificate - Self-Signed Certificate / SSL Certificate - Subject Common Name Does Not Match Server FQDN / SSL Certificate Cannot Be Trusted / SSL Certificate with Wrong Hostname

  • Status: dynaTrace ships with a self-signed SSL certificate. In a security-critical environment, the customer needs to obtain a certificate signed by a trusted CA, whose subject (or subject alternative name) matches the server's FQDN, and install it. Please contact dynaTrace Support for further details.
    "SSL Certificate - Signature Verification Failed Vulnerability": see "SSL Certificate - Self-Signed Certificate" above.

Path-Based Vulnerability

  • Status: Some pages of the website served by the dynaTrace Server are publicly accessible in a default setup. Please contact Support for information on how to adjust the configuration so that authentication is required for all pages of the dynaTrace Server website.

Possible Clickjacking vulnerability

  • Details about the Vulnerability: Clickjacking lets an attacker trick a user into clicking on a link or button by framing the original page and overlaying it with a layer that shows dummy buttons.
  • dynaTrace Assessment: The "X-Frame-Options" HTTP header is supported by browsers to prevent a page from being embedded in an HTML IFRAME. There are, however, valid use cases for including the dynaTrace Server website in an IFRAME, for example in corporate networks where clickjacking is not a concern. We therefore decided to make clickjacking protection opt-in: to stay backwards compatible, the feature is not enabled by default but can be enabled on demand.
  • Status: Starting with 4.2, this finding can be eliminated by instructing the browser not to render the page inside an IFRAME. To do so, set the server system property com.dynatrace.diagnostics.http.header.frameoptions to "DENY" (no framing at all) or "SAMEORIGIN" (framing only by pages from the same origin). The HTTP server then adds the "X-Frame-Options" header with the configured value to its responses.

Web Common Credentials

  • Details about the Vulnerability: In the default setup, protected web pages can be accessed with well-known default credentials.
  • dynaTrace Assessment: This is a setup issue; the password of the admin user should be changed as soon as the installation is complete.
  • Status: Change the password of the admin user so that the well-known default user/password combination, which is easily guessed, is no longer valid.

Insecure Communication Has Been Detected - Web Server Uses Basic Authentication Without HTTPS

  • Details about the Vulnerability: Applications that fail to adequately encrypt network traffic using strong cryptography are at increased risk of being compromised and exposing cardholder data.
  • dynaTrace Assessment: The default setup of dynaTrace allows plain HTTP (non-SSL) communication on port 8020; Basic authentication credentials sent over that port are only base64-encoded, not encrypted. This can be disabled via configuration changes.
  • Status: Disable non-SSL communication in the Server Preferences under "Services - Management".
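The following Python script is an added example, not dynaTrace code. It checks a plain-HTTP management endpoint for the three findings on this page that can be verified from the wire: a reflected TRACE request (cross-site tracing, see the first section), a missing or invalid X-Frame-Options header (clickjacking), and a Basic authentication challenge on an http:// URL (this section). The two handler classes are constructed stand-ins, one unhardened and one with TRACE disabled and frameoptions=DENY, so that the script runs offline; to check a real server, call audit() with its URL, for example http://dtserver:8020/ (the host name is an assumption). The hardened stand-in still reports BASIC_AUTH_OVER_HTTP, because that finding is only resolved by disabling the non-SSL port as described above.

```python
import http.client
import http.server
import secrets
import threading
from urllib.parse import urlsplit


class VulnerableHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an unhardened server on an http:// port."""
    frame_options = None   # no X-Frame-Options header is sent at all
    allow_trace = True

    def log_message(self, *args):   # keep the demo output quiet
        pass

    def do_GET(self):
        # Protected page: the Basic challenge and the credentials sent in
        # reply travel in plaintext because the port is not SSL.
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="dynaTrace Server"')
        if self.frame_options:
            self.send_header("X-Frame-Options", self.frame_options)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        if not self.allow_trace:
            self.send_error(405, "Method Not Allowed")   # hardened answer
            return
        # Reflecting the request is what makes TRACE usable for cross-site
        # tracing: script in the browser can read back Cookie/Authorization.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class HardenedHandler(VulnerableHandler):
    """Stand-in with TRACE disabled and frameoptions=DENY; Basic over http:// remains."""
    frame_options = "DENY"
    allow_trace = False


def _request(url, method, headers=None):
    """One request on a fresh connection; returns (status, headers, body)."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    try:
        conn.request(method, u.path or "/", headers=headers or {})
        r = conn.getresponse()
        return r.status, r.headers, r.read().decode("utf-8", "replace")
    finally:
        conn.close()


def audit(base_url):
    """Return the sorted list of finding codes for base_url."""
    findings = set()
    token = secrets.token_hex(8)   # unique marker to detect reflection
    status, _, body = _request(base_url, "TRACE", {"X-Probe": token})
    if status == 200 and token in body:
        findings.add("XST")
    _, hdrs, _ = _request(base_url, "GET")
    xfo = (hdrs.get("X-Frame-Options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.add("CLICKJACKING")
    challenge = (hdrs.get("WWW-Authenticate") or "").lower()
    if urlsplit(base_url).scheme == "http" and challenge.startswith("basic"):
        findings.add("BASIC_AUTH_OVER_HTTP")
    return sorted(findings)


def start_server(handler):
    """Start a local test server on an ephemeral port; returns (server, url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def run_demo():
    """Audit both constructed servers; returns {name: findings}."""
    results = {}
    for name, handler in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        srv, url = start_server(handler)
        try:
            results[name] = audit(url)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'no findings'}")
```

The TRACE probe uses a random header value rather than looking for a 200 status alone, because some servers answer TRACE with 200 and an empty or generic body; only a response that echoes the marker proves the reflection that cross-site tracing relies on.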

SSL/TLS Renegotiation DoS Vulnerability

  • dynaTrace Assessment: The Java SSL implementation does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which may make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection.
  • Status: dynaTrace does not rank this as a severe vulnerability: discussion has shown that other, easier attack vectors exist, and the attack can be mitigated with operating-system functionality; see for example the extensive discussion of mitigations and alternative attack vectors at http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html. The vulnerability is also currently listed as "disputed" on the official pages related to it.

TLS Renegotiation Attack

  • Details about the Vulnerability: A vulnerability in the Transport Layer Security (TLS) protocol (including the older SSLv3) allows man-in-the-middle (MITM) attacks in which chosen plaintext is injected as a prefix to a TLS connection.
  • dynaTrace Assessment: This has been addressed by Oracle as part of its Java security updates; see the detailed Oracle Readme. dynaTrace ships with a Java VM that includes these patches, which enable a safe set of settings by default. The strictest possible settings, however, are not enabled by default.
  • Status: The Oracle Readme describes how to enforce safe renegotiation by setting the system properties sun.security.ssl.allowUnsafeRenegotiation=false and sun.security.ssl.allowLegacyHelloMessages=false. To enforce this for dynaTrace, add these properties (as -D arguments) to each of the involved ini files, i.e. dtserver.ini, dtclient.ini and dtcollector.ini.
    If you do not use the provided Java runtime for any of the dynaTrace components, make sure an up-to-date Java version is used to execute them.