  1. #1
    Newbie
    Join Date
    Jun 2020
    Posts
    5

    Question PCI Failure / Secure Cookies

    Hello,

    I am having issues with my PCI DSS scan failing due to "Insecure configuration of Cookie
    attributes, CVE-NO-MATCH" on my Untangle. I have looked through settings and can't seem to find a place to set secure cookie attributes for the public facing interface on my appliance. Any help would be appreciated.
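The scanner finding quoted above ("Insecure configuration of Cookie attributes") is raised when a login page's Set-Cookie headers lack the Secure, HttpOnly or SameSite attributes. The following audit script is an added example, not part of this thread or of Untangle's own code; it parses a raw HTTP response head and reports which cookies would trip such a check. The sample response (including the cookie names) is constructed; to audit the appliance itself you would feed it a capture of its login page instead. Note that the thread's actual fix is different: when the management UI is no longer reachable on the WAN, there is no public login page for the scanner to flag.

```python
"""Audit Set-Cookie headers for the attributes a PCI DSS scanner expects.

Added example for this thread; not Untangle code. The sample response
below is constructed (the cookie names are placeholders).
"""

# Constructed HTTP response head: one cookie with no protective
# attributes and one that is set correctly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html>login page</html>"
)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map
    to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value, served_over_https=True):
    """Return a list of findings (empty when the cookie is acceptable)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append(f"{name}: missing Secure (may be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (CSRF exposure)")
    return findings


def response_headers(raw_response):
    """Return [(lower-cased name, value)] for every header in a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            key, val = line.split(":", 1)
            headers.append((key.strip().lower(), val.strip()))
    return headers


def audit_response(raw_response):
    """Audit every Set-Cookie header in a raw HTTP response."""
    findings = []
    for key, val in response_headers(raw_response):
        if key == "set-cookie":
            findings.extend(audit_cookie(val))
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

Running it against the constructed sample reports three findings, all for the first cookie; the second cookie, which carries Secure, HttpOnly and SameSite=Strict, passes cleanly.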

  2. #2
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,891

    Default

    Turn off the public facing interface on your appliance. It's asking for trouble. Set up OpenVPN (or IPsec or WireGuard if you have them) and use the VPN when you need to administer Untangle from off site.
    davidelliott likes this.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.4.1 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  3. #3
    Newbie
    Join Date
    Jun 2020
    Posts
    5

    Default

    It is entirely possible that I am not fully understanding as I am new to this type of environment but if I disable the public facing interface would that not completely remove the link needed for my PCI scan to take place? The external interface on the console has the IP address used for the scan.

    This system was already in place when I took this position and is not how I would have set things up to begin with but I have no ability to change it now so I'm just running with what I've got available.

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,809

    Default

    By default UT NGFW has no WAN services visible to the outside.

    Do you have port forwards?

    Are you bridging to the WAN?

    Did you make changes to Config -> Network -> Advanced -> Access Rules?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Newbie
    Join Date
    Jun 2020
    Posts
    5

    Default

    Quote Originally Posted by jcoffin View Post
    By default UT NGFW has no WAN services visible to the outside.

    Do you have port forwards?

    Are you bridging to the WAN?

    Did you make changes to Config -> Network -> Advanced -> Access Rules?
    I have no enabled port forwarding rules and I am not bridging to the WAN. I have a WAN interface with an internet connection coming inbound and a LAN interface I use for the internal office.

    I have not made any changes to Access Rules with the exception of disabling SSH. Allow HTTPS on WANs is enabled, should I be disabling that setting?

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,396

    Default

    Exception of disabling SSH? It's disabled by default... Allow HTTPS on WANs is what's causing your issue and that is ALSO not enabled by default.

    So yes, you've made changes to your access rules, huge hairy ugly and dangerous changes.
    jcoffin likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Newbie
    Join Date
    Jun 2020
    Posts
    5

    Default

    Quote Originally Posted by sky-knight View Post
    Exception of disabling SSH? It's disabled by default... Allow HTTPS on WANs is what's causing your issue and that is ALSO not enabled by default.

    So yes, you've made changes to your access rules, huge hairy ugly and dangerous changes.
    I'm working with the setup that was in place when I got moved into my current role so to my knowledge I thought it was enabled by default. Thanks though

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,396

    Default

    Quote Originally Posted by davidelliott View Post
    I'm working with the setup that was in place when I got moved into my current role so to my knowledge I thought it was enabled by default. Thanks though
    That's exceedingly unfortunate. That means you don't have a clue how long a single-factor authentication prompt was exposed to the Internet. A single factor that, once breached, can trivially enable SSH and give an attacker unfettered and direct access to everything your Untangle can see!

    I'm glad your PCI scan found this then, because this mess is catastrophic enough without leaving doors open. Those access rules are a critical area that needs to be left alone as much as possible.

    To that end I made an Untangle v16.2 VM to get a screen grab of what its defaults are so you can compare; there might be more surprises in that configuration page. I cannot emphasize enough how critical it is that that page is understood, as it's the firewall configuration that defends Untangle itself. The defaults work universally, but if anyone got in there and mucked with things you're left in a very horrifying state. It all needs a solid going through.

    Last edited by sky-knight; 01-29-2021 at 01:21 PM.
    jcoehoorn and davidelliott like this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
