Earlier versions of Sympa required a parameter named cookie in the sympa.conf
configuration file.
This parameter was used to make some identifiers generated by the system
unpredictable. For example, it was used:
- as a salt when encrypting passwords stored in the database with the RC4
  symmetric-key algorithm (note that RC4 is no longer considered secure
  and is not supported in the current version of Sympa);
- to prevent attackers from sending crafted messages that achieve XSS and
  similar attacks in message archives.
There were the following problems with the use of this parameter:
- For its purpose, the parameter should be different for each installation
  and, once set, it cannot be changed. As a result, some sites have been
  operating without setting this parameter at all, which completely
  invalidates the security measures described above.
- Even when the parameter is properly set, it may not be strong enough
  against brute-force attacks.
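The two failure modes above (secret unset, secret too short) can be shown concretely. The following is an added example, not Sympa's own code or configuration: it assumes sympa.conf is read as `keyword value` lines, stands in for Sympa's real identifier derivation with an HMAC-SHA256 keyed by the cookie value, and uses constructed sample configurations and a constructed message id. It shows that with no secret an attacker reproduces the identifier from public input alone, that a four-digit secret is recovered from a single observed identifier by exhaustive search, and what a per-installation value of adequate length looks like.

```python
"""Added example (not Sympa's code): why a per-site secret such as the old
`cookie` parameter must be both set and strong.

Assumptions, labelled: sympa.conf is read as `keyword value` lines; the
identifier derivation below is an HMAC stand-in for whatever Sympa actually
did with the parameter; the sample configs and message id are constructed.
"""
import hashlib
import hmac
import itertools
import secrets
import string

# Constructed sample config in the assumed "keyword value" layout; no cookie.
CONF_NO_COOKIE = """\
domain      lists.example.org
listmaster  listmaster@example.org
"""

# Same config with a short, guessable cookie (constructed, deliberately weak).
CONF_WEAK_COOKIE = CONF_NO_COOKIE + "cookie      4071\n"


def parse_conf(text):
    """Parse `keyword value` lines; '#' starts a comment, blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params


def cookie_status(params, min_len=32):
    """Return 'unset', 'weak' (shorter than min_len characters; a threshold
    chosen for this example, not one from Sympa), or 'ok'."""
    value = params.get("cookie", "")
    if not value:
        return "unset"
    if len(value) < min_len:
        return "weak"
    return "ok"


def derive_token(secret, message_id):
    """Stand-in for 'the secret makes an identifier unpredictable':
    HMAC-SHA256 over a public message id, keyed with the site secret."""
    return hmac.new(secret.encode(), message_id.encode(), hashlib.sha256).hexdigest()


def attacker_predicts_token(message_id, site_secret):
    """With no secret configured, an attacker who knows only the public input
    reproduces the identifier exactly (the 'completely invalidates' case)."""
    return derive_token("", message_id) == derive_token(site_secret, message_id)


def brute_force_secret(message_id, observed_token, alphabet=string.digits, length=4):
    """Recover a weak secret from one observed identifier by trying every
    string of `length` symbols drawn from `alphabet`; None if not found."""
    for combo in itertools.product(alphabet, repeat=length):
        guess = "".join(combo)
        if hmac.compare_digest(derive_token(guess, message_id), observed_token):
            return guess
    return None


def generate_cookie(nbytes=32):
    """A suitable value: random, generated once per installation (64 hex chars)."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    msg = "<20240101120000.ABC123@lists.example.org>"  # constructed message id
    for name, conf in [("no cookie", CONF_NO_COOKIE), ("weak cookie", CONF_WEAK_COOKIE)]:
        print(name, "->", cookie_status(parse_conf(conf)))
    # Unset: the attacker computes the same identifier without any secret.
    print("predictable without cookie:", attacker_predicts_token(msg, ""))
    # Weak: one observed identifier suffices to brute-force the 4-digit secret.
    weak = parse_conf(CONF_WEAK_COOKIE)["cookie"]
    print("recovered weak cookie:", brute_force_secret(msg, derive_token(weak, msg)))
    # Strong: 64 random hex characters, well beyond exhaustive search.
    print("generated cookie status:", cookie_status({"cookie": generate_cookie()}))
```

The brute-force routine uses `hmac.compare_digest` only out of habit for comparing digests; the point of the example is that the search space of a short secret, not the comparison, decides whether the identifier can be forged.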