09-17-2020 03:01 PM
We recently had a security audit that included a test of our SystemLink server. It turns out that the Apache server that is outdated (version 2.4.29) and has multiple security issues. I upgraded SystemLink to 2020 R3, but Apache was not upgraded. I am not sure how to rate those vulnerabilities or in what way the NI Webserver is different from Apache.
Additionally, the RabbitMQ/Cowboy server at port 5673 and 15672 was reported to allow weak encryption using TLS 1.0 and TLS 1.1 with weak ciphers. Since this is not an issue for Apache I was wondering if this is an issue in the configuration of the server?
Is there some action I can take to mitigate these vulnerabilities? Are those services used in a way that an exploit is unlikely?
09-22-2020 08:35 AM
Hi cordm,
Thank you for escalating this concern.
Per the web server: We've identified a breakdown in our process that has prevented us from upgrading our web server more frequently. We have resolved this and I expect we'll ship an updated version of Apache httpd in our R4 release.
Per RabbitMQ: We've unfortunately had to hold off upgrading this component due to legacy Windows 7 support. When we upgraded the version of RabbitMQ and TLS during development, SystemLink would crash on Windows 7 machines. Luckily our support for Windows 7 expires in 2021 and we intend on shipping an updated version of RabbitMQ in our first 2021 release.
Per mitigating concerns regarding the TLS version used by RabbitMQ, it's best to make changes such that you no longer depend on AMQP. I would encourage you to move all your clients from AMQP to HTTP (I provided some rationale in another thread) and disable the Enable AMQP Client Access flag in NI SystemLink Server Configuration > NI SystemLink Service Manager > Security.
01-11-2021 04:04 AM
Thanks! SystemLink 2020 R4 was released in December and ships with apache 2.4.46.
01-27-2021 03:22 PM
Hello Mark,
We are still seeing a TLS 1.0 vulnerability after installing R4 and disabling AMQP. Is the only other option to wait for the RabbitMQ upgrade?
Thanks
Gordon
01-28-2021 11:57 AM
Hi Gordon,
Thank you for escalating this concern. You are correct that the version of RabbitMQ/Erlang shipping with SystemLink 2020R4 only supports TLS 1.0. We were prevented from upgrading this component sooner due to a cross-company requirement to support Windows 7 through 2020. Versions of RabbitMQ that support TLS 1.2 and 1.3 did not support Windows 7. Now that it is 2021 we are no longer constrained by these requirements, and we are upgrading to the latest version of RabbitMQ and Erlang to support TLS 1.2 and 1.3. This support will be delivered in our 2021R1 release expected this Spring.
Cheers,
Mark
01-28-2021 02:19 PM
Thank you. We will install 2021 R1 as soon as it is available.
Gordon
02-10-2021 08:29 AM
Hi Gordon,
With help from the development team we were able to verify that our current version of RabbitMQ can and does use TLS 1.2. Additionally we can adjust the configuration to disable older versions of TLS. This is likely why TLS 1.1 is showing up in your audit.
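The configuration adjustment Mark describes, as an added example for readers who still need the AMQP listener rather than disabling it (this is not NI's or the thread's own config): a RabbitMQ `rabbitmq.conf` fragment showing the unpinned setting beside one that refuses TLS 1.0/1.1 on both the AMQP TLS listener and the management (Cowboy) listener. The certificate paths are placeholders, and the ports 5673 and 15672 are taken from the audit above; where SystemLink actually keeps RabbitMQ's configuration is not stated in the thread, so that location is an assumption.

```ini
# --- Weak (before): nothing pinned, so the Erlang ssl application's
# --- default version list applies. On the older Erlang/OTP described in
# --- this thread that list still contains TLS 1.0 and 1.1, which is
# --- what the audit flagged on 5673 and 15672.
# listeners.ssl.default = 5673
# ssl_options.certfile  = /path/to/server_certificate.pem
# ssl_options.keyfile   = /path/to/server_key.pem

# --- Hardened (after): same listener, TLS versions and ciphers pinned.
# No plaintext AMQP listener at all; only the TLS listener on 5673.
listeners.tcp = none
listeners.ssl.default = 5673

# Placeholder paths; replace with the server's real certificate material.
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile   = /path/to/server_certificate.pem
ssl_options.keyfile    = /path/to/server_key.pem
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false

# Only TLS 1.2 is offered, so TLS 1.0 and 1.1 handshakes are refused.
# Add "ssl_options.versions.2 = tlsv1.3" once the broker runs on an
# Erlang/OTP release that supports it (the 2021 upgrade mentioned above).
ssl_options.versions.1 = tlsv1.2

# Server-preferred, forward-secret AEAD suites only (OpenSSL names).
ssl_options.honor_cipher_order = true
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256

# Management plugin (the Cowboy listener reported on 15672): serve it
# over TLS with the same version pin instead of plain HTTP.
management.ssl.port       = 15672
management.ssl.cacertfile = /path/to/ca_certificate.pem
management.ssl.certfile   = /path/to/server_certificate.pem
management.ssl.keyfile    = /path/to/server_key.pem
management.ssl.versions.1 = tlsv1.2
```

After restarting the broker, re-run the audit or try a handshake pinned to an old protocol (for example `openssl s_client -connect host:5673 -tls1_1`) and confirm it is rejected before signing the finding off.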