We recently had a security audit that included a test of our SystemLink server. It turns out that the Apache server is outdated (version 2.4.29) and has multiple security issues. I upgraded SystemLink to 2020 R3, but Apache was not upgraded. I am not sure how to rate those vulnerabilities or in what way the NI Webserver is different from Apache.
Additionally, the RabbitMQ/Cowboy server at port 5673 and 15672 was reported to allow weak encryption using TLS 1.0 and TLS 1.1 with weak ciphers. Since this is not an issue for Apache I was wondering if this is an issue in the configuration of the server?
Is there some action I can take to mitigate these vulnerabilities? Are those services used in a way that an exploit is unlikely?
Thank you for escalating this concern.
Per the web server: We've identified a breakdown in our process that has prevented us from upgrading our web server more frequently. We have resolved this and I expect we'll ship an updated version of Apache httpd in our R4 release.
Per RabbitMQ: We've unfortunately had to hold off upgrading this component due to legacy Windows 7 support. When we upgraded the version of RabbitMQ and TLS during development, SystemLink would crash on Windows 7 machines. Luckily our support for Windows 7 expires in 2021 and we intend on shipping an updated version of RabbitMQ in our first 2021 release.
Per mitigating concerns regarding the TLS version used by RabbitMQ, it's best to make changes such that you no longer depend on AMQP. I would encourage you to move all your clients from AMQP to HTTP (I provided some rationale in another thread) and disable the Enable AMQP Client Access flag in NI SystemLink Server Configuration > NI SystemLink Service Manager > Security.
We are still seeing a TLS 1.0 vulnerability after installing R4 and disabling AMQP. Is the only other option to wait for the RabbitMQ upgrade?
Thank you for escalating this concern. You are correct that the version of RabbitMQ/Erlang shipping with SystemLink 2020R4 only supports TLS 1.0. We were prevented from upgrading this component sooner due to a cross-company requirement to support Windows 7 through 2020. Versions of RabbitMQ that support TLS 1.2 and 1.3 did not support Windows 7. Now that it is 2021 we are no longer constrained by this requirement, and we are upgrading to the latest version of RabbitMQ and Erlang to support TLS 1.2 and 1.3. This support will be delivered in our 2021R1 release expected this Spring.
With help from the development team we were able to verify that our current version of RabbitMQ can and does use TLS 1.2. Additionally we can adjust the configuration to disable older versions of TLS. This is likely why TLS 1.1 is showing up in your audit.
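For anyone following this thread who does need to keep AMQP enabled, here is an added example of what "adjust the configuration to disable older versions of TLS" looks like in a stock RabbitMQ deployment. This is not NI's shipped configuration and not something from the SystemLink installer; it is a fragment in RabbitMQ's own new-style rabbitmq.conf format, using the two ports named in the audit above (5673 for AMQPS, 15672 for the management HTTP listener). The certificate paths are placeholders, and the assumption that the RabbitMQ/Erlang build bundled with SystemLink honours these keys and actually has TLS 1.2 compiled in is exactly the point this thread says to confirm with NI first.

```ini
# Added example, not NI's or RabbitMQ's shipped configuration.
# Format: RabbitMQ new-style rabbitmq.conf (key = value, one per line).
# All /PLACEHOLDER/ paths are placeholders for the real PEM files.

# --- Weak setting (what the audit flags as TLS 1.0/1.1 with weak ciphers) ---
# Listing only the listener and certificates, with ssl_options.versions and
# ssl_options.ciphers left unset, lets the Erlang ssl application offer every
# protocol version and cipher suite the runtime was built with.
#
# listeners.ssl.default = 5673
# ssl_options.cacertfile = /PLACEHOLDER/ca.pem
# ssl_options.certfile   = /PLACEHOLDER/server.pem
# ssl_options.keyfile    = /PLACEHOLDER/server-key.pem

# --- Hardened setting ---
# No plaintext AMQP listener at all; only the TLS listener on the audited port.
listeners.tcp = none
listeners.ssl.default = 5673
ssl_options.cacertfile = /PLACEHOLDER/ca.pem
ssl_options.certfile   = /PLACEHOLDER/server.pem
ssl_options.keyfile    = /PLACEHOLDER/server-key.pem

# Protocol floor: only TLS 1.2 is offered. Add "ssl_options.versions.2 = tlsv1.3"
# only once the bundled Erlang/OTP build supports it (assumption to verify).
ssl_options.versions.1 = tlsv1.2

# Server picks the suite, and only forward-secret AEAD suites are offered,
# which removes the CBC/RC4-era suites an audit reports as weak.
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256

# The management plugin (the 15672 listener in the audit) is configured
# separately and needs the same floor, otherwise it keeps offering TLS 1.0.
management.ssl.port = 15672
management.ssl.cacertfile = /PLACEHOLDER/ca.pem
management.ssl.certfile   = /PLACEHOLDER/server.pem
management.ssl.keyfile    = /PLACEHOLDER/server-key.pem
management.ssl.versions.1 = tlsv1.2
```

After restarting the broker, the check is the same one the auditor ran: a client pinned to TLS 1.0 or 1.1 (for example `openssl s_client -connect host:5673 -tls1`) should now fail the handshake, while `-tls1_2` should succeed against both ports. If a pinned TLS 1.2 handshake also fails, the bundled Erlang runtime does not support it and the thread's other answer applies: move clients off AMQP and turn off Enable AMQP Client Access in the Service Manager, which removes the 5673 listener from the audit entirely rather than trying to harden it.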