
How to remediate – Advanced Message Queuing Protocol Detection STARTTLS Support

1. Introduction

A vulnerability scan has reported that an AMQP (Advanced Message Queuing Protocol) broker accepts cleartext connections and offers to upgrade them to TLS in-band, the AMQP equivalent of STARTTLS. Because the TLS upgrade is optional on that port, clients can still authenticate and exchange messages unencrypted, and an attacker on the network path can read or alter that traffic. This article shows how to confirm the finding and how to make the broker TLS-only.

2. Technical Explanation

  • Root cause: the broker exposes a cleartext AMQP listener (typically TCP 5672). TLS on that port is opportunistic: a client may send the AMQP 1.0 TLS protocol header to upgrade the connection, but nothing requires it, so a client that does not (or one that falls back after an active attacker rejects the upgrade) sends its SASL credentials and message payloads in cleartext.
  • Scope: AMQP brokers, such as RabbitMQ or Apache ActiveMQ, that expose a cleartext AMQP listener. The configuration shown below is for RabbitMQ; other brokers have equivalent listener and TLS settings.

3. Detection and Assessment

To confirm the finding, check the broker configuration for a cleartext listener (for RabbitMQ, any listeners.tcp.* key other than listeners.tcp = none, or no listeners.tcp key at all, since a cleartext listener on 5672 is the default) or probe the port from the network.

  • Quick check: connect to the AMQP port (typically TCP 5672) and send the 8-byte AMQP 1.0 TLS protocol header: the ASCII string AMQP followed by the bytes 0x02 0x01 0x00 0x00. A broker that offers TLS on that port echoes the same header back; one that does not replies with the header of the protocol it does accept and closes the connection (RabbitMQ's AMQP 0-9-1 listener answers AMQP 0x00 0x00 0x09 0x01). Either reply proves the port accepts cleartext connections. AMQP is a binary protocol, so telnet cannot send this header; use printf and nc.
  • Scanning: the vulnerability scanner plugin that raised this finding performs the same exchange across the address range; use its results to build the list of affected listeners rather than re-probing by hand.
  • Logs and evidence: the broker log records accepted connections with the peer address and the local listener port (RabbitMQ writes lines of the form "accepting AMQP connection ... (client-ip:port -> broker-ip:5672)"); every connection accepted on the cleartext port is evidence of an unencrypted session.
printf 'AMQP\002\001\000\000' | nc -w 3 <target-host> 5672 | od -An -c
An echoed A M Q P 002 001 \0 \0 means the TLS upgrade is offered on a port that also accepts cleartext; any other AMQP header means the port is cleartext-only.
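The same exchange as a script, added here as an example; it is not part of the original article or of any broker's code. It builds the AMQP 1.0 protocol header, sends the TLS variant over a cleartext connection and classifies the reply. The target host is an assumption (pass it as the first argument), and the replies used for illustration are constructed.

```python
"""Probe an AMQP port for in-band TLS ("STARTTLS") support.

AMQP 1.0 negotiates TLS with an 8-byte protocol header, not a text command:
b"AMQP" + protocol-id (0 = plain AMQP, 2 = TLS, 3 = SASL) + version 1.0.0.
A broker that offers the TLS layer on the port echoes the TLS header back;
one that does not answers with the header it does accept and disconnects.
"""
import socket
import sys
from typing import Optional, Tuple

HEADER_LEN = 8
PROTO_PLAIN, PROTO_TLS, PROTO_SASL = 0, 2, 3


def build_header(protocol_id: int, major: int = 1, minor: int = 0, revision: int = 0) -> bytes:
    """Build an AMQP 1.0 protocol header: b'AMQP' + protocol-id + major.minor.revision."""
    return b"AMQP" + bytes([protocol_id, major, minor, revision])


def parse_header(data: bytes) -> Optional[Tuple[int, Tuple[int, int, int]]]:
    """Return (protocol_id, (major, minor, revision)), or None if data is not an AMQP header."""
    if len(data) < HEADER_LEN or data[:4] != b"AMQP":
        return None
    return data[4], (data[5], data[6], data[7])


def classify_response(sent: bytes, received: bytes) -> str:
    """Interpret the broker's reply to the TLS protocol header we sent."""
    if received == sent:
        # The broker accepted the TLS layer on a port that also accepted our
        # cleartext connection: the condition this finding reports.
        return "tls-upgrade-supported"
    parsed = parse_header(received)
    if parsed is None:
        return "no-amqp-header"  # closed connection, timeout, or not an AMQP service
    protocol_id, version = parsed
    if protocol_id == PROTO_PLAIN and version == (0, 9, 1):
        # RabbitMQ's classic listener answers an unknown header with the 0-9-1 header.
        return "amqp-0-9-1-cleartext-only"
    return f"tls-upgrade-rejected (broker offered protocol-id {protocol_id}, version {version})"


def probe(host: str, port: int = 5672, timeout: float = 3.0) -> str:
    """Connect in cleartext, send the TLS header, read up to 8 bytes, classify."""
    sent = build_header(PROTO_TLS)
    received = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sent)
        try:
            while len(received) < HEADER_LEN:
                chunk = sock.recv(HEADER_LEN - len(received))
                if not chunk:
                    break
                received += chunk
        except socket.timeout:
            pass  # no reply within the timeout: classified as no-amqp-header
    return classify_response(sent, received)


if __name__ == "__main__":
    # Target host is an assumption for illustration; pass it as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    try:
        print(f"{target}:5672 -> {probe(target)}")
    except ConnectionRefusedError:
        print(f"{target}:5672 -> connection refused (no cleartext listener)")
```

Any classification other than a refused connection means the port accepts cleartext sessions; "tls-upgrade-supported" is the specific condition the scanner reports, and "amqp-0-9-1-cleartext-only" is worse, not better, because no encryption is available on that port at all.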

4. Solution / Remediation Steps

The best solution is to configure the AMQP service to require TLS encryption for all connections, disabling cleartext communication altogether.

4.1 Preparation

  • Back up the current configuration file and obtain a server certificate and private key issued by a CA that every client trusts; the roll-back plan is to restore that backup and restart the service. Confirm with the owners of each dependent application that their clients can be switched to TLS (amqps:// URIs, port 5671, the CA bundle), because once the cleartext listener is removed, clients that were not updated will fail to connect.
  • A change window may be required depending on the criticality of the AMQP service. Approval from system owners might be needed.

4.2 Implementation

  1. Step 1: Edit the broker configuration (rabbitmq.conf for RabbitMQ): disable the cleartext listener (listeners.tcp = none), enable a TLS listener (listeners.ssl.default = 5671) and point ssl_options.* at the CA certificate, server certificate and private key.
  2. Step 2: Restart the broker (for example systemctl restart rabbitmq-server) and confirm that only the TLS port is bound, for example with rabbitmq-diagnostics listeners or ss -ltn.

4.3 Config or Code Example

Before

# RabbitMQ example (rabbitmq.conf) - cleartext AMQP listener on 5672
# (this is also RabbitMQ's default when no listeners.* keys are set)
listeners.tcp.default = 5672

After

# RabbitMQ example (rabbitmq.conf) - TLS-only
# disable every cleartext listener
listeners.tcp = none
# TLS listener on the standard amqps port
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile   = /path/to/server_certificate.pem
ssl_options.keyfile    = /path/to/private_key.pem
# validate client certificates when presented; set fail_if_no_peer_cert = true
# to require them (mutual TLS) once every client has one
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false

4.4 Security Practices Relevant to This Vulnerability

Several security practices address this class of finding. Secure defaults matter most: a broker that is installed with a TLS-only listener never exposes a cleartext port that has to be removed later. Least privilege limits what an attacker who does capture credentials can do: give each application its own broker user with permissions scoped to the virtual host and queues it needs, rather than a shared administrative account. A regular patch cadence keeps the broker and the TLS library it links against current with security fixes.

  • Practice 1: Enforce TLS for all broker connections so that credentials (AMQP authentication is typically SASL PLAIN) and message payloads are never sent in cleartext.
  • Practice 2: Apply least privilege to broker users, virtual hosts and queue permissions to limit the impact of a captured credential.

4.5 Automation (Optional)

If using configuration management tools, you can automate the process of updating the AMQP service configuration file and restarting the service.

# Example Ansible task with the handler it notifies
- name: Deploy TLS-only RabbitMQ configuration
  ansible.builtin.copy:
    src: rabbitmq.conf
    dest: /etc/rabbitmq/rabbitmq.conf
    backup: true   # keep a timestamped copy of the old file for roll back
  notify: Restart RabbitMQ
# handlers:
- name: Restart RabbitMQ
  ansible.builtin.service:
    name: rabbitmq-server
    state: restarted

5. Verification / Validation

  • Post-fix check: connect to the TLS port (5671 for RabbitMQ) with openssl s_client and confirm that the handshake completes, the chain verifies against your CA ("Verify return code: 0 (ok)") and the negotiated protocol is TLSv1.2 or TLSv1.3.
  • Re-test: repeat the probe from the Detection and Assessment section against the original cleartext port. With the cleartext listener removed, the connection is refused and no AMQP header of any kind comes back.
  • Smoke test: verify that client applications connect over TLS (amqps:// on 5671) and publish and consume normally.
  • Monitoring: watch the broker log for TLS handshake failures and connection errors after the change; they usually identify a client that was not migrated or does not trust the CA.
openssl s_client -connect <target-host>:5671 -servername <target-host> -CAfile /path/to/ca_certificate.pem </dev/null
printf 'AMQP\002\001\000\000' | nc -w 3 <target-host> 5672
The first command should end with "Verify return code: 0 (ok)"; the second should fail with "Connection refused".
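The verification steps above as one script, added here as an example and not taken from the original article or from RabbitMQ. It checks that the cleartext port no longer accepts TCP connections and that the TLS port completes a handshake with TLS 1.2 or 1.3, a chain that verifies against the given CA, and a certificate that has not expired. The host name, ports and CA file path are assumptions, and the handshake results used for illustration are constructed.

```python
"""Verify that an AMQP broker is now TLS-only.

Checks (1) nothing accepts connections on the cleartext port and (2) the TLS
port completes a handshake with TLS 1.2/1.3, a chain that verifies against the
given CA, and an unexpired server certificate.
"""
import socket
import ssl
import sys
import time
from typing import List, Optional

ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def cleartext_accepts_connections(host: str, port: int = 5672, timeout: float = 3.0) -> bool:
    """True if a TCP connection to the cleartext AMQP port still succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def tls_handshake(host: str, port: int = 5671, cafile: Optional[str] = None,
                  timeout: float = 3.0) -> dict:
    """Complete a verified TLS handshake and report what was negotiated."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "not_after": cert["notAfter"]}


def evaluate(cleartext_open: bool, handshake: Optional[dict],
             now: Optional[float] = None) -> List[str]:
    """Return the list of problems found; an empty list means the fix verified."""
    now = time.time() if now is None else now
    problems = []
    if cleartext_open:
        problems.append("cleartext AMQP port still accepts connections")
    if handshake is None:
        problems.append("TLS handshake failed")
        return problems
    if handshake["version"] not in ACCEPTED_VERSIONS:
        problems.append(f"weak protocol negotiated: {handshake['version']}")
    # notAfter is in OpenSSL's "Mon DD HH:MM:SS YYYY GMT" form.
    if ssl.cert_time_to_seconds(handshake["not_after"]) < now:
        problems.append("server certificate has expired")
    return problems


def verify(host: str, tcp_port: int = 5672, tls_port: int = 5671,
           cafile: Optional[str] = None) -> List[str]:
    """Run both checks against a live broker."""
    try:
        handshake = tls_handshake(host, tls_port, cafile)
    except (OSError, ssl.SSLError):
        handshake = None
    return evaluate(cleartext_accepts_connections(host, tcp_port), handshake)


if __name__ == "__main__":
    # Host and CA path are assumptions for illustration.
    target = sys.argv[1] if len(sys.argv) > 1 else "broker.example.internal"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    issues = verify(target, cafile=ca)
    print("OK: broker is TLS-only" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Because the handshake uses ssl.create_default_context, an untrusted CA or a host-name mismatch is reported as a failed handshake, which is the same failure a correctly configured client would see.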

6. Preventive Measures and Monitoring

Update security baselines to include requirements for TLS encryption on all sensitive services. Add checks in CI/CD pipelines to ensure that AMQP service configurations are secure. Implement a regular patch or configuration review cycle to identify and address potential vulnerabilities.

  • Baselines: Update your security baseline to require TLS encryption for all AMQP connections.
  • Pipelines: Include static analysis checks in CI/CD pipelines to validate AMQP configuration files.
  • Asset and patch process: Review AMQP service configurations regularly as part of a vulnerability management program.
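For the pipeline check above, an added example that is not the article's or RabbitMQ's own tooling: it parses a rabbitmq.conf and fails when a cleartext listener is still enabled or the TLS listener is incomplete. The key names are RabbitMQ's (listeners.tcp, listeners.ssl, ssl_options); the two sample configurations, one cleartext and one TLS-only, are constructed inline, and the file path is an assumption.

```python
"""CI gate: fail when a rabbitmq.conf still allows a cleartext AMQP listener.

Parses the key = value rabbitmq.conf format ('#' starts a comment) and returns
findings. With no listeners.tcp key at all RabbitMQ still opens its default
cleartext listener on 5672, so the absence of the key is a finding too.
"""
import sys
from typing import Dict, List

REQUIRED_SSL_KEYS = ("ssl_options.cacertfile", "ssl_options.certfile", "ssl_options.keyfile")

# Constructed samples: a cleartext configuration and a TLS-only one.
BEFORE = """\
# cleartext listener (also RabbitMQ's behaviour with no listeners.* keys)
listeners.tcp.default = 5672
"""

AFTER = """\
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca_certificate.pem
ssl_options.certfile   = /etc/rabbitmq/server_certificate.pem
ssl_options.keyfile    = /etc/rabbitmq/server_key.pem
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false
"""


def parse_rabbitmq_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; comments and lines without '=' are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def lint(conf: Dict[str, str]) -> List[str]:
    """Return findings that should block a deploy; an empty list means TLS-only."""
    findings = []
    tcp = {k: v for k, v in conf.items() if k == "listeners.tcp" or k.startswith("listeners.tcp.")}
    if not tcp:
        findings.append("no listeners.tcp setting: RabbitMQ defaults to a cleartext listener on 5672; add 'listeners.tcp = none'")
    elif tcp.get("listeners.tcp") != "none":
        findings.extend(f"cleartext listener enabled: {k} = {v}" for k, v in sorted(tcp.items()))
    if not any(k.startswith("listeners.ssl.") for k in conf):
        findings.append("no listeners.ssl.* setting: no TLS listener configured")
    findings.extend(f"missing {key}" for key in REQUIRED_SSL_KEYS if key not in conf)
    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append("ssl_options.verify is not verify_peer: presented client certificates are not validated")
    return findings


if __name__ == "__main__":
    # Path is an assumption; with no argument the constructed cleartext sample is linted.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            findings = lint(parse_rabbitmq_conf(fh.read()))
    else:
        findings = lint(parse_rabbitmq_conf(BEFORE))
    for finding in findings:
        print("FAIL:", finding)
    sys.exit(1 if findings else 0)
```

Run it against the rendered rabbitmq.conf in the pipeline stage that builds the broker image or configuration package; a non-zero exit blocks the deploy before a cleartext listener reaches production.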

7. Risks, Side Effects, and Roll Back

A potential risk is that client applications may need to be updated to support TLS encryption. Service interruption could occur if the configuration is incorrect or if there are issues with TLS certificate validation. To roll back, restore the original AMQP service configuration file and restart the service.

  • Risk or side effect 1: Client application compatibility issues requiring updates.
  • Risk or side effect 2: Service interruption due to misconfiguration of TLS settings.
  • Roll back:
    1. Step 1: Restore the original AMQP service configuration file.
    2. Step 2: Restart the AMQP service.

8. References and Resources

Updated on October 26, 2025
