1. Introduction
The OSSIM SOAP Service Detection vulnerability means a web service used by the Open Source Security Information Management suite has been found on a system. OSSIM is a collection of tools for network security monitoring. This matters because the SOAP service could allow remote access to the underlying system, potentially exposing it to attack. A successful exploit may compromise confidentiality, integrity and availability.
2. Technical Explanation
The ‘av-centerd’ web service uses Simple Object Access Protocol (SOAP) for communication. This service is part of OSSIM and allows management tasks to be performed remotely. The vulnerability lies in the exposure of this service without adequate security controls. An attacker could attempt to exploit weaknesses within the SOAP interface.
- Root cause: The SOAP web service is exposed, potentially allowing unauthenticated or improperly authenticated access.
- Exploit mechanism: An attacker would send crafted SOAP requests to the ‘av-centerd’ endpoint to gain control of the OSSIM system.
- Scope: Systems running OSSIM are affected. Specific versions were not provided in the context.
3. Detection and Assessment
You can check for the service’s presence using network scanning tools or by directly querying the system. A thorough method involves examining running processes and listening ports.
- Quick checks: Use netstat -tulnp to list listening ports and identify ‘av-centerd’ if present.
- Scanning: Nessus ID 772feb7d can detect this service. This is an example only; other scanners may also provide detection.
- Logs and evidence: Check system logs for entries related to the ‘av-centerd’ process or SOAP traffic on relevant ports.
netstat -tulnp | grep av-centerd
4. Solution / Remediation Steps
The best solution is to disable or secure the OSSIM SOAP service if it isn’t needed. If required, ensure strong authentication and access controls are in place.
4.1 Preparation
- Changes should be made during a maintenance window with appropriate approval.
4.2 Implementation
- Step 1: Stop the OSSIM service using systemctl stop ossim.
- Step 2: Disable the SOAP service if it is not required using configuration tools specific to your OSSIM installation. This may involve editing a config file or running a command-line utility.
- Step 3: If the service must remain enabled, configure strong authentication and restrict access to trusted networks only.
- Step 4: Restart the OSSIM service using systemctl start ossim.
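Steps 2 and 4 are easier to audit and to undo when the configuration edit itself is scripted with a backup and a post-check. The following is an added example, not code from the page or from OSSIM: a POSIX shell function that flips an "enabled = true" entry to "enabled = false", refuses to run when the key is absent (so a no-op cannot pass for success), keeps a .bak copy of the original for roll back, and verifies the result. The key name and the /etc/ossim/config_file path are the page's own example values; the real OSSIM file and key may differ, which is an assumption to check on your installation.

```shell
#!/bin/sh
# Added example, not from the original advisory or from OSSIM. The key name
# 'enabled' and the path used in the comment below are the page's example
# values; the real OSSIM config file and key may differ, so adjust before use.

# disable_soap_entry FILE: set 'enabled = false', keeping FILE.bak for roll back.
# Returns 0 on verified success, 2 if FILE is missing, 3 if the key is absent,
# 1 if the edit or the post-check fails.
disable_soap_entry() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 2; }
    # Refuse to guess: an edit that matches nothing would look like success
    # while the service stays enabled.
    grep -q '^enabled[[:space:]]*=' "$cfg" || { echo "no 'enabled =' key in $cfg" >&2; return 3; }
    # Keep the FIRST backup only, so a re-run never overwrites the pre-change state.
    [ -f "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak" || return 1
    # Rewrite only an exact 'enabled = true' line (tolerating spacing), through a
    # temp file so a failed sed never truncates the original.
    sed 's/^enabled[[:space:]]*=[[:space:]]*true[[:space:]]*$/enabled = false/' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg" || { rm -f "$cfg.tmp"; return 1; }
    # Verify the post-condition instead of trusting the edit.
    grep -q '^enabled = false$' "$cfg"
}

# rollback_soap_entry FILE: restore the .bak copy (the quick roll back of section 7
# when a full snapshot restore is not needed).
rollback_soap_entry() {
    cfg="$1"
    [ -f "$cfg.bak" ] || { echo "no backup for $cfg" >&2; return 1; }
    mv "$cfg.bak" "$cfg"
}

# Demonstration on a constructed temp file, never on the live config.
# Real use, following steps 1-4 of section 4.2 (path is the page's example value):
#   systemctl stop ossim
#   disable_soap_entry /etc/ossim/config_file
#   systemctl start ossim
demo() {
    tmp=$(mktemp) || return 1
    printf '#Example config file entry - SOAP service enabled\nenabled = true\n' > "$tmp"
    disable_soap_entry "$tmp" && grep '^enabled' "$tmp"      # enabled = false
    rollback_soap_entry "$tmp" && grep '^enabled' "$tmp"     # enabled = true
    rm -f "$tmp"
}
demo
```

The function is idempotent: a second run finds the key, changes nothing, and still passes the post-check, while the original backup is preserved for roll back.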
4.3 Config or Code Example
Before
#Example config file entry - SOAP service enabled
enabled = true
After
#Example config file entry - SOAP service disabled
enabled = false
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege to limit the impact if the service is compromised.
- Practice 2: Network segmentation to restrict access to the service from untrusted networks.
4.5 Automation (Optional)
#Example Ansible task to disable SOAP service - adjust path as needed
#Note: 'Restart OSSIM' must be defined as a handler in the same play, and if no
#line matches the regexp, lineinfile appends 'enabled = false' at the end of the file
- name: Disable OSSIM SOAP Service
  lineinfile:
    path: /etc/ossim/config_file
    regexp: '^enabled = true$'
    line: 'enabled = false'
  notify: Restart OSSIM
5. Verification / Validation
Confirm the service is no longer listening on its port or that access is restricted as configured. Test key functionality to ensure changes haven’t broken anything.
- Post-fix check: Run netstat -tulnp | grep av-centerd and confirm no process is listening on the SOAP port.
- Re-test: Re-run Nessus ID 772feb7d to verify the vulnerability is no longer detected.
- Smoke test: Verify that other OSSIM functions, such as alert processing, are still working correctly.
- Monitoring: Monitor system logs for any errors related to the SOAP service or authentication failures.
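The post-fix check above (and the quick check in section 3) can be scripted so it yields a pass/fail status instead of output to eyeball, and so it also tells you whether a still-running av-centerd is bound to all interfaces or only to loopback, which matters for step 3 of section 4.2. This is an added example, not code from the page or from OSSIM: a POSIX shell function that reads netstat -tulnp style output on stdin, prints each socket owned by av-centerd with its exposure, and returns 0 when the finding is still present or 1 when it is gone. The socket tables at the bottom are constructed samples; the port number in them is a placeholder, not a value from the page.

```shell
#!/bin/sh
# Added example, not from the original advisory or from OSSIM.
# Reads "netstat -tulnp" style output on stdin and prints one line per socket
# owned by av-centerd ("address:port PID/program scope"), then returns 0 if any
# were found (finding still present) or 1 if none (post-fix check passed).
# Note: without root, netstat shows "-" in the program column, so run the real
# check as root.
av_centerd_listening() {
    awk '
        # $NF is "PID/Program name"; $4 is "local address:port"; tcp rows carry a
        # State column ($6), udp rows do not.
        $NF ~ /\/av-centerd$/ && ($1 ~ /^udp/ || $6 == "LISTEN") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # strip the port
            if (addr == "127.0.0.1" || addr == "::1")
                scope = "loopback-only"
            else
                scope = "reachable-from-network"
            print $4, $NF, scope
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample socket tables (not real OSSIM output; port 40007 is a placeholder).
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:40007           0.0.0.0:*               LISTEN      1234/av-centerd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      900/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           501/dhclient'
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      900/mysqld'

# Runs the check against a sample table; returns the function's exit status.
check_sample() {
    printf '%s\n' "$1" | av_centerd_listening
}

# Returns the scope word reported for av-centerd in a sample (empty if not listening).
sample_scope() {
    printf '%s\n' "$1" | av_centerd_listening | awk '{ print $3 }'
}

# Live usage on the host (as root):  netstat -tulnp 2>/dev/null | av_centerd_listening
check_sample "$SAMPLE_BEFORE"                                    # prints the av-centerd socket, returns 0
check_sample "$SAMPLE_AFTER" || echo "post-fix check passed"     # prints nothing, returns 1
```

A "reachable-from-network" result on a service that must stay enabled is the case step 3 of section 4.2 addresses: restrict the listener to trusted networks, then re-run the check.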
6. Preventive Measures and Monitoring
Update security baselines to include disabling unnecessary services. Implement regular vulnerability scanning during deployment.
- Baselines: Update your system baseline or CIS control settings to disallow the running of unneeded services like SOAP.
- Asset and patch process: Review configurations regularly to ensure unnecessary services remain disabled.
7. Risks, Side Effects, and Roll Back
Disabling the SOAP service may affect functionality that relies on it. Restoring from a snapshot is the quickest roll back.
- Risk or side effect 1: Disabling the service could break remote management features.
- Risk or side effect 2: Incorrect configuration changes might prevent OSSIM from starting.
- Roll back:
- Step 1: Restore the system from the snapshot taken before the change, then start the OSSIM service.
- Step 2: Verify that the OSSIM service is running and functioning correctly.
8. References and Resources
- Vendor advisory or bulletin: http://www.nessus.org/u?772feb7d