Vulnerability Solutions
Proactively address known security vulnerabilities to harden your system, protect data, and ensure operational integrity.
A VAPT (Vulnerability Assessment and Penetration Testing) solution document outlines the process of identifying and addressing security vulnerabilities in your IT infrastructure. It covers vulnerability assessments, which detect weaknesses, and penetration testing, which simulates cyberattacks to exploit them. This document helps improve security by proactively identifying risks and ensuring compliance with security standards.
This document details the resolutions for various identified vulnerabilities.
- The solutions provided apply to Ubuntu OS v22.04.
- Please use the ROOT user to execute the commands.
VAPT List
SHA1 Deprecated Setting in SSH
The use of SHA1-based Message Authentication Codes (MACs) in SSH is insecure due to known cryptographic weaknesses. Continued use can lead to downgrade or collision attacks.
- Affected System: OpenSSH Server
- Risk Level: High
Solution:
Edit the SSH configuration file:
```
sudo nano /etc/ssh/sshd_config
```
Update MACs to exclude SHA1 by adding or modifying the `MACs` line:
```
MACs hmac-sha2-512,hmac-sha2-256
```
If applicable, remove SHA1 from any include lines. For example:
```
include "Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr MACs hmac-sha2-256,hmac-sha2-512 KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384"
```
Restart the SSH service:
```
sudo systemctl restart ssh
```
OpenSSL < 3.0.7 Buffer Overflow
Older versions of OpenSSL are vulnerable to buffer overflow exploits that may lead to remote code execution or denial-of-service attacks.
- Affected System: OpenSSL versions < 3.0.7 on Ubuntu 24.04
- Risk Level: Critical
Solution:
Download and install the latest OpenSSL `.deb` file (e.g., `openssl_3.0.16-1~deb12u1_amd64.deb`):
```
sudo dpkg -i openssl_3.0.16-1~deb12u1_amd64.deb
```
Verify the installation:
```
openssl version
```
Expected output:
```
OpenSSL 3.0.16 xx XXX xxxx
```
Verification and Validation:
- Ensure SSH connections function as expected post-change.
- Run a vulnerability scan to confirm the removal of the SHA1 usage and buffer overflow vulnerability.
- Log the verification results in your change management records.
Privilege Escalation (IDX-002)
Attackers exploit weaknesses in a system or application to bypass user restrictions, leading to:
- Horizontal Privilege Escalation – Gaining access to another user's data or actions.
- Vertical Privilege Escalation – Obtaining higher-level permissions, such as administrator rights.
Solution:
This is an application-level vulnerability that has been addressed in the product code. A new REST API was created and mapped to internal APIs to enforce field-level visibility from the UI, preventing unauthorized data access. No administrator action is required.
EXIF Geolocation Data Not Stripped (IDX-007)
When a user uploads an image, sensitive metadata is not removed, allowing attackers to access:
- Geolocation Data – Revealing the user's exact location.
- Device Information – Including device name, version, software, and software version used.
Solution:
This is an application-level vulnerability that has been addressed in the product code. Images are now sanitized upon upload to strip sensitive EXIF metadata. No administrator action is required.
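As an added illustration of what "sanitized upon upload" means for JPEG files (example code, not the product's own implementation): the sanitizer below walks the JPEG marker segments and drops every APP1 segment, which is where Exif (including the GPS IFD that carries geolocation) and XMP metadata live, while leaving the JFIF header, tables and image data untouched. The sample JPEG skeleton is constructed inline for the demonstration and is not a decodable picture.

```python
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1

def segments(data: bytes):
    """Yield (marker, bytes) per header segment; SOS and everything after it come as one final chunk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file (missing SOI)")
    pos = 2
    while True:
        if pos + 1 >= len(data) or data[pos] != 0xFF:
            raise ValueError("corrupt or truncated JPEG at offset %d" % pos)
        while data[pos + 1] == 0xFF and pos + 2 < len(data):  # skip optional fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in (SOS, EOI):  # image data (and EOI) carries no metadata: copy verbatim
            yield marker, data[pos:]
            return
        if pos + 4 > len(data):
            raise ValueError("truncated JPEG header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts itself, not the marker
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length

def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every APP1 segment (Exif incl. GPS IFD, and XMP) removed."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in segments(data):
        if marker != APP1:
            out += seg
    return bytes(out)

def has_exif(data: bytes) -> bool:  # True if an APP1 segment carries the Exif identifier
    return any(m == APP1 and seg[4:10] == b"Exif\x00\x00" for m, seg in segments(data))

def _seg(marker: int, payload: bytes) -> bytes:  # builds one marker segment for the sample
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not a real photo): JFIF APP0, a dummy Exif APP1 holding only a
# TIFF header, a placeholder quantisation table, and a stub scan followed by EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 16)
    + _seg(0xDB, b"\x00" + b"\x01" * 64)
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56"
    + b"\xff\xd9"
)
```

Because the segment walk stops at SOS, the function never re-encodes pixels, so the sanitized file stays byte-identical to the original apart from the removed metadata segments.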
Username Enumeration (IDX-009)
The application displays different error messages for incorrect usernames and passwords, allowing attackers to:
- Identify valid usernames.
- Use this information for further attacks (e.g., brute force attempts).
Solution:
This is an application-level vulnerability that has been addressed in the product code. A common, generic error response is now used for both invalid usernames and passwords in the login and forgot password flows to prevent enumeration. No administrator action is required.
Frontend Restriction Bypassed (IDX-008)
Attackers can manipulate client-side security controls such as:
- Disabling JavaScript validation to bypass input checks.
- Altering input limits to exceed intended values.
- Modifying hidden fields using browser developer tools or scripts.
Solution:
This is an application-level vulnerability that has been addressed in the product code. Strict server-side validation has been implemented for all user inputs to ensure that frontend restrictions cannot be bypassed. No administrator action is required.
JDK Vulnerability
The existing JDK version contains multiple security vulnerabilities.
Solution:
The JDK was upgraded from 17.0.12 to 17.0.14 to address security issues. It is recommended to always use the latest stable version of the JDK.
Exploitable HTTP Methods ("PUT")
Allowing unused HTTP methods increases security risks:
- Attack Surface Expansion: If methods like PUT, DELETE, or PATCH are enabled, attackers can modify, delete, or overwrite data.
- Exploitation Risk: Even if the application does not actively use these methods, they can still be targeted for attacks.
Solution:
The PUT method was removed from API calls to prevent unauthorized modifications. Review and disable all unnecessary HTTP methods.
PostgreSQL Vulnerability
A zero-day vulnerability in PostgreSQL exposes the system to potential threats.
Solution:
Upgraded PostgreSQL from versions 11 and 16.1 to 16.8 to patch security vulnerabilities.
Elastic Search Vulnerability
A zero-day vulnerability in Elastic Search poses security risks.
Solution:
Updated Elastic Search from v7.3.2 to v8.17.2 to ensure security compliance.
Lib Curl Vulnerability
Solution:
To resolve this vulnerability, upgrade lib curl to version 8.4 or later.
1. Download and extract the `curl_VAPT` zip file containing the required packages.
2. Log in to the terminal server.
3. Navigate to the extracted folder and install the `.deb` packages:
`dpkg -i *.deb`

4. Once dependencies are installed, update the curl package by extracting and installing from the source tar file.

5. Navigate to the curl source folder as shown below.

6. Run the following commands:
```
./configure --without-ssl
make
make install
ldconfig
```

7. Verify the new version:
`curl --version`
SSH Terrapin Prefix Truncation Weakness
Solution:
Add the following line to the `/etc/ssh/sshd_config` file:
```
Ciphers -chacha20-poly1305@openssh.com
```
Save the file by pressing the Esc key, typing `:wq!`, and pressing Enter.
Check the status of sshd using the command:
```
systemctl status sshd
```
Restart the SSH service and verify its status:
```
systemctl restart sshd
systemctl status sshd
```
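An added verification check, not part of the original document, that serves both the SHA1 MAC fix above and this Terrapin cipher fix: it resolves the MACs and Ciphers lists sshd will actually use from an sshd_config, honouring the `+`, `-` and `^` list-editing syntax (so that `Ciphers -chacha20-poly1305@openssh.com` is interpreted as a removal from the defaults, not as a replacement list), and reports any SHA1/MD5 MACs or Terrapin-affected ciphers that remain. The default algorithm lists are assumed to be those of OpenSSH 8.9 as shipped with Ubuntu 22.04; compare them against `sshd -T` on the host.

```python
from fnmatch import fnmatchcase

# Upstream OpenSSH default algorithm sets (assumption: OpenSSH 8.9 on Ubuntu 22.04);
# adjust if `sshd -T | grep -Ei '^(macs|ciphers)'` on the host shows different lists.
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]

def effective_list(config_text, keyword, defaults):
    """Resolve the list sshd will use for `keyword` ("MACs" or "Ciphers").

    sshd_config rules applied: the first directive for a keyword wins; a value
    starting with '+' appends to the defaults, '-' removes entries (wildcards
    allowed), '^' moves entries to the front, and a bare list replaces the
    defaults outright. Match blocks are not modelled.
    """
    result = list(defaults)
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2 or parts[0].lower() != keyword.lower():
            continue
        value = parts[1].strip()
        items = [v for v in value.lstrip("+-^").split(",") if v]
        if value.startswith("+"):
            return result + [i for i in items if i not in result]
        if value.startswith("-"):
            return [a for a in result if not any(fnmatchcase(a, p) for p in items)]
        if value.startswith("^"):
            return items + [a for a in result if a not in items]
        return items
    return result

def weak_entries(config_text):
    """Return (SHA1/MD5 MACs, Terrapin-affected ciphers) still enabled by this config."""
    macs = effective_list(config_text, "MACs", DEFAULT_MACS)
    ciphers = effective_list(config_text, "Ciphers", DEFAULT_CIPHERS)
    weak_macs = [m for m in macs if "sha1" in m or "md5" in m]
    # Terrapin targets chacha20-poly1305 and CBC-mode ciphers (the latter when paired
    # with EtM MACs); CBC entries are flagged whenever present.
    weak_ciphers = [c for c in ciphers if c.startswith("chacha20-poly1305") or "-cbc" in c]
    return weak_macs, weak_ciphers
```

Feed it the contents of `/etc/ssh/sshd_config` (and any files pulled in via `Include`) and expect two empty lists once both fixes are in place.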
OpenSSL 1.0.1 < 1.0.1u Multiple Vulnerabilities
Solution:
Download the provided `openssl_302_u22.zip` file containing the updated packages.
Extract it and install the packages with dpkg:
```
cd openssl/
dpkg -i openssl_3.0.2-0ubuntu1.18_amd64.deb
```
APACHE Log4j RCE Vulnerability
A Remote Code Execution (RCE) vulnerability exists in Apache Log4j versions < 2.3.2, < 2.12.4, and < 2.17.1.
Solution:
Before performing the steps below, ensure the file paths are correct for your environment.
Download the ElasticSearchlog4jVAPT.zip file containing updated Log4j libraries.
Replace the two files and assign ownership to them.
Check the Elasticsearch service status and stop it:
```
systemctl status elasticsearch
systemctl stop elasticsearch
```
Navigate to the Elasticsearch library directory:
```
cd /usr/share/elasticsearch-7.3.2/lib
```
Remove the older Log4j library files:
```
rm log4j-core-2.11.1.jar
rm log4j-api-2.11.1.jar
```
Copy the updated Log4j library files to `/usr/share/elasticsearch-7.3.2/lib/`:
```
cp log4j-core-2.17.2.jar /usr/share/elasticsearch-7.3.2/lib/
cp log4j-api-2.17.2.jar /usr/share/elasticsearch-7.3.2/lib/
```
Assign `fmtuser:fmtusergroup` ownership to the Elasticsearch directory:
```
cd /usr/share/
chown -R fmtuser:fmtusergroup /usr/share/elasticsearch-7.3.2/
```
Check the Elasticsearch service status and start it:
```
systemctl status elasticsearch
systemctl start elasticsearch
systemctl status elasticsearch
```
OpenSSH Upgrade to 9.6
Solution:
To resolve the vulnerability, follow the below steps:
- Take a VM snapshot before implementing this solution.
- Back up your database and fileDB to a separate location.
- The attached ZIP file includes two fully functional methods for the OpenSSH solution.
Download and extract the OpenSSH_VAPT.zip file.
Install the dependency packages:
```
cd OpenSSH_VAPT/OpensshPack/DepPack
dpkg -i *.deb
```
Extract the OpenSSH source tar file:
```
tar -xzvf openssh-9.6p1.tar.gz
```
Navigate to the extracted folder:
```
cd openssh-9.6p1
```
Verify the current SSH version:
```
ssh -V
```
Compile and install the new version:
```
./configure
make
sudo make install
source /etc/environment
```
Verify the new SSH version:
```
ssh -V
```
Ubuntu OS Upgrade
For vulnerabilities tied to the operating system version, a full OS upgrade is often the most comprehensive solution. For detailed instructions, refer to the Steps to Upgrade Ubuntu Version guide.