Thales/nCipher HSM-driver in Web Gateway listens on 0.0.0.0:9004 by default

Technical Articles ID: KB91638
Last Modified: 2022-05-27 07:14:56 Etc/GMT

Environment

Web Gateway (WG) 7.x, 8.x
Web Gateway Hardware Appliance with Thales nfast card (HSM card)

Problem

WG provides drivers for the Thales HSM hardware. When you enable the Thales Hardware HSM feature or the nfast.service, the MLOS package's nfast service accepts connections on TCP-port 9004 for all interfaces.

NOTE: Connections on the TCP-port 9004 are accepted only if you use the default configuration.

According to nCipher/Thales support, if TCP-port 9004 is accessible on proxy-traffic or internet-facing interfaces, a potential DoS attack or other vulnerabilities can be exploited.

The TCP-port 9004 needs to be open if you use the following:

RFS—Remote File System = shared Security World = encrypted private keys
Remote administration or other remote Thales features like nShield Connect.

NOTE: These features require an extra shell-based configuration or setup.

You don't need to open the port if you perform the following:

Configure the Thales driver without RFS on each host
Don't use the Thales tools for remote administration

Affected versions:
The following WG packages include the nfast drivers:

7.6.2.x
7.7.2.x (up to 7.7.2.21)
7.8.2.x (up to 7.8.2.11)
8.1.x (up to 8.1.3)

Cause

The default configuration for nfast.service is insecure. It opens port 9004 on all interfaces when HSM is enabled and the Thales/nChipher hardware is installed.

But, you're only at risk of attacks if a firewall doesn't block access to IPv4 TCP-port 9004. WG's fixed packages close port 9004 by default. If you need the post open, customize the HSM-configuration as stated in the "Workaround" field.

Solution

The following versions provide a default configuration with TCP port 9004 disabled and restricted to interface loopback (127.0.0.1):

7.7.2.22
7.8.2.11
8.1.4 (and newer releases).

We recommend that you upgrade WG as a priority.

After the upgrade, verify that port 9004 is closed. Or, you can configure it to be open on trusted interfaces only (non-client or internet-facing ports). These configuration options are documented in the "Workaround" field of this article.

NOTE: Changes to the /opt/nfast/kmdata/config/config are retained.

Workaround

To configure the Thales/nCipher nfast driver to listen on TCP port 9004 on a select, trusted interface, perform the steps below:

Open /opt/nfast/kmdata/config/config in a text editor of your choice.

NOTE:
- Comments on a configure line aren't supported and stop the service from starting.
- This example assumes a management host address of 10.1.1.1.
Locate the entry:
[server_remotecomms]
Enable and configure the port:
1. Scroll down to impath_port=0
2. Replace the 0 with the custom remote port:
  For example: impath_port=9004
Configure the available options as needed:
- Scroll to impath_interface=lo and configure the presented options as needed.
  Replace lo (for loopback) with eth0 to enable the TCP port on all IPv4 IP addresses assigned to eth0.
  For example: impath_interface=eth0
- Scroll to # impath_address=ADDRESS and configure the presented options as needed.
  1. Remove the # character to enable this option.
  2. Replace ADDRESS with a management IP address.
    For example: impath_address=10.1.1.1
    
    NOTE:
    - Set this IP address to one that's accessible by administrators or other appliances, but not used for proxy-traffic.
    - Configure extra security measures as needed (for example, firewall rules).
    - The impath_address configuration overrides the impath_interface setting.
- To disable port 9004, revert the value to 0 (Zero).
  1. Scroll to # impath_port=PORT.
  2. Remove the # character and replace PORT with 0.
    For example: impath_port=0

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Thales/nCipher HSM-driver in Web Gateway listens on 0.0.0.0:9004 by default

Environment

Problem

Cause

Solution

Workaround

Affected Products

Languages:

Title

Title

Knowledge Center

Thales/nCipher HSM-driver in Web Gateway listens on 0.0.0.0:9004 by default

Environment

Problem

Cause

Solution

Workaround

Affected Products

Languages:

Choose your region

Title

Title