A Burp Suite scan was run against ePO, which resulted in the issues below:
- Cacheable SSL Page found
Most web browsers are configured by default to cache the pages a user visits, and this includes pages served over SSL. We do not recommend that you allow the web browser to save any SSL content, because that cached information might be compromised when a vulnerability exists.
- Overly Permissive CORS Access Policy
Cross-Origin Resource Sharing (CORS) is a mechanism that allows websites to request resources from external sites, which avoids the need to duplicate them. When a site grants access to external sites, those sites might also perform several actions on the granting site and run scripts on it. So, it is important not to grant access to any site, but only to trusted sites.
- SHA-1 cipher suites were detected
The server supports SHA-1 cipher suites. NIST officially deprecated SHA-1 in 2011, but many applications still rely on it.
- Unsafe third-party link (target="_blank")
The target="_blank" attribute is added to link elements to make the link open in a new window. Links of this kind expose parts of the original page's window object to the linked page through the window.opener object. This information can be exploited for phishing attacks if the linked page is malicious.
- Database connection string disclosed
A database connection string specifies information about a data source and the means of connecting to it. In web applications, connection strings are used by the application tier to connect to the back-end database used for storing application data. These strings are read from server-side configuration files or hard-coded into application source code.
Research and Conclusions
The ePO engineering team has reviewed these findings and determined the following:
- Cacheable SSL Page found
This report is a False Positive. ePO does set the following headers today to disable caching for almost all ePO pages. By design, static JS files that do not contain any sensitive data do not have these headers set, to improve performance.
- Overly Permissive CORS Access Policy
This report is a False Positive. ePO does not set any CORS headers today to allow access for any other domains. If no CORS headers are set, the behavior is secure by default: browsers do not allow websites on any other domain to access resources from ePO.
- SHA-1 cipher suites were detected
We confirm that ePO does enable some SHA-1 cipher suites. This is separate from the signing algorithm used in ePO certificates, where we do not support SHA-1. ePO relies on the underlying FIPS-certified crypto providers to choose the stronger cipher suites during TLS connections. We had to retain some of the old, but still secure, ciphers that FIPS mode allows in order to support all possible ePO upgrade paths for our customers. We evaluate our cipher suite list during every new ePO release and make enhancements accordingly without breaking any existing customers. SHA-1 cipher suites will be disabled in future ePO releases.
- Unsafe third-party link (target="_blank")
ePO does not link any user-provided or untrusted target in this way, so we do not consider this report to be an issue. All external links that ePO adds point by default to trusted domains (for example, *.trellix.com).
- Database connection string disclosed
We have reviewed this finding, and there is no information leak regarding the database. An authenticated ePO user on the console could view information such as user name, if the user has the right permissions for that corresponding ePO function.
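As an added example (not ePO code or part of this article), the following Python helpers re-check three of the findings above against captured HTTP responses, so that the scanner's verdict can be verified rather than taken on trust: cache headers on dynamic versus static pages, the CORS point that no header at all is the secure default, and target="_blank" links that leave a trusted domain without rel="noopener". The no-store requirement, the trusted-suffix list beyond *.trellix.com, and every sample response and HTML fragment are assumptions constructed here.

```python
"""Triage helpers for the Burp findings discussed above (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist; the article names *.trellix.com as the trusted example.
TRUSTED_SUFFIXES = (".trellix.com",)


def check_cache_headers(headers, is_static=False):
    """Dynamic pages must carry Cache-Control: no-store (assumed requirement).
    Static assets are exempt, matching the rationale given in the article."""
    if is_static:
        return []
    cc = headers.get("Cache-Control", "").lower()
    directives = {d.strip() for d in cc.split(",")}
    return [] if "no-store" in directives else ["Cacheable page: no-store missing"]


def check_cors(headers):
    """Absence of CORS headers is the secure default; flag only permissive values."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    if acao is None:
        return []
    findings = []
    if acao in ("*", "null"):
        findings.append(f"Permissive Access-Control-Allow-Origin: {acao}")
    if lower.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("Credentials allowed cross-origin; review origin handling")
    return findings


class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def check_blank_links(page_html):
    """Return hrefs of target=_blank links to untrusted hosts lacking noopener/noreferrer."""
    parser = _AnchorCollector()
    parser.feed(page_html)
    flagged = []
    for a in parser.anchors:
        if (a.get("target") or "").lower() != "_blank":
            continue
        rel = (a.get("rel") or "").lower().split()
        if "noopener" in rel or "noreferrer" in rel:
            continue  # opener is severed, so window.opener is not exposed
        host = urlparse(a.get("href") or "").hostname or ""
        if any(host == s[1:] or host.endswith(s) for s in TRUSTED_SUFFIXES):
            continue
        flagged.append(a.get("href"))
    return flagged
```

Feeding real captured headers into these functions reproduces the article's reasoning: a static JS response without no-store is accepted, an ePO response with no CORS headers yields nothing, and only external non-allowlisted links without noopener are reported.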