Check security of GSE integrations


#1

If you decide to build your own GSE-based setup of GVM, or you decide to use a “3rd-party integration” or an “uncoordinated integration”, we strongly recommend auditing some security aspects of it.

We have noticed, and have been notified about, several offerings of such integrations where some fundamental security basics are not correctly implemented out of the box, for example default passwords for internet-reachable services or the use of weak SSL/TLS ciphers.

The easiest way to audit the GVM setup is to scan it with GVM. It will identify several of the standard mistakes. Make sure you catch the service ports, as some integrations use uncommon ports. You should check this with netstat or similar commands to catch all ports used by your installation, to be sure your port list is complete.

If you can’t fix the security violations yourself, please consider the Greenbone Community Edition (GCE) or a commercial product of the Greenbone Security Manager (GSM) appliance family.

It makes absolutely no sense to file a CVE or other alerts about an insecure integration of the Greenbone Source Edition.

The source edition does not create default passwords and it does not ship static SSL/TLS certificates or weak ciphers. If you want to complain about it, please contact the creators of the integration. Do not blame GVM or Greenbone for it - our solutions and products implement all security best practices.
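The port check described in the post above, as an added example that is not part of the original thread: it reads `ss -Hltn` output (one listening socket per line), skips loopback-only sockets, and reports any port exposed on a non-loopback address that is not in an allowlist of expected ports. The sample socket list and the allowlist (9392 for gsad, 9390 for gvmd) are constructed assumptions; on a real host, pipe live `ss` output into the function instead.

```shell
#!/bin/sh
# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
# It stands in for a real listing so the check runs offline.
SAMPLE_SS_OUTPUT='LISTEN 0 128 127.0.0.1:9390 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9392 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 [::]:6379 [::]:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*'

# audit_listeners "PORT PORT ..."
# Reads ss output on stdin. Prints "address:port" for every listening socket
# bound to a non-loopback address whose port is not in the allowlist.
# Returns 0 when nothing unexpected is exposed, 1 otherwise.
audit_listeners() {
    allowed=" $1 "
    found=0
    while read -r state recvq sendq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}      # text after the last colon is the port
        addr=${laddr%:*}       # everything before it is the address
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback only: not reachable remotely
        esac
        case "$allowed" in
            *" $port "*) continue ;;     # expected service on an expected port
        esac
        echo "$laddr"
        found=1
    done
    return $found
}

# Stand-alone run on the constructed sample. Only gsad (9392) is expected on a
# reachable address here, so the database and cache listeners get reported.
# Assumed allowlist; adjust it to the ports your integration documents.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners "9392 9390" \
    || echo "unexpected exposed listeners found (see above)"
```

Every reported port is a candidate for a default-credential or weak-cipher check, and should be added to the GVM target's port list so the scan covers it.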


#2

Just to clarify the meaning of “3rd-party integration” and “uncoordinated integration” here.

Greenbone only provides GSM hardware and the GCE (Greenbone Community Edition). All other GVM/OpenVAS installations - e.g. provided by a Linux distribution or Docker image - are neither developed nor coordinated with Greenbone. Therefore, all of these installations are what is meant by “3rd-party integration” and “uncoordinated integration”.

Quote:

The source edition is adopted by some third parties. We call the open and non-commercial ones “3rd-party integrations”. We call the solution-oriented and commercial ones “uncoordinated integrations” because there is no explicit contractual arrangement and especially no service level agreement with Greenbone.

from