Weak SSL Cipher Suites are Supported - Version-1.9.5

by Vinod Kumar -
Number of replies: 26

Dear All,

We are using Moodle integrated with our internal site.

The site was scanned by our security team for security risks with IBM AppScan, and the following issues were found:

1.) Factoring RSA Export Keys (a.k.a. FREAK)

2.) Weak SSL Cipher Suites are Supported

I have tried to search for this but was unable to find the exact reason.

Can you please tell me: is Moodle behind the F5 BigIP?


Thanks & regards




In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Bret Miller -

SSL cipher suites are not a Moodle issue--they are a web server issue, and you don't give us any information about your web server. So I will guess based on my own experience.

Perhaps you are running Windows Server 2008R2. Schannel.dll, which handles all the SSL/TLS support, does not support strong ciphers without other vulnerabilities being exposed. So you get your choice of strong ciphers or RC4 with other vulnerabilities. The best you can do to limit exposure is to run everything through a reverse proxy on a different OS on the same physical network. This limits your exposure to having physical access to your network, since the https will then use strong ciphers on the other side of the reverse proxy.

If that's not the issue, then you simply need to tune your web server to use stronger ciphers. You can test them here: https://www.ssllabs.com/ssltest/. Google searches on how to strengthen your SSL should give you the information you need after that.

In reply to Bret Miller

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Vinod Kumar -

Dear Miller,

Thanks for your reply. I have some more security issues. Can you please answer those issues?

Please let me know how you would like to take these questions - I mean each question in a separate post or all in a single post?

Just for your information, I have the following issues:

1.) Factoring RSA Export Keys

2.) Inadequate Account Lockout

3.) Missing Secure Attribute in Encrypted Session (SSL) Cookie

4.) Session Identifier Not Updated

5.) MongoDB NoSQL Injection

Please reply if possible.

Thanks a lot

Vinod Kumar



In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Marcus Green -

You will need proper descriptions to get any useful help on those questions. For example, the idea of MongoDB NoSQL injection is unclear. Moodle does not use MongoDB as its main database; is it being used for caching? The term SQL injection means (unsurprisingly) to inject SQL, whereas MongoDB is known as a NoSQL database, i.e. not requiring SQL.

Security issues can be very subtle and complex, so you need a full and complete description of a setup and any potential security issues to find out anything useful.

Update: The miracle of Wikipedia has just told me that NoSQL means Not Only SQL, but my point is still relevant.


In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Howard Miller -

It's not clear to me that this has anything to do with Moodle. We like to help but please let's try to keep this on topic.

In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Bret Miller -

OK. I will do my best, but as this is a Moodle forum, I will limit my comments to that. Also, Moodle 1.9.5 is VERY OLD and contains known security issues. If you are really trying to be secure, you need to upgrade and keep upgraded to the latest Moodle version, or at least the prior major version. So Moodle 2.8.5+ is your minimum for a secure Moodle at this point.


1.) Factoring RSA Export Keys - Has nothing to do with Moodle as Moodle is not the web server and does not deal with the https protocol at all.

2.) Inadequate Account Lockout - Settings can be adjusted in Site Administration > Security > Site Policies (at least in 2.8.5+)

3.) Missing Secure Attribute in Encrypted Session (SSL) Cookie - Make your whole site SSL if you want the cookies to be SSL.

4.) Session Identifier Not Updated - And what difference does that make if the session identifier is complex enough?

5.) MongoDB NoSQL Injection - How does this relate to Moodle at all? If MongoDB is out of date, then upgrade it to be more secure.

In reply to Bret Miller

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Vinod Kumar -

Dear Miller,

Thanks a lot for your reply.

I have mentioned your solution to my security team. They are very happy with your solution and asked one question related to

Session Identifier Not Updated

Their concern is as given below.

Session identifier not updating: this has again... nothing to do with session identifier complexity.... Irrelevant!

DEMO -- as follows

When we do the first login:

Value of MoodleSession Identifier = 100oekkrtfcud38jb82u1mfs23

Then, I log out and log in again:

After logging in again, I check the session ID again; I should have a new session ID,

but that is not the case:

As you can see below, the Moodle session identifier is the same, so it has not been updated (and we are not speaking about the complexity of it....), which also means that the user's session has not been killed after the logout.

What is the risk?

The risk is that the session can be reused by a hacker after the victim logs out of the application. And the hacker does not need to know the victim's credentials.

Support could reply that as the MoodleSession cookie is secure, it's impossible to get it through the network because it's not transmitted outside of the SSL/TLS connection.

Can you please check this issue? As per my understanding it's because of the old Moodle version 1.9.5?


Thanks

Vinod Kumar
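A runnable model of the security team's test above, added here as an example and not Moodle's own code: it replays first visit, login, logout and re-login against a constructed session manager that behaves as reported, and against one that regenerates the id on login and destroys the session on logout. The class and function names are assumptions made for this illustration.

```python
"""Replay of the "Session Identifier Not Updated" check from the post above.

Constructed example, not Moodle code. WeakSessions behaves as the security
team reported (same id across logout/login, server state not killed);
HardenedSessions regenerates the id on login and destroys it on logout.
"""
import secrets


def fresh_sid():
    # 26 hex characters, the same shape as the MoodleSession value quoted above
    return secrets.token_hex(13)


class WeakSessions:
    """Model of the reported behaviour: the browser keeps one cookie value
    for its whole lifetime and logout only happens client-side."""

    def __init__(self):
        self.store = {}  # sid -> {"user": name or None}

    def new_sid(self):
        sid = fresh_sid()  # cookie set on the first, unauthenticated visit
        self.store[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Reuses whatever id the browser presented, so a pre-authentication
        # id survives into the authenticated session (session fixation).
        self.store.setdefault(sid, {})["user"] = user
        return sid

    def logout(self, sid):
        # Nothing is removed server-side; the id stays valid for whoever holds it.
        return sid

    def user_for(self, sid):
        return self.store.get(sid, {}).get("user")


class HardenedSessions(WeakSessions):
    """Same interface with the two properties a defender wants."""

    def login(self, sid, user):
        # Regenerate: move the data to a fresh id and forget the old one
        # (what PHP's session_regenerate_id(true) does for a PHP app like Moodle).
        data = self.store.pop(sid, {})
        data["user"] = user
        new_sid = fresh_sid()
        self.store[new_sid] = data
        return new_sid

    def logout(self, sid):
        # Destroy server-side state so the old cookie cannot be replayed.
        self.store.pop(sid, None)
        return None


def audit(mgr, user="alice"):
    """Scanner steps: first visit, login, logout, login again.
    Returns one boolean per property; a hardened app yields all True."""
    anon = mgr.new_sid()
    first = mgr.login(anon, user)
    changed_on_login = first != anon
    fixation_closed = mgr.user_for(anon) is None
    mgr.logout(first)
    killed_on_logout = mgr.user_for(first) is None
    second = mgr.login(first, user)  # browser still presents the old cookie
    return {
        "id_changed_on_login": changed_on_login,
        "old_id_dead_after_login": fixation_closed,
        "session_killed_on_logout": killed_on_logout,
        "id_changed_on_relogin": second != first,
    }
```

Running `audit(WeakSessions())` reproduces the finding (every property False), while `audit(HardenedSessions())` passes all four checks.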



In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Marcus Green -

The Moodle 1.9 series is well out of support. If you find a security issue the best advice is to upgrade to a version that is in support.

In reply to Marcus Green

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Vinod Kumar -

Dear Marcus, All,


Thanks a lot for replying to me.

I agree with your last point and am planning to upgrade my old version to the latest version of Moodle.

As I mentioned earlier, I am completely new to Moodle integration.

Can you please reply to the following queries?

1.) How to upgrade Moodle, and is there any payment required to upgrade to the latest version of Moodle?

2.) Please mention any regressions, issues or problems that can happen after upgrading to the new version of Moodle, so that before starting the upgrade I will be prepared to solve those issues.

I really appreciate all of you and thank you for helping/supporting us.


Thanks

Vinod Kumar 


In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Howard Miller -

1. upgrade to Moodle 1.9.19
2. upgrade to Moodle 2.2 - https://docs.moodle.org/22/en/Upgrading_to_Moodle_2.2
3. upgrade to Moodle 2.8 - https://docs.moodle.org/28/en/Upgrading

OR (and I'm serious)

Don't upgrade and just create a new 2.8 site and rebuild your courses from scratch. There are a lot of differences between 1.9 and 2.8 and it might be easier.

If you want any more detail, you'll need to do some reading for yourself. The release notes are a good place to start...

https://docs.moodle.org/dev/Releases

In reply to Howard Miller

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Marcus Green -

I agree with Howard that re-creating courses from scratch can be a good option. It may seem rather painful, but it is frequently the best route. Check if you have any 3rd party plugins or custom code. I have found that to be the time consuming step of preparing an upgrade. I was not certain what you meant about money, but there are many consultants around the world who specialise in Moodle and a global network of approved developers called Moodle Partners.

In reply to Marcus Green

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Jeff Shrek -

Upgrading from 1.9 can be painful due to the file storage changes and the plugin/theme changes, but if you want to try:

https://moodle.org/mod/forum/discuss.php?d=312810


In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Visvanath Ratnaweera -
Hi Vinod

The question is how recent Moodle versions, say 2.8 or 2.7 LTS, withstand your security audit.
In reply to Visvanath Ratnaweera

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Vinod Kumar -

Dear All,

Thanks a lot for your reply.

I have a very serious concern from top management: will this upgrade from 1.9.5 to 2.8 resolve the issue of "Session Identifier Not Updated" or not? I will be in trouble if it does not resolve this issue after so much effort and time given to upgrade from the old version to the latest version. I hope you all will understand my situation.

I kindly request all of you to focus on my security issue "Session Identifier Not Updated": will the upgrade to the latest version 2.8 resolve this security issue?

Please reply keeping in mind that this issue should be resolved after the upgrade to the latest version.

Vinod Kumar

In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Visvanath Ratnaweera -
Hi Vinod

If I understand you right, you've upgraded your Moodle site to 2.8 now and IBM AppScan still brings "Session Identifier Not Updated", issue 4 reported in https://moodle.org/mod/forum/discuss.php?d=312600#p1251617.

I cannot help you there. You'll have a better chance in the security forum, I hope. You can request the moderator to move this discussion from 'Installation help' to 'Security and privacy'.

Edit: I've noticed that you've found this thread "Session Identifier Not Updated ?? Security Issue?" https://moodle.org/mod/forum/discuss.php?d=129570 and posted there. It is still about Moodle 1.9.5 and from 2009. Your 2.8 problem belongs to a new thread.
In reply to Visvanath Ratnaweera

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Vinod Kumar -

Dear All,

No, I have not upgraded to the latest version 2.8. I just want to know: if I upgrade my old version 1.9.5 to the latest version 2.8, will this upgrade remove or fix this issue or not?

If it really fixes this issue I will go ahead with upgrading to the latest version 2.8.

Thanks for replying to me.

Vinod Kumar


In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Visvanath Ratnaweera -
Dear Vinod

First thing, do you agree that there is no point in bringing up security concerns in the 1.9 series?
"Bug fixes for general core bugs in 1.9.x has ended June 2011 (3.5 years).
Bug fixes for serious security issues in 1.9.x by Moodle HQ ended June 2012 (4.5 years).
Bug fixes for serious security issues in 1.9.19+ branch by Catalyst IT ended Dec 2013 (6 years)."
https://docs.moodle.org/dev/Releases?redirect=no#Moodle_1.9

Secondly, whether the issue "Session Identifier Not Updated" will also appear in current Moodle or whether there'll be other issues (according to IBM AppScan):
You need to test it yourself. For that you don't need to upgrade your site yet; installing the new version with the same plug-ins is sufficient.

Thirdly, which Moodle version:
There are many candidates. 2.7 is LTS. 2.8 is the current stable. In a couple of days 2.9 will be the stable. If you can wait six months (you've been on 1.9.5 for six years!) you might even have 3.0!

BTW, have you mentioned the system software: operating system, web server, database server, PHP? I believe they are relevant. Even the network architecture needs to be taken into consideration.

And lastly, consider moving the thread to the security forum.
In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Howard Miller -

Moving all this to the security forum. 

BTW... this is what happens when you run one of these scanner applications against anything you care to name. Are you *sure* you understand the problem it is reporting and that it has an actual or potential impact on your organisation? Security alerts aren't absolutes - they often apply to certain environments that may not apply to you.

My only other thought - there will have been an impressive list of security issues fixed in Moodle in the years between the release of version 1.9.5 and the release of 2.8. If your primary issue is security then the upgrade should be, as they say, a no-brainer.

In reply to Howard Miller

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Vinod Kumar -

Dear Miller,


This issue "Session Identifier Not Updated" was raised only by the security team of my organization. As your support team mentioned that the upgrade from 1.9.5 to 2.8 may be the solution, I told this to my security team. Now they are asking me to upgrade. But before upgrading to 2.8 I want to make sure that this issue will be resolved after the upgrade.

Because over a long period of time using 1.9.5, we have made so many changes to the existing website. Hence it will have an impact, and too much rework will be required if I upgrade to the latest version.

Thanks for just clarifying to me whether the upgrade is the only solution or whether there is another solution that can be done in my 1.9.5 version without upgrading.

I really appreciate a reply.

In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Just H -
As Visvanath already suggested, install a test instance and get your security team to test it.

Regardless of the result, given the pressure they are putting on you regarding security issues, you really should seriously look at upgrading anyway. Again, as Visvanath and Howard have already stated, you are currently getting no security updates from Moodle and are therefore potentially at even more risk.

The fact you seem to be "stuck" on 1.9+ due to local modifications is also a lesson to be learnt ... unless you have people capable and knowledgeable enough to resolve issues such as those asked here it's not a good idea to hack a system (of any kind) that will leave you in the situation you are in.

In reply to Just H

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Howard Miller -

I'm not sure I can put it any better but you should *never* back yourself into a corner where it becomes difficult or impossible to upgrade Moodle. 

It's not hard..

- don't hack core Moodle
- don't add optional plugins unless (a) they are not and never will be mission critical or (b) they appear to be well supported and/or you have the skill and motivation to support them yourself.

In reply to Vinod Kumar

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Visvanath Ratnaweera -
Hi Vinod

You withheld an important piece of information too long:
> Because from long period of time using 1.9.5, We have done so many changes in existing website. Hence it will impact and too much rework will be required if I upgrade to latest version.

As others have pointed out, that was a mistake, and if you'd stated that at the beginning this discussion wouldn't have gone in circles!

Now that all that has happened, what are your options? Here is how I would proceed.

- I'd forget automatically transferring the changes done to 1.9.5 into any Moodle 2 version. That needs to be done manually and will take time.

- If this is a professional site, Moodle 1.9.5 should not be on-line. There are simply too many known security issues. I would diff the changed 1.9.5 against original 1.9.5 and apply the patch to 1.9.19+, migrate the site to that and get the result streamlined as a short/medium term solution.

(Don't tell me you're on Windows! I notice that you never mentioned the operating system nor the other system software.)
In reply to Visvanath Ratnaweera

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Richard Oelmann -
Two different approaches - Visvanath's process to upgrade or Howard's earlier suggestion just to install 2.8 separately and transfer your courses to there. Personally I would go with Howard's suggestion and make a fresh start with a new Moodle setup. I am aware you have said too much work would be involved in reworking a new site - I still believe that option is your best long term bet, and that you may be surprised, if you actually test one of the latest versions, how much additional benefit you get from it (as well as potentially removing the need for some of your existing customisations) - responsive themes suitable for multiple devices, jQuery, the range of plugins, the APIs that will enable you to create any of the rest of your customisations in a more modular, plugin fashion, the ongoing support and security updates of a newer version etc etc etc.

Look at your 1.9.5 site, look at what your customisations actually do (not so much the code itself at this stage, but the purpose of it). Then install 2.7 LTS, 2.8 or in a couple of days 2.9 (on a test system). Investigate whether the new version actually removes the need for some of your customisations, or whether there are appropriate (supported!) plugins that will avoid you hacking core, and also whether any of your customisations can be refactored in Moodle 2 into plugins rather than core hacks.

It's not a quick fix, but it's probably the best long term solution to prevent this happening again!
It's the approach I had to take a few years ago when a direct upgrade of 1.9>2.1 wasn't practical because of previous core hacks (prior to me being in the institution). I took core Moodle 2, looked at the purpose behind the previous hacks rather than the code, and redefined the site with the policy of minimising (eradicating) core hacks - just about the only time I now make changes to core Moodle code is to apply fixes I know will be making it into the next version of Moodle, but that we want in place before we can do a full point version update. Everything else is done via plugins/settings.

@Visvanath - not upgraded since 1.9.5, concerned about the work involved to refactor customisations now that it's a big leap rather than the small increments that could have been happening, expecting to have to pay to upgrade, delayed any security concerns (evidenced by the non-upgrade) until now when suddenly there is a 'panic' over security, which of course is down to the open source software being used (even though it's x years out of date!): sounds like a M$Windows based IT department to me ;)  (tongue firmly in cheek)
In reply to Richard Oelmann

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Visvanath Ratnaweera -
Richard

Just to clarify: Howard's suggestion and mine differ in only one point, the intermediate step through 1.9.19+.

Otherwise we both were talking of going to a recent Moodle version. Howard suggested migration or rebuild from scratch. I suggested course-by-course backup/restore: see https://moodle.org/mod/forum/discuss.php?d=312600#p1252531 f.f.

What nobody still seems to know is whether a recent Moodle version (2.7/8/9) withstands Vinod's security audit https://moodle.org/mod/forum/discuss.php?d=312600#p1252576.
In reply to Visvanath Ratnaweera

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Howard Miller -

Vinod could have installed a new version of Moodle 2.8 and tried it several times over while we have been discussing it. 

I don't wish to sound unhelpful (no more than usual anyway), but I don't see this as a general issue. If it matters to him that it passed this rather arbitrary audit then he needs to do some work. If it still doesn't work, then the next step is to raise a security report in the bug tracker. However, there is absolutely no point doing this for 1.9 as it will be ignored. 

In reply to Howard Miller

Re: Weak SSL Cipher Suites are Supported - Version-1.9.5

by Vinod Kumar -

Dear Miller,


I agree, and I am doing some R & D to find out where "MoodleSession" is generated for the very first time so that I can regenerate this session key.

Thanks a lot, and please reply.


Vinod Kumar