
MSL - MiCollab - HTTP Service enabled


AH64Armament

I have a site with MiCollab that just failed a security assessment probe because the MiCollab server has http (port 80) enabled. It redirects to https after a moment and that's good... however at the http splash, it shows the links to AWC User Portal, MiCollab End User Portal and Server Manager before it jumps to https.

The assessors say this is not secure and needs to be disabled.

The MiCollab is in server-gateway mode and we cannot set it into server-only mode due to some special circumstances.

Anyhow, Mitel support said that they cannot turn off http.

In the MBG settings there's port 6881 and it shows that port 80 is associated here. There doesn't appear to be a way to turn this off.

Has anyone run into this?
We're running
MSL 11.0.69
MBG 11.0.0.304
MiCollab 9.1.3.205-01

There's some updates available, but none that will affect this.
 
Yep, we had to run some iptables commands to do this for one of our customers that needed to be PCI compliant.

I'll see if I can find my notes.

If I never did anything I'd never done before , I'd never do anything.....

 
Webpage isn't vulnerable, only has the redirect

I agree completely
 
Billz66 - if you have the notes, please email them to me at markc@phonesav.com
 
I have flicked you an email with the script.
Can't see why I can't post it here as well.

It was from 2011 so not sure of the MAS version.

#### TO MAKE THE PERMANENT SCRIPT ####

(SSH in to the box, log in as root)
[root@awc ~]# cd /etc/e-smith/templates/etc/rc.d/init.d/masq
[root@awc ~]# nano -wT 4 90InboundTCP09BlockHTTP
(Then paste in the following, note that there are only 3 lines, do not let anything word-wrap to the next line)

{
$OUT .= "/sbin/iptables -I \$NEW_InboundTCP --proto tcp --dport 80 -j DROP";
}

(Then press CTRL-O, Enter, CTRL-X to save and exit)

From memory it had an effect when trying to register new 53 series TW phones
- they did some sort of port 80 certificate request.
[root@awc ~]# reboot


If I never did anything I'd never done before , I'd never do anything.....

 
Not sure what the new Let's Encrypt API uses on later apps (ACMEv2) but it could potentially break if using HTTP.
 
Thank you Billz66 - We attempted to try that on our internal MSL - it still splashed with the links when we did http.
The customer is contacting the vendor that did the security probe to force an exception based on the info from Mitel.
 
Mitel just released a new KMS article regarding port 80: HO4203.
They have warned that it will prevent Let's Encrypt being used.

Check ports being listened to
grep Listen /etc/httpd/conf/httpd.conf


mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
touch /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35Listen80
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith

sv-restart may be service affecting

recheck
grep Listen /etc/httpd/conf/httpd.conf


To revert the changes:
rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35Listen80
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith


They have advised that this should survive restarts and upgrades

If I never did anything I'd never done before , I'd never do anything.....
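Both scripts in this thread rely on the same MSL/e-smith mechanism: a configuration file is assembled from numbered fragments under templates/, and a same-named file under templates-custom/ replaces the stock fragment, so an empty custom 35Listen80 silently removes "Listen 80" from httpd.conf. The following is an added simulation of that merge written for this thread, not Mitel's expand-template (which also evaluates Perl inside the fragments); the directory tree and fragment names it builds are constructed, and the check function shows how to confirm port 80 is gone before and after the override.

```shell
#!/bin/sh
# Constructed simulation of e-smith fragment merging (added example, not
# Mitel's expand-template). templates/<path>/ holds numbered fragments; a
# same-named file under templates-custom/<path>/ replaces the default one,
# so an EMPTY custom 35Listen80 drops "Listen 80" from the expanded config.

# expand_fragments BASE_DIR CUSTOM_DIR -> prints the merged configuration
expand_fragments() {
    b="$1"; c="$2"
    { ls "$b" 2>/dev/null; ls "$c" 2>/dev/null; } | sort -u |
    while read -r frag; do
        if [ -e "$c/$frag" ]; then
            cat "$c/$frag"       # custom fragment wins, even when empty
        else
            cat "$b/$frag"
        fi
    done
}

# Build a constructed template tree in a temp dir; prints its root path.
setup_demo() {
    root=$(mktemp -d)
    base="$root/templates/etc/httpd/conf/httpd.conf"
    custom="$root/templates-custom/etc/httpd/conf/httpd.conf"
    mkdir -p "$base" "$custom"
    printf 'ServerName micollab.example.test\n' > "$base/10ServerName"
    printf 'Listen 80\n'  > "$base/35Listen80"     # the fragment HO4203 removes
    printf 'Listen 443\n' > "$base/36Listen443"
    echo "$root"
}

# Returns 0 when the expanded config no longer contains "Listen 80",
# mirroring the "grep Listen" recheck step from the KMS article.
port80_removed() {
    ! expand_fragments "$1" "$2" | grep -q '^Listen 80$'
}
```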

 
Looks like it just eliminates that fragment 35Listen80, as the touch just creates the file name and custom-templates override default. Still think it is not an issue and they should understand how this operates.
 
jpruder
The site managed to convince the "security company" to accept the http as it is since it does redirect.

Billz66 - I'm looking for that document now.
 