Solved

K2 5.5 SourceCode.PDFConverter service SSL vulnerability

  • 7 June 2022
  • 1 reply
  • 44 views

Hi -

We are running K2 5.5, with two nodes. A security scan of the nodes pinged port 5630 as vulnerable to the TLS ROBOT vulnerability. CVEs include: CVE-2017-6168, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373, CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883, CVE-2012-5081


Looking that port/PID up - returns the PDF Converter service.

What steps are available to remediate this vulnerability?  We are up to date with our patches.


I did find this article in the KB: https://community.nintex.com/t5/Best-Practices/PDF-Converter-Server-Side-Request-Forgery-Prevention/ta-p/207532


Could I simply whitelist 127.0.0.1 and be good?  Is there any reason that service needs that port open to any other hosts other than itself?


Thank you,

Tim



Best answer by ChristoffB 8 June 2022, 11:30


1 reply

Hi Tim
Please note that the CVE numbers that are listed are specific to other products running on the same port as the PDF service or which are vulnerable to the TLS ROBOT vulnerability, and are not directly associated with the K2 product.

The TLS ROBOT vulnerability is present whenever TLS_RSA* cipher suites are available for encryption on an endpoint or service (more info: https://www.robotattack.org/).
K2 does not directly interact with the TLS protocol and relies on the underlying operating system's configuration and TLS negotiation, which means that instead of the PDF service being directly vulnerable, it is more related to the Windows Server it is running on and the Windows configuration that is allowing TLS_RSA* cipher suites to be used.

The PDF service is an internal service and does not require access from the internet, which reduces the risk significantly, and actually doesn't need to be exposed to the rest of your network because calls are made from the K2 Host Server service directly to the PDF service which is on the same machine...
For this reason, the simplest mitigation is to block incoming traffic to port 5630 on your Windows Firewall.
The most complete mitigation would be to disable all TLS_RSA* cipher suites on the Windows server using the Disable-TlsCipherSuite PowerShell commands:
https://docs.microsoft.com/en-us/powershell/module/tls/disable-tlsciphersuite?view=windowsserver2022-ps
Please note however that this affects all services running on the server and great care should be taken when doing so.

Just as a last note: the KB article that was shared in your original post would have no effect on preventing TLS ROBOT. It restricts what sites/endpoints the PDF service can connect to and does not prevent other services/addresses from connecting to it. The configuration restricts outbound communication, not inbound.

Hope this helps

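The two mitigations from the accepted answer (block inbound traffic to the PDF port, and remove the static-RSA cipher suites that ROBOT depends on), written out as an added PowerShell example. This is not code from the thread or from K2/Nintex. It assumes the built-in TLS and NetSecurity modules (Windows Server 2016 or later), that the listener is TCP 5630 as reported in the question, and that loopback traffic between the K2 Host Server and the PDF service on the same node is not filtered by Windows Defender Firewall; the firewall rule name is this example's own choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from K2/Nintex. Assumptions:
# TLS and NetSecurity modules present (Windows Server 2016+), PDF Converter
# listening on TCP 5630 (from the question), rule name chosen here.

$PdfPort  = 5630
$RuleName = 'K2 PDF Converter - block inbound 5630'   # example rule name

# 1. Confirm which process owns the listener on the flagged port.
function Get-PdfListener {
    Get-NetTCPConnection -LocalPort $PdfPort -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

# 2. List the suites that use static RSA key exchange (the ROBOT precondition).
#    TLS_ECDHE_RSA_* suites use RSA only for signatures and are not matched.
function Get-RobotCipherSuite {
    Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_RSA_*' }
}

# 3. Disable them. This is server-wide and affects every TLS service on the
#    host, so run with -WhatIf first and review the list.
function Disable-RobotCipherSuite {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($suite in Get-RobotCipherSuite) {
        if ($PSCmdlet.ShouldProcess($suite.Name, 'Disable TLS cipher suite')) {
            Disable-TlsCipherSuite -Name $suite.Name
        }
    }
}

# 4. Block inbound connections to the PDF port from other hosts. The local
#    K2 Host Server -> PDF service call path uses loopback, which the firewall
#    does not filter, so it keeps working (verify after applying).
function Block-PdfPortInbound {
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $PdfPort -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $RuleName |
        Select-Object DisplayName, Enabled, Direction, Action
}

# Review first, then uncomment the last two lines to apply on each node.
Get-PdfListener
Get-RobotCipherSuite | Select-Object Name
Disable-RobotCipherSuite -WhatIf
# Disable-RobotCipherSuite
# Block-PdfPortInbound
```

After applying the firewall rule on a node, `Test-NetConnection -ComputerName <node> -Port 5630` run from the other node or a workstation should report `TcpTestSucceeded : False`, while PDF conversion started from the K2 Host Server on the same node should still succeed. Re-running the scanner against 5630 after the cipher suite change is the check that the ROBOT finding is gone; because the change is server-wide, also confirm that the K2 web sites and any other TLS listeners on the node still negotiate with the clients you support.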