TLS Protocol Session Renegotiation Security Vulnerability

Looking at some of the previous blogs, we are in a similar situation. The server is fully patched and IIS Crypto has also been run. We are noticing that the tentacle is allowing TLS Protocol Session Renegotiation. Is there any remediation on this?

R
RENEGOTIATING
depth=0 CN = Octopus Tentacle
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = Octopus Tentacle
verify return:1

Hi @rrizkallah,

Thanks for getting in touch! This vulnerability is something Octopus fully relies on the operating system for, so some system configuration in your OS would need to be changed. We’ve had a look through the CVE, and it points to these patches. I would also recommend ensuring that SSLv3/TLS1.0/TLS1.1 are all disabled.

I hope this helps! Please let me know how you go or if you have any further questions going forward.

Best regards,

Kenny

Thanks Kenneth. We are patched all the way through the latest CU which was released by MS on 12/10. Here is the link. In addition, IIS Crypto has been run via best practices.

In Qualys, the scan specifically specifies 10933, which is what the tentacle is listening on. Here is a screenshot showing that the vulnerability is on port 10933.
In my original post I had pasted an openssl response showing me connectivity over port 10933, and the only thing listening on that box is the tentacle. Doing more testing, I changed the tentacle from “Listening” to “Polling” and that did resolve the issue. So that is why I really think this is a tentacle vulnerability and not OS. Any other suggestions?

Took it a step further and disabled TLS 1.1 and am still able to connect.
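The openssl session quoted earlier in the thread (typing "R" after connecting to port 10933 and watching a second handshake complete) is the same check a scanner performs. The script below is an added example, not code from the thread or from Octopus Deploy: it classifies such a session transcript, separating a server that lacks the RFC 5746 secure-renegotiation extension from one that simply accepts client-initiated renegotiation, and wraps a live check around `openssl s_client`. The embedded transcript is constructed from the lines quoted above; the "Secure Renegotiation ..." line is standard s_client output and the host/port in the live check are assumptions.

```shell
#!/bin/sh
# classify_reneg: read an `openssl s_client` transcript on stdin (a session in
# which "R" was typed to request renegotiation) and print one of:
#   INSECURE     - no RFC 5746 extension; this is the 2009 renegotiation flaw
#   CLIENT_RENEG - secure renegotiation present, but a client-initiated
#                  renegotiation was accepted (a fresh handshake completed)
#   OK           - renegotiation was refused or never attempted
classify_reneg() {
  transcript=$(cat)
  if printf '%s\n' "$transcript" | grep -q 'Secure Renegotiation IS NOT supported'; then
    echo INSECURE
  elif printf '%s\n' "$transcript" | grep -q '^RENEGOTIATING' &&
       printf '%s\n' "$transcript" | sed -n '/^RENEGOTIATING/,$p' | grep -q '^verify return:1'; then
    # A new certificate verification after RENEGOTIATING means the
    # server completed the second handshake rather than dropping it.
    echo CLIENT_RENEG
  else
    echo OK
  fi
}

# Constructed transcript: the lines quoted in the thread, preceded by the
# secure-renegotiation line s_client prints during the first handshake.
demo_thread_transcript() {
  printf '%s\n' \
    'Secure Renegotiation IS supported' \
    'R' \
    'RENEGOTIATING' \
    'depth=0 CN = Octopus Tentacle' \
    'verify error:num=18:self signed certificate' \
    'verify return:1' \
    'depth=0 CN = Octopus Tentacle' \
    'verify return:1' | classify_reneg
}

# Constructed transcript of a server that closes the connection on "R".
demo_refused_transcript() {
  printf '%s\n' 'Secure Renegotiation IS supported' 'R' 'RENEGOTIATING' | classify_reneg
}

# Live check (assumed host:port, e.g. tentacle.example.internal:10933).
# TLS 1.2 is forced because TLS 1.3 has no renegotiation; the sleeps give the
# first handshake time to finish before "R" is sent.
check_host() {
  (sleep 2; echo R; sleep 2) | openssl s_client -connect "$1" -tls1_2 2>&1 | classify_reneg
}
```

Run `check_host tentacle.example.internal:10933` against a listening Tentacle before and after the remediation to confirm the result moves from CLIENT_RENEG to OK.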

Hi @rrizkallah,

Thanks for following up and providing that additional information. Are you running IISCrypto on the Octopus Server and the server that Tentacle is running on? In addition to disabling TLS 1.1 on the server side, did you also disable it on the Tentacle side as well?

I look forward to hearing back!

Best regards,

Kenny

Hello Kenny,
Sorry for the delay. I verified and yes, it's on both sides.

Hi @rrizkallah,

Thanks for keeping in touch, and my apologies about the delay over the holiday break! Just letting you know here that we’ve received your email and this has been escalated to one of our engineers who will be looking into this further. Please don’t hesitate to reach out if you have any further questions or concerns along the way.

Best regards,

Kenny

Thanks Kenneth.

This is very critical to our company. We are going through a big security audit and we need to remediate this ASAP.

Ramy