DX Application Performance Management

  • 1.  Nessus Scan Vulnerability Remediation - SSL Medium Strength Cipher Suites - Need Assistance

    Posted Feb 08, 2019 02:09 PM

    My prod & dev MoM (EM) server has come under a Nessus scan vulnerability that needs immediate remediation. I've also opened up a case (01285297) with CA Support. I'd also like to put it out to the Community in parallel to get additional assistance.

    Since this is a security hit for my org, it needs to be resolved ASAP or it could affect "authority to operate" for APM altogether.

    Thanks in advance for any/all help with this issue.

    Here are the details of the vulnerability:

     

    Vulnerabilities

    42873 - SSL Medium Strength Cipher Suites Supported
    Synopsis
    The remote service supports the use of medium strength SSL ciphers.
    Description
    The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.

    Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
    See Also
    Solution
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    Risk Factor
    Medium
    Plugin Output

    tcp/5443

    Here is the list of medium strength SSL ciphers supported by the remote server :

    Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

    EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
    ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
    DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

    The fields above are :

    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}


  • 2.  Re: Nessus Scan Vulnerability Remediation - SSL Medium Strength Cipher Suites - Need Assistance

    Posted Feb 08, 2019 02:11 PM

    Yanna - please post your findings here if you'd like. 



  • 3.  Re: Nessus Scan Vulnerability Remediation - SSL Medium Strength Cipher Suites - Need Assistance

    Posted Feb 08, 2019 02:16 PM

    Feedback from our Security Team on this vulnerability...

    "I'm assuming that Nessus is querying the port and getting a response back from it, which is how it's identifying the vulnerability. Question is, what is it, on the server, that responds to traffic on that port. That's the config you probably need to look at."

    So, the question is...which config file would this be in? I've already updated the following properties in MoM's "em-jetty-config.xml" file and am still getting hit by the above vulnerability.

          <Set name="cipherSuites">
             <Array type="java.lang.String">
                <Item>ECDHE-RSA-AES128-GCM-SHA256</Item>
                <!-- Item>SSL_DH_anon_WITH_RC4_128_MD5</Item -->
             </Array>
          </Set>

          <Set name="protocols">
             <Array type="java.lang.String">
                <Item>TLSv1.2</Item>
                <!-- <Item>TLSv1.1</Item> -->
                <!-- <Item>TLSv1</Item> -->
             </Array>
          </Set>

          <Set name="ExcludeProtocols">
             <Array type="java.lang.String">
                <Item>SSLv3</Item>
             </Array>
          </Set>



  • 4.  Re: Nessus Scan Vulnerability Remediation - SSL Medium Strength Cipher Suites - Need Assistance

    Broadcom Employee
    Posted Feb 11, 2019 09:32 AM

    Dear Manish:

    We met on this Friday. Note that you have a case and a community post, and it appears to be a configuration setting. I suggest working through the case since this is a tough issue to resolve without webex.

    Thanks

    Hal



  • 5.  Re: Nessus Scan Vulnerability Remediation - SSL Medium Strength Cipher Suites - Need Assistance
    Best Answer

    Posted Feb 11, 2019 12:54 PM

    Worked with CA Support last week on Friday. The solution was to make changes to the java.security file.

    -----------

    The IntroscopeEnterpriseManager.properties file mentions the following:

    # Set the enabled cipher suites.
    # A comma-separated list of cipher suites.
    # If not specified, use the default enabled cipher suites.
    #introscope.enterprisemanager.ciphersuites.channel2=

    Since the above property is commented out, it means that the EM (in this case the MoM) is using the default Java security policy located under <EM_Home>/jre/lib/security/java.security. This is the current property:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

    Comment out the above property, copy it and change the copy to the following (ensure you back up the file before making any changes to it):

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, MD5, DSA, DESede, DES, RSA keySize < 2048

    Save the file, and then restart the EM.

    This should take care of the SSLv3 as well as the medium to weak cipher suite issue on your Nessus security scans.

    Thanks Hallett_German and Yanna for all your help.

    Manish
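As an added check, not part of the original thread: this Python script parses cipher lines in the plugin 42873 output format quoted in the first post, applies the plugin's medium-strength rule (64 to 111-bit keys, or 3DES), and reports which flagged suites a given jdk.tls.disabledAlgorithms value still leaves enabled. The sample lines and the Enc-to-JSSE token mapping (ENC_TO_JSSE) are constructed for this example; the before/after property values are the ones from the accepted answer.

```python
import re
# Nessus plugin 42873 rule: medium strength = symmetric key of at least 64 but
# fewer than 112 bits, or 3DES (nominal 168 bits, effective strength 112).
MEDIUM_MIN_BITS, MEDIUM_MAX_BITS = 64, 112

# Constructed sample in the plugin's output format; the last line is the AES-GCM
# suite left enabled in the Jetty config posted earlier in the thread.
SAMPLE_OUTPUT = """\
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

LINE_RE = re.compile(r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
                     r"Enc=(?P<enc>[^()\s]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)")
# Assumed mapping from the OpenSSL Enc= label to the JSSE algorithm token used
# in jdk.tls.disabledAlgorithms (hypothetical helper table, covers this thread).
ENC_TO_JSSE = {"3DES-CBC": "DESede", "DES-CBC": "DES", "RC4": "RC4", "AESGCM": "AES"}

def parse_suites(text):
    """Parse plugin output lines into dicts; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"])
            suites.append(d)
    return suites

def is_medium_strength(suite):
    """Apply the plugin rule; 3DES is flagged regardless of its nominal key size."""
    return "3DES" in suite["enc"] or MEDIUM_MIN_BITS <= suite["bits"] < MEDIUM_MAX_BITS

def blocked_by_jsse(suite, disabled_algorithms):
    """True if the cipher's token is listed outright; keySize constraints are not evaluated."""
    entries = [e.strip() for e in disabled_algorithms.split(",") if e.strip()]
    outright = {e for e in entries if " " not in e}
    return ENC_TO_JSSE.get(suite["enc"]) in outright

def medium_suites_still_allowed(text, disabled_algorithms):
    """Names of medium-strength suites a jdk.tls.disabledAlgorithms value leaves enabled."""
    return [s["name"] for s in parse_suites(text)
            if is_medium_strength(s) and not blocked_by_jsse(s, disabled_algorithms)]

# The before/after values quoted in the accepted answer.
BEFORE = "SSLv3, RC4, MD5withRSA, DH keySize < 768"
AFTER = "SSLv3, RC4, MD5withRSA, MD5, DSA, DESede, DES, RSA keySize < 2048"
```

Calling medium_suites_still_allowed(SAMPLE_OUTPUT, BEFORE) lists the three 3DES suites from the scan, while the same call with AFTER returns an empty list, since DESede now appears in the disabled set.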