Vulnerability assessment and penetration testing for UMP servers (cipher suites)


Article ID: 128457

Products

DX Infrastructure Management NIMSOFT PROBES

Issue/Introduction

Currently our UMP servers are in the DMZ zone and we are planning to publish UMP links over the internet. As part of an internal process we have done a vulnerability assessment for the UMP servers and the team has highlighted a few points in the reports. Please find the same in the attached report.



Environment

UIM 8.x

Resolution

The cipher vulnerability issue is fixed. The tool nmap was used to find the cipher vulnerabilities, and the fix below is based on its output. If the customer is using a different tool, the reported vulnerabilities might vary; in that case we need the complete scan report. Follow the steps below to apply the fix in the customer's environment.

1) Open Infrastructure Manager
2) Select the wasp probe on the UMP machine
3) Open Raw Configure of the wasp probe (Shift key + mouse right click)
4) Select 'setup' in the left pane
5) Select the https_ciphers key in the right pane and click the 'Edit key' button
6) In the popup that opens, copy the 'Enter new_value' field value and save it somewhere as a backup
7) Copy the text below

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV

8) Delete the existing value of the 'Enter new_value' field and paste the copied value into the field
9) Click 'Ok' to save
10) wasp will now restart
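A way to sanity-check the value before pasting it into the https_ciphers key, and to confirm after the wasp restart that a fresh nmap scan no longer shows anything outside that list. This is an added example, not code from the article or from the UIM/wasp product. It assumes the key holds a comma-separated list of JSSE cipher suite names, as the steps above show, and that nmap's ssl-enum-ciphers script prints suites in its usual 'NAME (params) - GRADE' form. The nmap output embedded in it is constructed, and the audit categories (3DES, CBC mode, no forward secrecy) are a generic policy assumed here so that a customer scanning with a stricter tool than the one used for this fix can see in advance which entries are likely to be reported.

```python
"""Check a wasp https_ciphers value and compare it with an nmap cipher scan.

Added example; not part of the KB article or of the UIM/wasp product.
Assumptions: the https_ciphers key holds a comma-separated list of JSSE
cipher suite names, and nmap's ssl-enum-ciphers script lists accepted
suites as 'NAME (params) - GRADE'.
"""
import re

# The value from step 7 of the article (JSSE names). The last entry is the
# renegotiation signalling value (SCSV), not a real cipher.
NEW_HTTPS_CIPHERS = (
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,"
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,"
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
)

SUITE_NAME = re.compile(r"^TLS_[A-Z0-9_]+$")


def parse_cipher_list(value):
    """Split the key value, drop blanks and duplicates, reject malformed names."""
    suites = []
    for raw in value.split(","):
        name = raw.strip()
        if not name:
            continue
        if not SUITE_NAME.match(name):
            raise ValueError("malformed cipher suite name: %r" % name)
        if name not in suites:
            suites.append(name)
    return suites


def audit(suites):
    """Group suites that a stricter scanner policy (assumed here) may flag:
    3DES (64-bit block), CBC mode, and static RSA / static ECDH key exchange."""
    findings = {"3des": [], "cbc": [], "no_forward_secrecy": []}
    for s in suites:
        if s.endswith("_SCSV"):
            continue  # signalling value, not a cipher
        if "3DES" in s:
            findings["3des"].append(s)
        if "_CBC_" in s:
            findings["cbc"].append(s)
        if s.startswith(("TLS_RSA_WITH_", "TLS_ECDH_")):  # not TLS_ECDHE_
            findings["no_forward_secrecy"].append(s)
    return findings


# Constructed sample of 'nmap --script ssl-enum-ciphers -p 443 <ump-host>'
# output in the script's usual layout; not a real scan of any host.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     cipher preference: server
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|_  least strength: C
"""

NMAP_SUITE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(.*?\)\s+-\s+([A-F])\s*$")


def parse_nmap_enum(output):
    """Return {suite: grade} for every suite nmap saw the server accept."""
    offered = {}
    for line in output.splitlines():
        m = NMAP_SUITE.match(line)
        if m:
            offered[m.group(1)] = m.group(2)
    return offered


def unexpected_suites(offered, allowed):
    """Suites the server still accepts that are not in the configured list."""
    return sorted(set(offered) - set(allowed))


if __name__ == "__main__":
    configured = parse_cipher_list(NEW_HTTPS_CIPHERS)
    for category, names in audit(configured).items():
        print(category, len(names))
    print("offered but not configured:",
          unexpected_suites(parse_nmap_enum(SAMPLE_NMAP_OUTPUT), configured))
```

Run it against the real nmap output of the UMP host after the wasp restart: anything returned by unexpected_suites means the new value did not take effect (for example a paste error or the probe not restarting), and a non-empty 3des list tells you in advance that a scanner flagging 64-bit block ciphers will still report those three entries even though the nmap run used for this fix did not.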

Additional Information

When a URL is entered, the browser attempts to establish a connection with the host server and checks for a valid SSL certificate. If the browser cannot complete these checks, it produces the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
Please verify whether the error occurs in one particular browser or in all browsers. In the screenshot the customer is using IE; check with Chrome as well. Sometimes this issue occurs when the browser has not been upgraded properly.

Try the methods below and let us know whether the issue is resolved.

Method 1. Delete browser cache and cookies:

Open Google Chrome and go to Menu > Settings
Scroll down and click Advanced
Locate Clear browsing data and click on it
Then select the time range 'All time', select Cookies and other site data and Cached images and files, and press Clear data

Method 2. Enable TLS 1.3:

Open the Google Chrome browser.
Type chrome://flags into the address field and press Enter.
Press CTRL + F, type TLS 1.3 and press OK to locate the section.
Enable TLS 1.3.

Watch this video for more information.

https://www.youtube.com/watch?v=SV2mq8Mgd8g

Attachments

1558689377839000128457_sktwi1f5rjvs16fxm.png