Weak ciphers detected by vulnerability scanner on the ProxySG appliance management console on port 8082

Article ID: 168162

Products

ProxySG Software - SGOS

Issue/Introduction

When you run an internal network vulnerability test with a vulnerability scanner, the results often indicate that the ProxySG appliance management console on port 8082 offers weak cipher suites and report this as a potential vulnerability.

Resolution

Perform the following tasks to resolve the issue.

Task 1: Determine the keyring that the Management Console uses:

  1. In the Management Console, select Services > Management Services.
  2. On the Management Services tab, select HTTPS Console and then click Edit.
  3. On the dialog that appears, locate the keyring used and record its name.

Task 2: Remove ciphers with Medium or Low strength from the keyring:

  1. In the Management Console, select Configuration > SSL > Device Profiles.
  2. In the Profiles list, select the keyring that is assigned to the Management Console and click Edit.
  3. On the dialog that appears, select Edit Ciphers.
  4. Under Selected Ciphers, select ciphers that have Medium or Low strength and then click Remove.
  5. Click OK > OK > Apply.

Task 3: Specify high-strength cipher suites for the HTTPS-Console keyring:

  1. Log in to the command line interface (CLI).
  2. Enter the following commands:

>enable
Enable Password: <password>
#conf t
Enter configuration commands, one per line.  End with CTRL-Z.
#(config)management-services
#(config management-services)edit HTTPS-Console
#(config HTTPS-Console)attribute cipher-suite des-cbc3-sha des-cbc3-md5 aes256-sha
  ok

After you apply these changes, any network vulnerability scanner will show the Management Console using strong cipher suites with 256-bit encryption.

Note: Please make sure that you enable HTTP-Console before making this change. If your browser does not support the selected cipher-suites, you'll need the HTTP-Console to access the ProxySG's Web Console. After the change to the cipher suites has been tested, you can disable the HTTP-Console.
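
Before re-running the scanner, the cipher list entered in Task 3 can be reviewed offline. The following Python script is an added example, not part of the original article or of SGOS: it parses the `attribute cipher-suite` line from a saved CLI session and checks each name for properties that scanners commonly flag. It assumes the SGOS names mirror OpenSSL's lower-cased suite names, and the rule list is this example's own, not the appliance's strength rating.

```python
import re

# Constructed sample: the CLI line from Task 3 of this article.
SAMPLE_SESSION = """\
#(config HTTPS-Console)attribute cipher-suite des-cbc3-sha des-cbc3-md5 aes256-sha
  ok
"""

# Rules keyed on name tokens. Assumption: SGOS names mirror OpenSSL's
# lower-cased suite names (des-cbc3-sha == DES-CBC3-SHA).
RULES = [
    (r"^exp\d*-|-export", "export-grade key length"),
    (r"(^|-)rc4(-|$)", "RC4 stream cipher"),
    (r"(^|-)des-cbc3(-|$)",
     "3DES: 64-bit block, about 112-bit effective key (Sweet32 class)"),
    (r"(^|-)des-cbc(-|$)", "single DES: 56-bit key"),
    (r"(^|-)md5$", "MD5-based MAC"),
    (r"(^|-)null(-|$)", "no encryption"),
]

def parse_cipher_suites(session):
    """Return the suite names from the last 'attribute cipher-suite' line."""
    suites = []
    for line in session.splitlines():
        m = re.search(r"attribute\s+cipher-suite\s+(.+)$", line.strip())
        if m:
            suites = m.group(1).lower().split()
    return suites

def key_bits(name):
    """Nominal AES key size stated in the name, or None if not stated."""
    m = re.search(r"aes(128|256)", name)
    return int(m.group(1)) if m else None

def audit(session):
    """Map each configured suite to (nominal key bits, list of findings)."""
    report = {}
    for name in parse_cipher_suites(session):
        findings = [msg for pat, msg in RULES if re.search(pat, name)]
        report[name] = (key_bits(name), findings)
    return report

if __name__ == "__main__":
    for name, (bits, findings) in audit(SAMPLE_SESSION).items():
        status = "; ".join(findings) if findings else "no finding from these rules"
        print(f"{name:14} bits={bits} {status}")
```

Any suite that comes back with findings is a candidate for removal from the `attribute cipher-suite` command before the scan is repeated.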