UIM - udm_manager probe vulnerability test

Article ID: 209130

Products

DX Infrastructure Management

Issue/Introduction

During a vulnerability test, port 4334 was flagged as having an insecure cert from CA UIM.

We assume it is from the udm_manager probe, which uses this port.

The main findings flagged by this vulnerability test are:
SSL Certificate Signed Using Weak Hashing Algorithm
SSL Certificate with Wrong Hostname
SSL Certificate Cannot Be Trusted


Is there any workaround for this?

Below is an example of the findings for SSL Certificate Cannot Be Trusted:

The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.

|-Subject : C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : Jan 29 19:36:36 2012 GMT
|-Valid To : Jan 26 19:36:36 2022 GMT

Is it possible to not use this probe also?

What functionality will be affected?

 

Environment

Release : 9.2.0/ 20.x
Component : UIM - UDM

Resolution

Port 4334 is used by the udm_manager probe to facilitate queries against the UDM data, which includes interface inventory data.

In a future UIM release, the udm_manager probe is being deprecated so this port will no longer be needed, but Broadcom is not aware of any specifically exploitable vulnerability in the probe. 

If the security or vulnerability of this port is a concern, it would be safe to use a firewall to block communication to port 4334 from the outside world.

Only the primary hub (and any HA/failover hub) and the UMP robot need access to this port internally to UIM. 

In addition, regarding the self-signed certificate: since the udm_manager probe is used only by other UIM components, unlike a web server, the certificate used by udm_manager mainly serves to set up the connection, not to establish component identity. Also, the transmitted data is metrics metadata that is interpreted only by internal UIM components.

Below are some additional steps that can be followed to disable weak algorithms and TLS versions for this probe, if required.

Note: You might need to add a space after each algorithm.

a. Create a properties file with a list of all known weak ciphers, as shown below.
The example below contains some of the weak ciphers; modify it as per your security policy.

File name in Udm_manager probe folder: disable_ciphers.properties

jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1, SSLv3, RC4, MD5withRSA, DH keySize < 768,TLSv1,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA

 

b. Update the Udm_manager configuration to use the following Java configuration parameters:

java_opts = -server -XX:ErrorFile=./hs_err_pid.log -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -Djava.security.properties=disable_ciphers.properties

 

c. Restart Udm_manager.

 

Test the connectivity using the following commands:

openssl s_client -connect xxx.xxx.xxx.xxx:4334 -tls1

openssl s_client -connect xxx.xxx.xxx.xxx:4334 -tls1_1

openssl s_client -connect xxx.xxx.xxx.xxx:4334 -tls1_2
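
The three commands above can be wrapped in a check that compares each handshake result with what disable_ciphers.properties should produce (TLSv1 and TLSv1.1 refused, TLSv1.2 still connecting). This script is an added example, not Broadcom code; the function names and the script name check_udm_tls.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Broadcom code. Usage: sh check_udm_tls.sh <host> [port]

# Classify `openssl s_client` output read on stdin.
classify_handshake() {
  # Success prints e.g. "New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256";
  # a failed handshake prints "New, (NONE), Cipher is (NONE)".
  cipher=$(sed -n 's/.*Cipher is \(.*\)$/\1/p' | head -n 1)
  if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
    echo "accepted $cipher"
  else
    echo "rejected"
  fi
}

# Policy implied by jdk.tls.disabledAlgorithms on this page:
# TLSv1 and TLSv1.1 are refused, TLSv1.2 still connects.
verdict() {  # $1 = s_client flag, $2 = classify_handshake result
  case "$1" in
    -tls1|-tls1_1) want=rejected ;;
    -tls1_2)       want=accepted ;;
    *) echo UNKNOWN; return 0 ;;
  esac
  if [ "${2%% *}" = "$want" ]; then echo PASS; else echo FAIL; fi
}

probe() {  # $1 = host, $2 = port, $3 = s_client flag
  openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

check_port() {  # $1 = host, $2 = port
  # Probe TLSv1.2 first: if it fails, the port is unreachable or the probe is
  # down, and "rejected" for the older versions would prove nothing.
  base=$(probe "$1" "$2" -tls1_2)
  echo "-tls1_2: $base [$(verdict -tls1_2 "$base")]"
  if [ "${base%% *}" != accepted ]; then
    echo "inconclusive: no TLSv1.2 handshake on $1:$2"
    return 2
  fi
  rc=0
  for flag in -tls1 -tls1_1; do
    res=$(probe "$1" "$2" "$flag")
    v=$(verdict "$flag" "$res")
    echo "$flag: $res [$v]"
    [ "$v" = PASS ] || rc=1
  done
  return $rc
}

# Run only when a host is given, so the functions can also be sourced.
if [ $# -ge 1 ]; then check_port "$1" "${2:-4334}"; fi
```

A client that cannot offer TLS 1.0/1.1 itself (OpenSSL 3.x at its default security level, for instance) also reports those versions as rejected, so run the check from a client that can still negotiate them.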