UIM Vulnerabilities: SSLv3 and TLS 1.0 detected

book

Article ID: 210695

calendar_today

Updated On:

Products

DX Infrastructure Management

Issue/Introduction

The following vulnerabilities were detected

48003   "The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.

|-Subject             : C=SG/ST=Singapore/L=Singapore/O=MAS/OU=ITD/[email protected]/CN=Tunnel CA - MP01_primary_hub

|-Signature Algorithm : SHA-1 With RSA Encryption

|-Valid From          : Jun 17 09:04:20 2017 GMT

|-Valid To            : Jun 16 09:04:20 2027 GMT

 

|-Subject             : C=SG/ST=Singapore/L=Singapore/O=MAS/OU=ITD/[email protected]/CN=xx.xxx.xx.xxx

|-Signature Algorithm : SHA-1 With RSA Encryption

|-Valid From          : Jun 17 09:04:21 2017 GMT

|-Valid To            : Jun 16 09:04:21 2027 GMT"

 

4334      "The following certificates were part of the certificate chain

sent by the remote host, but contain RSA keys that are considered

to be weak :

 

|-Subject        : C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown

|-RSA Key Length : 1024 bits"

 

 

4334      "Vulnerable connection combinations :

 

  SSL/TLS version  : TLSv1.0

  Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA

  Diffie-Hellman MODP size (bits) : 1024

    Warning - This is a known static Oakley Group2 modulus. This may make the remote host more vulnerable to the Logjam attack.

  Logjam attack difficulty : Hard (would require nation-state resources)

 

  SSL/TLS version  : TLSv1.0

  Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA

  Diffie-Hellman MODP size (bits) : 1024

    Warning - This is a known static Oakley Group2 modulus. This may make    the remote host more vulnerable to the Logjam attack.

  Logjam attack difficulty : Hard (would require nation-state resources)

 

  SSL/TLS version  : TLSv1.1

  Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA

  Diffie-Hellman MODP size (bits) : 1024

    Warning - This is a known static Oakley Group2 modulus. This may make    the remote host more vulnerable to the Logjam attack.

  Logjam attack difficulty : Hard (would require nation-state resources)

 

  SSL/TLS version  : TLSv1.1

  Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA

  Diffie-Hellman MODP size (bits) : 1024

    Warning - This is a known static Oakley Group2 modulus. This may make

    the remote host more vulnerable to the Logjam attack.

  Logjam attack difficulty : Hard (would require nation-state resources)"

 

4334      Plugin Output: TLSv1 is enabled and the server supports at least one cipher.

 

 

Environment

Release : 20.3

Component : UIM OPERATOR CONSOLE - ALARM VIEWER

Resolution

Please find the answers inline in bold

48003   "The following certificates were part of the certificate chain sent by

the remote host, but contain hashes that are considered to be weak

|-Subject             : C=SG/ST=Singapore/L=Singapore/O=MAS/OU=ITD/[email protected]/CN=Tunnel CA - MPNIMP01_primary_hub

|-Signature Algorithm : SHA-1 With RSA Encryption

|-Valid From          : Jun 17 09:04:20 2017 GMT

|-Valid To            : Jun 16 09:04:20 2027 GMT

 

|-Subject             : C=SG/ST=Singapore/L=Singapore/O=MAS/OU=ITD/[email protected]/CN=xx.xxx.xx.xxx

|-Signature Algorithm : SHA-1 With RSA Encryption

|-Valid From          : Jun 17 09:04:21 2017 GMT

|-Valid To            : Jun 16 09:04:21 2027 GMT"

Secure version of hub uses sha384 hash under sha384ECDSA signature algorithm.

 

4334      "The following certificates were part of the certificate chain

sent by the remote host, but contain RSA keys that are considered

to be weak :

 

|-Subject        : C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown

|-RSA Key Length : 1024 bits"

Secure version of hub uses ECDSA (Elliptic Curve Digital Signature Algorithm). ECDSA uses DSA instead of RSA.

 

4334      "Vulnerable connection combinations :

 

  SSL/TLS version  : TLSv1.0

  Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA

  Diffie-Hellman MODP size (bits) : 1024

    Warning - This is a known static Oakley Group2 modulus. This may make  the remote host more vulnerable to the Logjam attack.

  Logjam attack difficulty : Hard (would require nation-state resources)

 

  SSL/TLS version  : TLSv1.0

  Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA

  Diffie-Hellman MODP size (bits) : 1024

    Warning - This is a known static Oakley Group2 modulus. This may make

    the remote host more vulnerable to the Logjam attack.

  Logjam attack difficulty : Hard (would require nation-state resources)

 

  SSL/TLS version  : TLSv1.1

  Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA

  Diffie-Hellman MODP size (bits) : 1024

    Warning - This is a known static Oakley Group2 modulus. This may make  the remote host more vulnerable to the Logjam attack.

  Logjam attack difficulty : Hard (would require nation-state resources)

 

  SSL/TLS version  : TLSv1.1

  Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA

  Diffie-Hellman MODP size (bits) : 1024

    Warning - This is a known static Oakley Group2 modulus. This may make the remote host more vulnerable to the Logjam attack.

  Logjam attack difficulty : Hard (would require nation-state resources)"

 

4334      Plugin Output: TLSv1 is enabled and the server supports at least one cipher.

 

Both secure and non-secure Hub uses TLS1.2 in 9.32 version. Hub is not using TLS1.0 or TLS1.1 anymore. The suggestion is to use secure version of hub & robot 9.32 to avoid these vulnerabilities