We need help fixing some vulnerabilities on a CA WAAE 12.0.1 server with the EEM utility.
I've got a list of vulnerabilities from Qualys that involve port 509. As I understand it, all of them belong to dxserver or EEM.
- Secure Sockets Layer/Transport Layer Security (SSL/TLS) Use of Weak Cipher Rivest Cipher 4 (RC4/ARC4/ARCFOUR)
- SSL Server Allows Anonymous Authentication Vulnerability
- Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
Release : 12.0
Component : CA Workload Automation AE (AutoSys)
You can configure a cipher suite of your choice (one supported by CA Directory) so that port 509 negotiates only that suite and no longer accepts NULL (anonymous) ciphers.
This is done in the following dxc file:
/opt/CA/Directory/dxserver/config/ssld/itechpoz.dxc
#
# eiam repository
#
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "ECDHE-RSA-AES256-GCM-SHA384"
protocol = tls
};
OpenSSL s_client output after enabling the ECDHE cipher. The probe below offers only anonymous (aNULL) suites, so a hardened server should refuse the handshake, which is what "Cipher is (NONE)" shows:
#openssl s_client -connect CADirectory-Hostname.Company.com:509 -cipher aNULL
WARNING: can't open config file: C:/OpenSSL/openssl.cnf
CONNECTED(00000238)
25612:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 170 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1638514009
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Also CVE-2016-2183 (Sweet32, 64-bit block ciphers such as 3DES), CVE-2013-2566 and CVE-2015-2808 (RC4) can be avoided by configuring a cipher from the ECDHE-* or DHE-* suites, as in the example above.
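The two steps above, checking the cipher value in the dxc file and reading the result of an openssl s_client probe, can be scripted so the change is verified the same way each time. The following is an added example written for this article; it is not CA Directory or Broadcom code. It assumes the `set ssl = { ... };` layout shown above, an OpenSSL-style cipher string in the `cipher` field, and the "New, <proto>, Cipher is <name>" line that openssl s_client prints. The sample dxc text and the two probe transcripts are constructed from the output on this page.

```python
import re
import sys

# Tokens that mark a suite name as weak for the findings on this page:
# RC4, DES/3DES (64-bit blocks, Sweet32), NULL encryption and anonymous
# key exchange (ADH/AECDH). EXP/MD5/IDEA/SEED are included as a matter of course.
WEAK_TOKENS = {"RC4", "DES", "NULL", "ADH", "AECDH", "EXP", "MD5", "IDEA", "SEED"}

# Key-exchange prefixes that provide forward secrecy (the ECDHE-*/DHE- families).
PFS_PREFIXES = ("ECDHE-", "DHE-")

# Constructed copy of the itechpoz.dxc ssl block from the article.
SAMPLE_DXC = """#
# eiam repository
#
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "ECDHE-RSA-AES256-GCM-SHA384"
protocol = tls
};
"""

# Constructed probe transcripts (abridged): a rejected aNULL probe, as on the
# page, and a hypothetical accepted probe with the configured suite.
REJECTED_PROBE = """CONNECTED(00000238)
25612:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
New, (NONE), Cipher is (NONE)
"""
ACCEPTED_PROBE = """CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
"""


def parse_ssl_block(text):
    """Return the key/value pairs inside `set ssl = { ... };` as a dict.
    Comment lines (#) are skipped; values may be quoted or bare."""
    m = re.search(r"set\s+ssl\s*=\s*\{(.*?)\}\s*;", text, re.S)
    if not m:
        raise ValueError("no 'set ssl = { ... };' block found")
    settings = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_cipher_spec(spec):
    """Classify each entry of an OpenSSL-style cipher string.
    Returns (weak, no_pfs, unresolved): explicit names containing a weak
    token, explicit names without ECDHE-/DHE- key exchange, and keyword
    entries (HIGH, !aNULL, @STRENGTH ...) that need `openssl ciphers -v`
    to expand before they can be judged."""
    weak, no_pfs, unresolved = [], [], []
    for name in filter(None, spec.split(":")):
        if name[0] in "!-+@" or "-" not in name:
            unresolved.append(name)
        elif WEAK_TOKENS & set(name.split("-")):
            weak.append(name)
        elif not name.startswith(PFS_PREFIXES):
            no_pfs.append(name)
    return weak, no_pfs, unresolved


def audit_dxc(text):
    """Audit the ssl block of a dxc file; 'passes' is True only when the
    protocol is tls and every explicit suite is strong with forward secrecy."""
    s = parse_ssl_block(text)
    weak, no_pfs, unresolved = audit_cipher_spec(s.get("cipher", ""))
    protocol_ok = s.get("protocol", "").lower() == "tls"
    return {"protocol_ok": protocol_ok, "weak": weak, "no_pfs": no_pfs,
            "unresolved": unresolved,
            "passes": protocol_ok and not weak and not no_pfs}


def handshake_result(s_client_output):
    """Return the suite negotiated in an openssl s_client transcript, or None
    when the server refused every offered cipher ('Cipher is (NONE)')."""
    m = re.search(r"^New, .*?, Cipher is (\S+)", s_client_output, re.M)
    if not m or m.group(1) == "(NONE)":
        return None
    return m.group(1)


if __name__ == "__main__":
    # Usage: python audit_dxc.py /opt/CA/Directory/dxserver/config/ssld/itechpoz.dxc
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_DXC
    print(audit_dxc(text))
    print("aNULL probe negotiated:", handshake_result(REJECTED_PROBE))
```

Run it against the dxc file before restarting dxserver; anything listed under `unresolved` is a keyword rather than a suite name, so expand it with `openssl ciphers -v '<spec>'` and feed the resulting names back through `audit_cipher_spec`. Pipe the output of the s_client probe from the article into `handshake_result` to confirm the anonymous suites are refused after the change.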