
Vulnerabilities under port 509


Article ID: 230168


Products

CA Workload Automation AE

Issue/Introduction

We need help fixing some vulnerabilities on a CA WAAE 12.0.1 server with the EEM utility.
I've got a list of vulnerabilities from Qualys that use port 509. As I understand it, all of them belong to dxserver or EEM.
- Secure Sockets Layer/Transport Layer Security (SSL/TLS) Use of Weak Cipher Rivest Cipher 4 (RC4/ARC4/ARCFOUR)
- SSL Server Allows Anonymous Authentication Vulnerability
- Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

 

Environment

Release : 12.0

Component : CA Workload Automation AE (AutoSys)

Resolution

You can configure a cipher of your choice (one that CA Directory supports) so that port 509 communicates using that cipher and does not allow NULL ciphers.

This can be done in the following dxc file.

/opt/CA/Directory/dxserver/config/ssld/itechpoz.dxc

#
# eiam repository
#
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "ECDHE-RSA-AES256-GCM-SHA384"
protocol = tls
};

OpenSSL s_client output after enabling the ECDHE cipher. A request that offers only anonymous (aNULL) ciphers now fails the handshake:

#openssl s_client -connect blrtest001189.bpc.broadcom.net:509 -cipher aNULL
WARNING: can't open config file: C:/OpenSSL/openssl.cnf
CONNECTED(00000238)
25612:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 170 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1638514009
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Also, CVE-2016-2183, CVE-2013-2566 and CVE-2015-2808 can be avoided by configuring cipher suites from the ECDHE-* or DHE-* families.
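
An added example, not part of the original article or any vendor tooling: a POSIX shell script that repeats the s_client check above for every cipher class named in the three scanner findings, not only aNULL. The class list, function names and script name are assumptions of this example; it also assumes the OpenSSL command-line client and a TLS 1.2 listener, as in the output above.

```shell
#!/bin/sh
# Added example (not vendor code): re-test the weak cipher classes behind the
# three scanner findings against a TLS listener such as port 509.
WEAK_CLASSES="aNULL eNULL RC4 3DES"   # OpenSSL cipher-string keywords

# Read `openssl s_client` output on stdin; print the negotiated cipher name,
# or NONE when no cipher was agreed (handshake failure, as in the run above).
negotiated_cipher() {
    awk '/Cipher is / { gsub(/\r/, ""); sub(/.*Cipher is /, ""); c = $0 }
         END { if (c == "" || c == "(NONE)") c = "NONE"; print c }'
}

# Turn a negotiated cipher into a verdict line for one weak class.
verdict() {   # $1 = cipher class, $2 = output of negotiated_cipher
    if [ "$2" = "NONE" ]; then echo "$1: REJECTED"
    else echo "$1: ACCEPTED ($2)"; fi
}

# Offer only cipher class $2 to host:port $1 and print the verdict.
probe() {
    # @SECLEVEL=0 lets OpenSSL 1.1.0+ clients offer aNULL/RC4; older builds
    # do not know the keyword, so fall back to the bare class name.
    spec="$2:@SECLEVEL=0"
    openssl ciphers "$spec" >/dev/null 2>&1 || spec="$2"
    # If the local build has no such ciphers, a failed handshake would prove
    # nothing about the server, so report that instead of REJECTED.
    if ! openssl ciphers "$spec" >/dev/null 2>&1; then
        echo "$2: UNTESTABLE (local openssl cannot offer it)"; return 0
    fi
    # -tls1_2 matches the protocol in the output above and keeps TLS 1.3
    # suites, which -cipher does not control, out of the ClientHello.
    got=$(openssl s_client -connect "$1" -tls1_2 -cipher "$spec" \
              </dev/null 2>/dev/null | negotiated_cipher)
    verdict "$2" "$got"
}

# Usage: sh check509.sh host:509   (script name is a placeholder)
if [ "$#" -ge 1 ]; then
    for class in $WEAK_CLASSES; do probe "$1" "$class"; done
fi
```

An ECDHE-* or DHE-* prefix names only the key exchange; suites such as ECDHE-RSA-RC4-SHA still use RC4 as the bulk cipher, which is why the script tests the RC4 and 3DES classes directly. Every class should report REJECTED once the `cipher` setting lists only AES-GCM suites like the one configured above.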