Qualys scan ID 38142 - SSL Server Allows Anonymous Authentication Vulnerability - on dxserver port 509

Article ID: 232099


Products

Autosys Workload Automation

Issue/Introduction

The security scanning team identified a severity 4 vulnerability (QID 38142), SSL Server Allows Anonymous Authentication Vulnerability, on TCP port 509, which belongs to the dxserver component:

# netstat -ntulp | grep :509
tcp        0      0 <ip address>:509       0.0.0.0:*               LISTEN      3545545/dxserver
udp        0      0 0.0.0.0:509             0.0.0.0:*                           3545545/dxserver

Would you please advise whether it is possible to mitigate this vulnerability? The suggested action from Qualys is: "Disable support for anonymous authentication to mitigate this vulnerability."

Environment

Release : 12.0

Component : Embedded Entitlements Manager

Resolution

You can configure a cipher of your choice so that port 509 negotiates only that cipher and no longer accepts anonymous (NULL-authentication) cipher suites, which is what QID 38142 reports.

This is done with the cipher attribute in the following dxc file:

/opt/CA/Directory/dxserver/config/ssld/itechpoz.dxc

#
# eiam repository
#
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "ECDHE-RSA-AES256-GCM-SHA384"
protocol = tls
};

OpenSSL s_client output after restricting the server to the ECDHE cipher. The client is told to offer only anonymous suites (-cipher aNULL), so the handshake now fails and no cipher is negotiated:

# openssl s_client -connect <eem hostname>:509 -cipher aNULL
WARNING: can't open config file: C:/OpenSSL/openssl.cnf
CONNECTED(00000238)
25612:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 170 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1638514009
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

...

cipher = "ECDHE-RSA-AES256-GCM-SHA384"
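As an added example (not part of the article and not CA/Broadcom code), the following POSIX shell script wraps the same openssl s_client check so it can be repeated against the EEM host after the dxc change. It assumes openssl(1) is on PATH; host and port are arguments, and the embedded transcripts are constructed samples used only for offline self-checking.

```shell
#!/bin/sh
# Added example, not code from the article or from CA/Broadcom: verify from a
# shell that the dxserver listener rejects anonymous cipher suites after the
# dxc change. Assumes openssl(1) is on PATH; host and port come from the caller.

# Print the cipher suite negotiated in an openssl s_client transcript, or NONE
# when the handshake failed (s_client then prints "Cipher is (NONE)").
negotiated_cipher() {
    printf '%s\n' "$1" | awk '/^New, / { c = $NF; gsub(/[()]/, "", c); print c; exit }'
}

# Exit 0 when the transcript shows that an anonymous (ADH/AECDH) suite was
# negotiated, i.e. QID 38142 would still be reported; exit 1 otherwise.
anon_suite_negotiated() {
    case "$(negotiated_cipher "$1")" in
        NONE|"") return 1 ;;
        *)       return 0 ;;
    esac
}

# Probe HOST PORT offering only anonymous suites. -cipher aNULL limits the
# client to unauthenticated suites, so any completed handshake proves the
# server still accepts them. -no_tls1_3 (OpenSSL 1.1.1+) keeps the server
# from answering with an authenticated TLS 1.3 suite; drop it on older builds.
probe_anon() {
    out=$(openssl s_client -connect "$1:$2" -cipher aNULL -no_tls1_3 </dev/null 2>&1)
    case "$out" in
        *CONNECTED*) ;;
        *) echo "ERROR: no TCP connection to $1:$2"; return 2 ;;
    esac
    if anon_suite_negotiated "$out"; then
        echo "FAIL: $1:$2 negotiated $(negotiated_cipher "$out") with an anonymous client"
        return 1
    fi
    echo "OK: $1:$2 rejected anonymous cipher suites"
}

# Constructed transcripts (abridged, not captured from a real EEM host) so the
# parsing can be exercised offline.
SAMPLE_FIXED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'
SAMPLE_VULNERABLE='CONNECTED(00000003)
New, TLSv1.2, Cipher is ADH-AES256-GCM-SHA384
Secure Renegotiation IS supported'

if [ "$#" -eq 2 ]; then
    probe_anon "$1" "$2"
fi
```

Run it as `sh check_anon.sh <eem hostname> 509`; a FAIL line means the listener still completes a handshake with a client that offers no authenticated suites.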

Certificates were generated upon the installation as follows:

[<EEM hostname>] modifycerts
INFO  - Enter Certificate Key Length [default = 1024]
INFO  -    [1] 1024
INFO  -    [2] 2048
INFO  -    [3] 4096
Select key length from [1 - 3] : 2
INFO  - Enter Digest Algorithm [default = SHA256]
INFO  -    [1] SHA1
INFO  -    [2] SHA256
INFO  -    [3] SHA384
INFO  -    [4] SHA512
Select Digest algorithm from [1 - 4] : 2
=======================================================
INFO  - Summary
=======================================================
INFO  - Upgrading all certificates to key length: [2048]
INFO  - Upgrading all certificates to [digest algorithm : SHA256]