
Disabling CBC cipher for the Endpoint Protection Manager


Article ID: 257539

Products

Endpoint Protection

Issue/Introduction

NMAP vulnerability testing performed on a server running the Symantec Endpoint Protection Manager (SEPM) may raise an alert for use of a weak CBC cipher. To address this alert, and to mitigate possible exploitation of the weak cipher, it becomes necessary to disable the weak CBC cipher on the SEPM server.

Cause

A vulnerable cipher that some organizations may need to disable to comply with vulnerability scanning requirements.

Resolution

To disable CBC for client communications and SEPM Reporting functions, make the following changes:

1.) Create backups first, then edit the ssl.conf and sslForClients.conf files in the following path:
\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl

2.) Locate the following line (the same line is found in both files):
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:3DES:!RC4

3.) In both files, at the end of the line containing the string SSLCipherSuite, add "!SHA1:!SHA256:!SHA384" (without the double quotes), so that the line reads:
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!SHA1:!SHA256:!SHA384

4.) Save the changes made to each file.
 
5.) Reboot the SEPM server, or restart the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.

 

To disable CBC for internal SEPM server communications and web services:

  1. Create a backup of the following files
    • .../tomcat/conf/server.xml
    • .../tomcat/instances/sepm-api/conf/server.xml
  2. Edit .../tomcat/conf/server.xml
    1. Locate the line containing the string SSLCipherSuite and at the end of the line add: "!SHA1:!SHA256:!SHA384" (without the double quotes), for example:
      • SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!SHA1:!SHA256:!SHA384
    2. Save the file
  3. Repeat Step 2 for the file .../tomcat/instances/sepm-api/conf/server.xml
  4. Restart the following SEPM Services
    • Symantec Endpoint Protection Manager
    • Symantec Endpoint Protection Manager API Service
    • Symantec Endpoint Protection Manager Webserver
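Both procedures above boil down to the same edit: append three exclusion tokens to every SSLCipherSuite value, after taking a backup. In OpenSSL cipher-string syntax, `!SHA1`, `!SHA256` and `!SHA384` permanently exclude suites whose MAC is that HMAC, which is what removes the CBC suites while leaving the AEAD (GCM) suites in place. The script below is an added example, not Broadcom or SEPM code; it performs that edit idempotently on the Apache directive form (ssl.conf, sslForClients.conf) and on the Tomcat attribute form (server.xml), backs the file up first, and is a no-op on a file that already carries the tokens. The file names and the sample configuration text in it are constructed for illustration.

```python
"""Idempotently append the CBC-exclusion tokens from the article to every
SSLCipherSuite value in an Apache ssl.conf / sslForClients.conf or a Tomcat
server.xml, after taking a backup. Added example; not Broadcom/SEPM code.
File names and the sample config text are constructed for illustration."""
import re
import shutil
import tempfile
from pathlib import Path

# Tokens the article appends (OpenSSL cipher-string syntax; '!' = exclude permanently).
CBC_EXCLUSIONS = ("!SHA1", "!SHA256", "!SHA384")

# Matches either the Apache directive form  `SSLCipherSuite HIGH:...`
# or the Tomcat APR-connector attribute form `SSLCipherSuite="HIGH:..."`.
# Group 1 is the prefix up to the value, group 2 is the cipher string itself.
_CIPHER_LINE = re.compile(r'(SSLCipherSuite(?:\s*=\s*"|\s+))([^"\s]+)')


def missing_exclusions(cipher_string: str) -> list[str]:
    """Return the exclusion tokens not yet present in the cipher string."""
    present = set(cipher_string.split(":"))
    return [tok for tok in CBC_EXCLUSIONS if tok not in present]


def harden_cipher_string(cipher_string: str) -> str:
    """Append only the tokens that are missing, so re-running is a no-op."""
    return ":".join([cipher_string, *missing_exclusions(cipher_string)])


def harden_config_text(text: str) -> tuple[str, int]:
    """Rewrite every SSLCipherSuite value in `text`; return (new_text, changed_count)."""
    changed = 0

    def _sub(m: re.Match) -> str:
        nonlocal changed
        new_value = harden_cipher_string(m.group(2))
        if new_value != m.group(2):
            changed += 1
        return m.group(1) + new_value

    return _CIPHER_LINE.sub(_sub, text), changed


def harden_file(path: Path) -> int:
    """Edit `path` in place; a `<name>.bak` copy is written first (the article's
    'create backups first' step) and only when something actually changes, so a
    second run neither rewrites the file nor clobbers the backup."""
    original = path.read_text(encoding="utf-8")
    new_text, changed = harden_config_text(original)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return changed


# Constructed sample inputs: one Apache-style file and one Tomcat-style snippet.
SAMPLE_SSL_CONF = (
    "SSLEngine on\n"
    "SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4\n"
    "SSLProtocol all -SSLv2 -SSLv3\n"
)
SAMPLE_SERVER_XML = (
    '<Connector port="8443" scheme="https" secure="true"\n'
    '           SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" />\n'
)


def demo() -> dict:
    """Run the edit twice against the constructed samples in a temp dir and report."""
    with tempfile.TemporaryDirectory() as tmp:
        ssl_conf = Path(tmp) / "ssl.conf"
        server_xml = Path(tmp) / "server.xml"
        ssl_conf.write_text(SAMPLE_SSL_CONF, encoding="utf-8")
        server_xml.write_text(SAMPLE_SERVER_XML, encoding="utf-8")
        first = {p.name: harden_file(p) for p in (ssl_conf, server_xml)}
        second = {p.name: harden_file(p) for p in (ssl_conf, server_xml)}  # idempotent
        return {
            "first_run": first,
            "second_run": second,
            "backup_exists": (Path(tmp) / "ssl.conf.bak").exists(),
            "ssl_conf": ssl_conf.read_text(encoding="utf-8"),
            "server_xml": server_xml.read_text(encoding="utf-8"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real SEPM host you would call `harden_file()` on the four files the article names and then restart the listed services; the script does not touch services, and it deliberately refuses to overwrite an existing backup on a second run.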

Additional Information

An NMAP test scan of the ports in question can be run from the command line:

C:\Users\Administrator>nmap --script ssl-enum-ciphers -p 8443 xx.xx.xx.xx
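Reading the ssl-enum-ciphers output by eye is error-prone when several ports and protocol versions are listed, so the following added example (not part of the article) parses nmap's normal text output and lists every CBC suite still offered, per port and per protocol version. It relies on IANA cipher-suite names spelling out the mode (`..._CBC_...`), which is what nmap prints. The sample scan text embedded in it is constructed and is not output from a real SEPM host.

```python
"""Parse `nmap --script ssl-enum-ciphers` text output and report any CBC suite
still offered, so the change from the article can be verified per port and per
protocol version. Added example, not part of the article; the sample scan
output below is constructed (it is not output from a real SEPM host)."""
import re
import sys

# Constructed sample: what a scan of port 8443 might print before the change.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A
"""

_PORT_LINE = re.compile(r"^(\d+)/tcp\s+open")
_PROTO_LINE = re.compile(r"^(SSLv\d|TLSv\d(?:\.\d)?):$")
_CIPHER_LINE = re.compile(r"^(TLS_[A-Z0-9_]+)")


def parse_offered_ciphers(output: str) -> dict[tuple[int, str], list[str]]:
    """Return {(port, protocol): [cipher names]} from nmap's normal text output."""
    offered: dict[tuple[int, str], list[str]] = {}
    port, proto = None, None
    for raw in output.splitlines():
        m = _PORT_LINE.match(raw)
        if m:
            port, proto = int(m.group(1)), None  # new port block resets the protocol
            continue
        # Strip nmap's script-output gutter ("| " / "|_") and the indentation.
        line = raw.lstrip("|_ ").strip()
        m = _PROTO_LINE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = _CIPHER_LINE.match(line)
        if m and port is not None and proto is not None:
            offered.setdefault((port, proto), []).append(m.group(1))
    return offered


def is_cbc(cipher: str) -> bool:
    """IANA names spell the mode out (e.g. ..._AES_128_CBC_SHA); GCM and
    CHACHA20 suites are AEAD and carry no CBC token."""
    return "_CBC_" in cipher


def remaining_cbc(output: str) -> list[tuple[int, str, str]]:
    """Flat list of (port, protocol, cipher) for every CBC suite still offered."""
    return [
        (port, proto, cipher)
        for (port, proto), ciphers in parse_offered_ciphers(output).items()
        for cipher in ciphers
        if is_cbc(cipher)
    ]


def scan_passes(output: str) -> bool:
    """True when the scan shows no CBC suite on any scanned port."""
    return not remaining_cbc(output)


if __name__ == "__main__":
    # Usage: python check_cbc.py scan.txt   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NMAP_OUTPUT
    for port, proto, cipher in remaining_cbc(text):
        print(f"CBC still offered on port {port} ({proto}): {cipher}")
    print("PASS" if scan_passes(text) else "FAIL")
```

Save the article's scan to a file (for example `nmap --script ssl-enum-ciphers -p 8443 xx.xx.xx.xx > scan.txt`) and pass that file to the script after the services have been restarted; an empty CBC list confirms the edit took effect on that port.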