Disabling CBC cipher for the Endpoint Protection Manager



Article ID: 257539


Products

Endpoint Protection

Issue/Introduction

NMAP vulnerability testing performed against a server running the Symantec Endpoint Protection Manager (SEPM) may raise an alert for the use of a weak CBC cipher. To clear this alert, and to mitigate possible exploitation of the weak cipher, it becomes necessary to disable the weak CBC cipher on the SEPM server.

Cause

A vulnerable cipher that some organizations may need to disable to comply with vulnerability scanning requirements.

Resolution

To disable CBC for client communications and SEPM Reporting functions, make the following changes:

1) Create backups first, then edit the ssl.conf and sslForClients.conf files within the following path:

\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl


2) Locate the following line (the same line is found in both files):
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!kDH:!SHA1


3) At the end of the line, in both files, add ":!SHA256:!SHA384" (without the double quotes):

SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!kDH:!SHA1:!SHA256:!SHA384

4) Save the changes made to each file.

5) Reboot the SEPM server or restart the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.

To disable CBC for internal SEPM server communications and web services:

  • Create a backup of the following files
    • .../tomcat/conf/server.xml
    • .../tomcat/instances/sepm-api/conf/server.xml
  • Edit .../tomcat/conf/server.xml
    • Locate the line containing the string SSLCipherSuite and, at the end of the SSLCipherSuite value, add ":!SHA256:!SHA384" (without the double quotes). Example:
      • SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!kDH:!SHA1:!SHA256:!SHA384"
    • Save the file.
  • Repeat the same edit for the file .../tomcat/instances/sepm-api/conf/server.xml
  • Restart the following SEPM Services
    • Symantec Endpoint Protection Manager
    • Symantec Endpoint Protection Manager API Service
    • Symantec Endpoint Protection Manager Webserver
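The Apache and Tomcat edits above are the same change in two syntaxes: the OpenSSL keywords SHA256 and SHA384 select the cipher suites that use those hashes as their HMAC, which are the CBC suites, while the AEAD (GCM/CCM) suites are not matched and stay enabled. The script below is an added example, not Broadcom/Symantec code or a supported tool: it appends the two exclusions to an SSLCipherSuite line once (re-running it changes nothing), handles both the Apache directive form and the double-quoted Tomcat attribute form, writes a .bak copy before touching a file, and reports how many lines it changed, so a count of 0 tells you the line was not in the expected form and needs a manual look. The sample ssl.conf and server.xml excerpts are constructed from the directive quoted in this article; the other Connector attributes are assumed.

```python
"""Append ':!SHA256:!SHA384' to SSLCipherSuite settings in the SEPM Apache
(ssl.conf, sslForClients.conf) and Tomcat (server.xml) files, with a backup.
Added example; this is not Broadcom/Symantec code."""
import re
import shutil
import tempfile
from pathlib import Path

EXCLUSIONS = ("!SHA256", "!SHA384")   # OpenSSL keywords matching the CBC-with-SHA2 suites

# Apache directive form:  SSLCipherSuite HIGH:!MEDIUM:...  (directive, whitespace, value)
_APACHE_RE = re.compile(r'^(?P<indent>\s*)SSLCipherSuite\s+(?P<suites>\S+)\s*$')
# Tomcat attribute form:  SSLCipherSuite="HIGH:!MEDIUM:..."  (double-quoted attribute value)
_TOMCAT_RE = re.compile(r'SSLCipherSuite\s*=\s*"(?P<suites>[^"]*)"')


def harden_suites(suites: str) -> str:
    """Append each exclusion keyword once; an already-hardened list is returned unchanged."""
    parts = suites.split(":")
    for keyword in EXCLUSIONS:
        if keyword not in parts:
            parts.append(keyword)
    return ":".join(parts)


def harden_line(line: str) -> str:
    """Rewrite one config line; lines without an SSLCipherSuite setting come back unchanged."""
    body = line.rstrip("\r\n")
    newline = line[len(body):]          # preserve the file's own line ending
    m = _APACHE_RE.match(body)
    if m:
        return f'{m.group("indent")}SSLCipherSuite {harden_suites(m.group("suites"))}{newline}'
    body = _TOMCAT_RE.sub(lambda t: f'SSLCipherSuite="{harden_suites(t.group("suites"))}"', body)
    return body + newline


def patch_file(path: Path) -> int:
    """Back up path to <name>.bak and rewrite it; return the number of lines changed."""
    lines = path.read_text(encoding="utf-8").splitlines(keepends=True)
    new_lines = [harden_line(line) for line in lines]
    changed = sum(1 for old, new in zip(lines, new_lines) if old != new)
    if changed:                          # only touch the file (and its backup) when needed
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text("".join(new_lines), encoding="utf-8")
    return changed


SAMPLE_SSL_CONF = (   # constructed excerpt modelled on the directive quoted in the article
    "# ssl.conf (constructed sample)\n"
    "SSLProtocol -all +TLSv1.2\n"
    "SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!kDH:!SHA1\n"
)
SAMPLE_SERVER_XML = (  # constructed excerpt; attributes other than SSLCipherSuite are assumed
    '<Connector port="8446" SSLEnabled="true"\n'
    '           SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!kDH:!SHA1" />\n'
)


def demo() -> tuple:
    """Patch both samples in a temp dir twice; the second run must change nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        targets = {Path(tmp) / "ssl.conf": SAMPLE_SSL_CONF,
                   Path(tmp) / "server.xml": SAMPLE_SERVER_XML}
        for path, content in targets.items():
            path.write_text(content, encoding="utf-8")
        first = sum(patch_file(p) for p in targets)
        second = sum(patch_file(p) for p in targets)
        backups = sorted(p.name for p in Path(tmp).glob("*.bak"))
        return first, second, backups


if __name__ == "__main__":
    print(demo())   # (2, 0, ['server.xml.bak', 'ssl.conf.bak'])
```

To use it on a real server, call patch_file() on each of the files named in this article and then restart the services listed above; the Tomcat pattern deliberately requires a closing double quote, so it will not corrupt an attribute it does not fully recognise.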

To disable specific CBC and RSA cipher suites:

To achieve this, convert them to the equivalent cipher suite keywords in OpenSSL:

  • Navigate to <SEPM>tomcat\instances\sepm-api\conf
  • Locate server.xml and make a backup copy before editing
  • On lines 10 and 13, replace the content of SSLCipherSuite with the following:

Example: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CCM_8,TLS_DHE_RSA_WITH_AES_256_CCM,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CCM_8,TLS_DHE_RSA_WITH_AES_128_CCM


Note: The keyword values may change based on your requirements.

  • Save the file and restart the SEPM API service (Symantec Endpoint Protection Manager API Service).

Note: The original list of cipher suites was created for compatibility and includes less secure options, although these remain challenging to exploit. After replacing the list with a more secure one, you must ensure that communication via port 8446 (SEPM API) continues to function correctly.

Additional Information

An NMAP test scan of the ports in question can be run from the command line:

C:\Users\Administrator>nmap --script ssl-enum-ciphers -p 8443 xx.xx.xx.xx
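After the change, the useful check is whether the scan output still lists any CBC suite for any protocol version. The parser below is an added example, not part of this article or of Nmap itself: it reads the text produced by the ssl-enum-ciphers script, groups the offered suites by protocol, and returns only the CBC ones, which is the same question the vulnerability scanner asks. The scan output embedded in it is a constructed sample in the script's output format (the article's xx.xx.xx.xx placeholder is kept as-is), not a capture from a real SEPM host; IANA suite names spell the mode out, so a suite is CBC exactly when its name contains "_CBC_".

```python
"""Parse `nmap --script ssl-enum-ciphers` output and list any CBC cipher
suites still offered, per protocol version. Added example; not part of
the Broadcom article or of Nmap."""
import re
import sys

# Constructed sample in the ssl-enum-ciphers output format; NOT a real scan.
SAMPLE_SCAN = """\
Nmap scan report for xx.xx.xx.xx
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Protocol header lines look like "|   TLSv1.2:"; suite lines start with the IANA name.
_PROTO_RE = re.compile(r"^\|\s+(?P<proto>SSLv3|TLSv1(?:\.\d)?):\s*$")
_SUITE_RE = re.compile(r"^\|\s+(?P<suite>TLS_[A-Z0-9_]+)\b")


def is_cbc(suite: str) -> bool:
    """IANA suite names spell out the mode, so CBC suites contain '_CBC_'."""
    return "_CBC_" in suite


def parse_enum_ciphers(text: str) -> dict:
    """Return {protocol: [suites offered]} from ssl-enum-ciphers output."""
    offered, proto = {}, None
    for line in text.splitlines():
        m = _PROTO_RE.match(line)
        if m:
            proto = m.group("proto")
            offered.setdefault(proto, [])
            continue
        m = _SUITE_RE.match(line)
        if m and proto is not None:      # suite lines before any protocol header are ignored
            offered[proto].append(m.group("suite"))
    return offered


def cbc_findings(text: str) -> dict:
    """Return {protocol: [CBC suites]}, listing only protocols that still offer CBC."""
    findings = {}
    for proto, suites in parse_enum_ciphers(text).items():
        cbc = [s for s in suites if is_cbc(s)]
        if cbc:
            findings[proto] = cbc
    return findings


if __name__ == "__main__":
    # Pipe real scan output on stdin, or run with no input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    found = cbc_findings(text)
    for proto, suites in found.items():
        print(f"{proto}: {len(suites)} CBC suite(s) still offered")
        for s in suites:
            print(f"  {s}")
    sys.exit(1 if found else 0)          # non-zero exit makes this usable as a post-change gate
```

Running the scan command from the article with its output piped into this script (once for 8443 and once for 8446) gives a pass/fail result you can keep with the change record; an empty result after the restart is what the vulnerability scanner should then agree with.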