To disable CBC for client communications and SEPM Reporting functions, please make the following changes:
1.) Create backups first, then edit the ssl.conf and sslForClients.conf files within the following path:
\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl
2.) Locate the following line; the same line is found in both files:
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:3DES:!RC4
3.) In both files, locate the line containing the string SSLCipherSuite and add "!SHA1:!SHA256:!SHA384" (without the double quotes) at the end of the line:
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!SHA1:!SHA256:!SHA384
4.) Save the changes made to each file.
5.) Reboot the SEPM server, or restart the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.
To disable CBC for internal SEPM server communications and web services:
1.) Create a backup of the following files:
   - .../tomcat/conf/server.xml
   - .../tomcat/instances/sepm-api/conf/server.xml
2.) Edit .../tomcat/conf/server.xml:
   - Locate the line containing the string SSLCipherSuite and add "!SHA1:!SHA256:!SHA384" (without the double quotes) at the end of the line. Example:
   - SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!SHA1:!SHA256:!SHA384
   - Save the file.
3.) Repeat Step 2 for the file .../tomcat/instances/sepm-api/conf/server.xml
4.) Restart the following SEPM services:
   - Symantec Endpoint Protection Manager
   - Symantec Endpoint Protection Manager API Service
   - Symantec Endpoint Protection Manager Webserver
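A check for both procedures above, added here as an example (not Symantec's code): it reads the SSLCipherSuite value from config text, reports which of the three exclusions are missing, and expands the string to list any remaining non-AEAD (CBC-capable) suites. Assumptions: the function names and sample text are constructed, and the expansion uses the OpenSSL linked into the local Python, which may differ from the build SEPM ships.

```python
import re
import ssl

# Exclusions the article appends to each SSLCipherSuite line.
EXCLUSIONS = ("!SHA1", "!SHA256", "!SHA384")

# Cipher string after SSLCipherSuite: Apache directive form, or a quoted
# attribute form (the attribute form is an assumption about server.xml).
_CIPHER_RE = re.compile(r'SSLCipherSuite\s*=?\s*"?([A-Za-z0-9!+@:_-]+)')

# Constructed sample: one line still in the pre-change form.
SAMPLE_CONF = """\
# constructed sample, not a real SEPM file
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4
"""
HARDENED = "HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!SHA1:!SHA256:!SHA384"


def cipher_strings(config_text):
    """Return the cipher string of every uncommented SSLCipherSuite line."""
    found = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _CIPHER_RE.search(line)
        if match:
            found.append(match.group(1))
    return found


def missing_exclusions(cipher_string):
    """List the article's exclusions that are absent from a cipher string."""
    tokens = cipher_string.split(":")
    return [item for item in EXCLUSIONS if item not in tokens]


def non_aead_suites(cipher_string):
    """Expand the string with the local OpenSSL and return the suites that are
    not AEAD. In TLS 1.2 and earlier the CBC suites are among these."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return sorted(c["name"] for c in ctx.get_ciphers() if not c["aead"])


if __name__ == "__main__":
    for value in cipher_strings(SAMPLE_CONF) + [HARDENED]:
        print(value)
        print("  missing exclusions:", missing_exclusions(value) or "none")
        print("  non-AEAD suites:", non_aead_suites(value) or "none")
```

Run it against the text of each of the four edited files; an empty non-AEAD list for every SSLCipherSuite line indicates the exclusions took effect in the string itself, before the services are restarted.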