UIM vulnerability scan results - response requested as of DX UIM 20.4 CU8


Article ID: 269924


Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

Appreciate your support to inform us regarding these vulnerabilities:

1- Upgrade Apache log4j from version 2.16.0 to 2.17.1

CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307, CVE-2023-26464, CVE-2021-44832

As per this KB, UIM Log4j vulnerability (CVE-2021-44832) (broadcom.com), it will be mitigated in the next release, so please provide us with the date of the next release.

2- Microsoft Silverlight Unsupported Version Detection (Windows)

Can we uninstall this application on the UIM Servers or is this application used in UIM?

3- SSL Certificate cannot be trusted

Plugin Output: 
The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority :

|-Subject : CN=<server_name>.example.com
|-Issuer  : CN=<server_name>.example.com

4- SSL Self-Signed Certificate:

Plugin Output: 
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities: -Subject : CN=<server_name>.example.com

5- Terminal Services Doesn't Use Network Level Authentication (NLA) Only:

Plugin Output: Nessus was able to negotiate non-NLA (Network Level Authentication) security.

6- As of March 31, 2020, endpoints that are not enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors, so should we disable TLS 1.0 and TLS 1.1, and how can we disable them?

7- Windows Speculative Execution Configuration Check:

Plugin Output: Current Settings:

  - SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverrideMask: Not Set
  - SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverride: Not Set

-----------------------------------

Recommended Settings 1:
  - SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverrideMask: 0x00000003 (3)
  - SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverride: 0x00000048 (72)
 
CVEs Covered:
    CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-3615, CVE-2018-3620, CVE-2018-3639, CVE-2018-3646, CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11135
  Note: Hyper-Threading enabled.

-----------------------------------

Recommended Settings 2:
  - SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverrideMask: 0x00000003 (3)
  - SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverride: 0x00002048 (8264)
  CVEs Covered:
    CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-3615, CVE-2018-3620, CVE-2018-3639, CVE-2018-3646, CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11135
  Note: Hyper-Threading disabled.

8- WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck):

Plugin Output: 

 Nessus detected the following potentially insecure registry key configuration:

    - Software\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck is not present in the registry.
    - Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck is not present in the registry.

Environment

  • Release: 20.4 CU8

Cause

  • Security

Resolution

1- Upgrade Apache log4j from version 2.16.0 to 2.17.1


Please refer to: https://knowledge.broadcom.com/external/article/230333/uim-and-log4j2-vulnerabilities-cve20214.html 

***UIM is *NOT* impacted by CVE-2021-45105***

***Also, the vulnerability in question, CVE-2021-44832, is classified as "Medium" and for UIM is considered LOW risk. We plan to update to log4j 2.17.1 (or whatever might be available next) as part of the regularly planned and scheduled probe updates. No hotfixes will be released for this vulnerability per Broadcom policy, but you should update to the latest available probe versions as they are released.***
***UIM is currently using log4j 2.20.0 for most of the components. The minimum version of log4j used in UIM is 2.17.1, and no component in UIM is using version 2.16.0.***
Note: DX UIM 23.4 is now GA (JAN 2024).


2- Microsoft Silverlight Unsupported Version Detection (Windows)

Can we uninstall this application on the UIM servers, or is it a primary application on the UIM server?
***Yes, it can be uninstalled as we don't use or need Silverlight, so Silverlight can be uninstalled on the UIM servers.***

 

3- SSL Certificate cannot be trusted

***Looks like you are using self-signed certificates. They can be replaced with Authority-Signed certificates.***
***In other words, if you are using the default certificates which are self-signed, you can and should use third-party certificates***

 

4- SSL Self-Signed Certificate:

***Same as above, looks like you are using self-signed certificates. They can be replaced with Authority-Signed certificates.***

 

5- Terminal Services Doesn't Use Network Level Authentication (NLA) Only:

Plugin Output: Nessus was able to negotiate non-NLA (Network Level Authentication) security.
***This indicates that your remote Terminal Services doesn't use Network Level Authentication only.***
***We don't control this and it doesn't affect UIM. You can choose to "Enable Network Level Authentication (NLA) on the remote RDP server."
This is generally done on the 'Remote' tab of the 'System' settings on Windows.***
***UIM is NOT impacted by NLA.***

 

6- As of March 31, 2020, Endpoints that are not enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors, so should we disable TLS1.0 and TLS1.1 and how can we disable it.
***Yes, wasp can use TLS 1.2. To do this, the 'https_port' parameter should be used in wasp.cfg. By default wasp.cfg has http_port configured, so remove it and use only https_port in wasp.cfg.***
***UIM supports TLS 1.2.***
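The scanner findings above (3, 4 and 6) can be re-checked from a client before the next scan. The PowerShell script below is an added example, not part of this KB article or of the UIM product: it connects to the wasp HTTPS port, attempts a handshake at each of TLS 1.0, 1.1 and 1.2, and reports the certificate the server presents along with a subject-equals-issuer heuristic for self-signed certificates. The host name and port are assumptions; replace them with the UIM server and the https_port configured in wasp.cfg.

```powershell
# Added example (not from the KB or from DX UIM). Read-only probe of a wasp
# HTTPS endpoint: which TLS versions it accepts (finding 6) and whether the
# served certificate is self-signed (findings 3 and 4).

$TargetHost = 'uimserver.example.com'   # assumption: replace with the UIM server name
$Port       = 443                        # assumption: the https_port value from wasp.cfg

function Test-TlsHandshake {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    # Attempts a handshake restricted to exactly one protocol version and
    # returns the outcome plus the leaf certificate the server presented.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: we are inspecting it, not trusting it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol   = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            # Heuristic: the scanner output shows Subject == Issuer for the default certificate.
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Error      = $null
        }
    } catch {
        [pscustomobject]@{
            Protocol = $Protocol; Accepted = $false; Negotiated = $null
            Subject = $null; Issuer = $null; SelfSigned = $null
            Error = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Dispose()
    }
}

$protocols = @(
    [System.Security.Authentication.SslProtocols]::Tls
    [System.Security.Authentication.SslProtocols]::Tls11
    [System.Security.Authentication.SslProtocols]::Tls12
)

$results = foreach ($p in $protocols) {
    Test-TlsHandshake -HostName $TargetHost -Port $Port -Protocol $p
}
$results | Format-Table Protocol, Accepted, Negotiated, SelfSigned, Error -AutoSize

# Summarise what the vulnerability scanner would still flag.
$legacy = $results | Where-Object { $_.Accepted -and $_.Protocol -ne 'Tls12' }
if ($legacy) {
    Write-Warning ("Endpoint still accepts: " + (($legacy | ForEach-Object { $_.Protocol }) -join ', '))
}
$leaf = $results | Where-Object Accepted | Select-Object -First 1
if ($leaf -and $leaf.SelfSigned) {
    Write-Warning "Certificate is self-signed (Subject: $($leaf.Subject)); replace it with a CA-signed certificate."
}
```

A handshake that fails for TLS 1.0 or 1.1 proves nothing if the probing client has those versions disabled in its own SCHANNEL settings, so run the probe from a host where they are still enabled, or read the Error column to distinguish a server rejection from a client-side policy. The subject/issuer comparison is only a heuristic; a certificate issued by an internal CA whose name happens to match would also be reported as self-signed.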

 

7- Windows Speculative Execution Configuration Check:

***These suggested settings are OS-related to mitigate the vulnerabilities and should be added as per recommendations. Note that DX UIM Server is not using those settings so changing them does not affect UIM Server functionality.***
***NO IMPACT to DX UIM***

8- WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck).
***These suggested settings are OS-related to mitigate the vulnerabilities and should be added as per recommendations. Note that DX UIM Server is not using those settings so changing them does not affect UIM Server functionality.***
***NO IMPACT to DX UIM***
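Findings 5, 7 and 8 are all Windows host settings that the scanner reads from the registry, so they can be re-checked locally without waiting for the next scan. The script below is an added example, not part of this KB article or of DX UIM: it is read-only and reports the current values next to the expected ones. The speculative-execution values are the ones quoted in the scanner output above, and the Hyper-Threading state used to pick between Recommended Settings 1 and 2 is inferred from logical versus physical core counts, which is an assumption that may not hold on a virtual machine. The RDP UserAuthentication value and the EnableCertPaddingCheck value of "1" are Microsoft-documented settings, not values stated in this article.

```powershell
# Added example (not from the KB or from DX UIM). Read-only audit of the
# Windows host settings behind findings 5 (RDP NLA), 7 (speculative execution
# mitigations) and 8 (WinVerifyTrust certificate padding check).
# Run in an elevated PowerShell session on the UIM server.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Recommended values quoted from the scanner output in finding 7.
$Recommended = @{
    Mask               = 0x3
    OverrideHtEnabled  = 0x48    # Recommended Settings 1: Hyper-Threading enabled
    OverrideHtDisabled = 0x2048  # Recommended Settings 2: Hyper-Threading disabled
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-Dword {
    param($Value)
    # Mirrors the scanner's "0x00000003 (3)" / "Not Set" presentation.
    if ($null -eq $Value) { return 'Not Set' }
    return ('0x{0:X8} ({1})' -f $Value, $Value)
}

function Test-RdpNla {
    # Assumption (Microsoft-documented, not from the KB): UserAuthentication = 1
    # under the RDP-Tcp WinStation means NLA is required.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $v = Get-RegValue -Path $path -Name 'UserAuthentication'
    [pscustomobject]@{
        Check     = 'RDP requires NLA (finding 5)'
        Current   = Format-Dword $v
        Expected  = Format-Dword 1
        Compliant = ($v -eq 1)
    }
}

function Test-SpeculativeExecutionSettings {
    # Assumption: more logical processors than cores means Hyper-Threading is on.
    # On a VM this reflects the guest topology, not the hypervisor host.
    $cpu     = Get-CimInstance -ClassName Win32_Processor
    $cores   = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $logical = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    $htEnabled = $logical -gt $cores
    $expectedOverride = if ($htEnabled) { $Recommended.OverrideHtEnabled } else { $Recommended.OverrideHtDisabled }

    $mask     = Get-RegValue -Path $MemMgmt -Name 'FeatureSettingsOverrideMask'
    $override = Get-RegValue -Path $MemMgmt -Name 'FeatureSettingsOverride'
    [pscustomobject]@{
        Check     = "Speculative execution, Hyper-Threading $(if ($htEnabled) {'enabled'} else {'disabled'}) (finding 7)"
        Current   = "Mask=$(Format-Dword $mask) Override=$(Format-Dword $override)"
        Expected  = "Mask=$(Format-Dword $Recommended.Mask) Override=$(Format-Dword $expectedOverride)"
        Compliant = ($mask -eq $Recommended.Mask) -and ($override -eq $expectedOverride)
    }
}

function Test-CertPaddingCheck {
    # Both registry views named in the scanner output for finding 8.
    # Assumption (Microsoft-documented, not from the KB): the mitigation is the
    # REG_SZ value "1"; the scanner only reports that the value is absent.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    )
    foreach ($p in $paths) {
        $v = Get-RegValue -Path $p -Name 'EnableCertPaddingCheck'
        [pscustomobject]@{
            Check     = "EnableCertPaddingCheck in $p (finding 8)"
            Current   = if ($null -eq $v) { 'Not present' } else { "$v" }
            Expected  = '1'
            Compliant = ("$v" -eq '1')
        }
    }
}

$results = @(
    Test-RdpNla
    Test-SpeculativeExecutionSettings
    Test-CertPaddingCheck
)
$results | Format-Table -Property Check, Current, Expected, Compliant -AutoSize -Wrap
```

The script deliberately changes nothing. As the article notes, these are operating-system settings that DX UIM does not read, so applying the recommended values is a host-hardening decision for the Windows administrators; the audit simply shows whether the next scan will still raise the same findings.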

Additional Information

UIM Primary Servers CVE-2023-28304 vulnerability