It was observed that the application is vulnerable to LUCKY13.
The server offers ciphers that use the CBC mode of operation. It is potentially vulnerable when cipher block chaining (CBC) ciphers are used with TLS.
UIM 20.4.x, 23.4.x
Component: wasp / OC / Adminconsole
Remove the CBC-related ciphers.
Example:
https_ciphers = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
There are two ways to modify, remove or add ciphers in WASP, for both the Adminconsole and OC wasp.
Note: Back up the https_ciphers value before modifying it.
1. Open the Raw Configuration of WASP in IM (Infrastructure Manager).
2. Select https_ciphers and click EDIT Key.
3. Change the value, keeping the ciphers comma-separated.
or
Go to ~Program Files (x86)\Nimsoft\probes\service\wasp and open the wasp.cfg file.
Change the value of https_ciphers.
Then:
1. Deactivate WASP
2. Delete the work folder in ~Program Files (x86)\Nimsoft\probes\service\wasp
3. Activate WASP
Also make sure that the certificate you add supports the ciphers you add in wasp.
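The following is an added example, not part of the original article or of UIM: a small Python check that reads the https_ciphers line from wasp.cfg text, reports the CBC suites and produces the value with them removed. The sample line is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample of an https_ciphers line (not taken from a real wasp.cfg).
SAMPLE_CFG = """\
   https_ciphers = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
"""

# Group 1 is "https_ciphers = " with its indentation, group 2 the rest of the line.
KEY_RE = re.compile(r"^(\s*https_ciphers\s*=\s*)([^\r\n]*)", re.MULTILINE)


def split_suites(value):
    """Split the comma-separated value, dropping blanks and duplicates, order kept."""
    seen, suites = set(), []
    for name in (s.strip() for s in value.split(",")):
        if name and name not in seen:
            seen.add(name)
            suites.append(name)
    return suites


def is_cbc(suite):
    """Standard suite names mark CBC mode with a _CBC_ token (AES, 3DES, ...)."""
    return "_CBC_" in suite.upper()


def strip_cbc(cfg_text):
    """Return (new_cfg_text, kept, removed) with CBC suites removed from https_ciphers."""
    m = KEY_RE.search(cfg_text)
    if m is None:
        raise ValueError("https_ciphers key not found")
    suites = split_suites(m.group(2))
    kept = [s for s in suites if not is_cbc(s)]
    removed = [s for s in suites if is_cbc(s)]
    # Refuse a result with no real cipher left; the SCSV entry is only a signalling value.
    if not [s for s in kept if not s.endswith("_SCSV")]:
        raise ValueError("no non-CBC cipher suites would remain")
    new_text = cfg_text[:m.start(2)] + ",".join(kept) + cfg_text[m.end(2):]
    return new_text, kept, removed


if __name__ == "__main__":
    new_cfg, kept, removed = strip_cbc(SAMPLE_CFG)
    print("CBC suites to remove:", removed)
    print(new_cfg, end="")
```

Run it against a copy of wasp.cfg and review the reported suites before applying the change through Raw Configuration or the file edit described above.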