POODLE vulnerability: Disabling SSL v3 on the Nimsoft Hub

Article ID: 34613

Products

DX Infrastructure Management NIMSOFT PROBES

Issue/Introduction

 

Recently, a vulnerability known as "POODLE" was discovered in the SSL v3 protocol.


Because exploiting this vulnerability requires a "man-in-the-middle" attack, we consider it relatively unlikely that this exploit could be used to compromise or gain unauthorized access to a Nimsoft system. In most cases, an attacker who has the access and knowledge necessary to carry out this style of attack specifically in a Nimsoft hub environment likely already has enough access that exploiting this bug would not be useful. However, many organizations require that SSL v3 be disabled in products that could potentially be vulnerable, and this is possible with the Nimsoft hub and tunnel configuration, so we've published these instructions for those who require it.


 

Environment

Release: CNMSPP99000-8.3-Unified Infrastructure Mgmt-Server Pack-- On Prem

Resolution

To disable SSL v3 for hub-to-robot communications:


1. Open the hub GUI

2. From the main screen click the "Settings" button.

3. From the Advanced Settings window navigate to the SSL tab

4. Enter the following string for "Cipher Type":


RC4-SHA


This will disable all POODLE-vulnerable ciphers.



Automated scanning tools may still report that SSLv3 is enabled - but the ciphers which specifically can be exploited by POODLE will be disabled, so the system will no longer be vulnerable to the exploit.


It is possible that some scanning tools may no longer report the vulnerability if you change the above to RC4-SHA1 instead of RC4-SHA, but our testing has shown that RC4-SHA is not actually vulnerable to POODLE.
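The distinction drawn above, between a scanner reporting "SSLv3 enabled" and a listener that actually accepts a POODLE-relevant CBC suite over SSLv3, can be checked directly. The following is an added example, not part of the original article or of any Nimsoft tooling: it sends an SSLv3 ClientHello offering only CBC suites, then only RC4 suites, and classifies each reply. The function names are hypothetical, `host` and `port` are whatever your hub or tunnel server listens on, and it assumes the listener begins the SSL handshake immediately on connect.

```python
import socket
import struct

# Cipher suite IDs (IANA registry). CBC suites are the class POODLE targets in SSLv3.
CBC_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039]  # AES128-SHA, AES256-SHA, DES-CBC3-SHA, DHE-RSA-AES128/256-SHA
RC4_SUITES = [0x0005, 0x0004]                          # RC4-SHA, RC4-MD5 (stream cipher, no CBC padding)

def sslv3_client_hello(suites):
    """Build one SSLv3 (version 3.0) ClientHello record offering only `suites`."""
    body = b"\x03\x00" + bytes(32)      # client_version 3.0 + 32-byte random (zeros: probe only)
    body += b"\x00"                     # empty session_id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def parse_reply(data):
    """Classify the first record: ('accepted', suite), ('alert', code) or ('no_hello', None)."""
    if len(data) >= 7 and data[0] == 0x15:            # alert record: level, description
        return ("alert", data[6])
    if len(data) >= 44 and data[0] == 0x16 and data[5] == 0x02:   # handshake, server_hello
        off = 44 + data[43]                           # skip headers, version, random, session_id
        if len(data) >= off + 2:
            return ("accepted", int.from_bytes(data[off:off + 2], "big"))
    return ("no_hello", None)                         # closed, reset, or not an SSL listener

def probe(host, port, suites, timeout=5.0):
    """Send the SSLv3 hello to host:port and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(sslv3_client_hello(suites))
            return parse_reply(sock.recv(4096))
    except OSError:                                   # refused, reset, timed out
        return ("no_hello", None)

def audit(host, port):
    """True in 'cbc_over_sslv3' means the POODLE-relevant combination is still offered."""
    cbc, rc4 = probe(host, port, CBC_SUITES), probe(host, port, RC4_SUITES)
    return {"cbc_over_sslv3": cbc[0] == "accepted",
            "sslv3_enabled": "accepted" in (cbc[0], rc4[0]),
            "detail": {"cbc": cbc, "rc4": rc4}}
```

With the RC4-SHA setting applied as described above, the result consistent with this article is `sslv3_enabled` true and `cbc_over_sslv3` false.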


To disable SSL v3 for hub-to-hub (tunnel) communications, take the following steps on all tunnel server hubs:


1. Open the hub GUI

2. Navigate to the "Tunnels" tab

3. Navigate to the "Server Configuration" tab

4. Under the "Security Settings" section, choose the "Custom" radio button.

5. In the custom text box, enter the same string as above (RC4-SHA or RC4-SHA1).



IMPORTANT NOTE:  After making this change, you will need to re-create your tunnel client certificates and re-create your tunnel connections using these newly-generated certificates.


Hub GUI - Tunnel Tab

Additional Information

The following custom cipher has also been reported by a customer to disable SSLv3 while providing greater encryption security:


DHE-RSA-AES256-GCM-SHA384
