Mitigating TLS ROBOT vulnerability for DX UIM - CVE-2017-6168 CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-12373 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081

Article ID: 379945

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Our security scan has detected one or more of the following vulnerabilities for the DX UIM Admin Console and/or Operator Console, identified as the "TLS ROBOT" vulnerability:

CVE-2017-6168
CVE-2017-17382
CVE-2017-17427
CVE-2017-17428
CVE-2017-12373
CVE-2017-13098
CVE-2017-1000385
CVE-2017-13099
CVE-2016-6883
CVE-2012-5081 

How can we mitigate this?

Cause

This is a vulnerability in HTTPS that affects certain cipher suites and can allow a man-in-the-middle attacker to decrypt SSL traffic that they have captured.

Resolution

To eliminate the vulnerable cipher suites, take the following steps on each wasp probe in the environment. There will be at least the following wasp probes:

1. The primary hub (hosts Admin Console)
2. CABI server
3. Operator Console (in the case of multiple nodes, each Operator Console node will have its own wasp probe).

For each wasp probe, take the following steps:

  1. Edit the wasp.cfg using a text editor or Raw Configure.
  2. Underneath the <setup> section, locate the <https_connector> section.
  3. If there is a key called "ciphers" here, with a list of ciphers, delete this key.
  4. Go back up to the <setup> section and locate the https_ciphers key.
  5. Edit the value to contain only the following list of ciphers:

    https_ciphers = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_CHACHA20_POLY1305_SHA256
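To confirm that each wasp probe was actually edited as described in steps 3 to 5, the check below audits the text of a wasp.cfg. It is an added example, not code from the article or from the product. It assumes the file nests sections as `<name> ... </name>` with `key = value` lines, and the function names and sample configuration are constructed for illustration.

```python
import re

# Cipher suites from the article's https_ciphers line, copied verbatim.
RECOMMENDED = set((
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_CHACHA20_POLY1305_SHA256"
).split(","))

def parse_cfg(text):
    """Map 'section/subsection' -> {key: value} (assumed <name> ... </name> layout)."""
    sections, path = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        tag = re.fullmatch(r"<(/?)([^<>/]+)>", line)
        if tag and tag.group(1):          # closing tag: leave the current section
            del path[-1:]
        elif tag:                         # opening tag: enter a nested section
            path.append(tag.group(2))
            sections.setdefault("/".join(path), {})
        elif "=" in line:                 # key = value inside the current section
            key, _, value = line.partition("=")
            sections.setdefault("/".join(path), {})[key.strip()] = value.strip()
    return sections

def audit_wasp_cfg(text):
    """Return a list of findings; an empty list means steps 3-5 were applied."""
    cfg = parse_cfg(text)
    findings = []
    if "ciphers" in cfg.get("setup/https_connector", {}):
        findings.append("https_connector/ciphers is still present (step 3)")
    value = cfg.get("setup", {}).get("https_ciphers")
    if value is None:
        findings.append("https_ciphers is not set under <setup> (step 4)")
    else:
        for suite in filter(None, (s.strip() for s in value.split(","))):
            if suite not in RECOMMENDED:
                findings.append(f"https_ciphers lists {suite}, not in the article's list (step 5)")
    return findings

# Constructed sample of an unremediated file, not taken from a real system.
SAMPLE = """<setup>
   https_ciphers = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA
   <https_connector>
      ciphers = TLS_RSA_WITH_AES_128_CBC_SHA
   </https_connector>
</setup>
"""
if __name__ == "__main__":
    print("\n".join(audit_wasp_cfg(SAMPLE)))
```

Run it against the wasp.cfg of the primary hub, the CABI server and every Operator Console node; an empty result on each means the configuration matches the steps above.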

Additional Information