Security Scan found Weak and Medium strength ciphers on ports 389 & 636

After a recent security scan on one of our Apple Servers running 10.9.5 (Mavericks), it reported weak and medium strength ciphers on ports 389 & 636 and also that SSLv2 and SSLv3 are enabled. The Server is running Profile Manager and therefore also Open Directory, although we are not really using Open Directory for authentication as we have AD within the organisation.
My question is how can I modify Open Directory to only use HIGH ciphers and not MEDIUM or LOW? I have found the httpd-ssl.conf file, but that is only listening on port 443. I have also found the slapd.conf but can't see where I would make the change.
Any help would be greatly appreciated.
Thanks

So, would you believe it, I've managed to get it working. I wanted to see if Yosemite suffered from the same 'issues' that Mavericks does with SSLv2 & SSLv3 support, and also the weak ciphers being used. Well, they scanned that server and found exactly the same 'issues' as before. So I started working on it this morning, editing slapd.conf, slapd.conf.default, slapd_macosxserver.conf and apache-ssl.conf. It might sound overkill but I thought what the ****. I added the following lines to all conf files:
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
and it worked. Passed the scan with flying colours, however I might need to mod SSLv3 to keep them happy.
I need to replicate this on a Mavericks Server so hope the gist is the same.
Thanks for the advice Linc.
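As an added example (not code from the original thread), a small Python triage script that parses cipher lines in the layout security scanners report them, the same `Kx= Au= Enc= Mac=` fields quoted in the Nessus output further down this page (and printed by `openssl ciphers -v`), and groups them by the key-length thresholds those reports use, so you can see which suites a scanner would still flag before and after editing slapd.conf. The report text is assumed to be pasted in; the sample below is constructed.

```python
import re

# Key-length thresholds exactly as the scan findings quoted on this page define them:
# low = key < 56 bits, medium = 56 <= key < 112 bits, anything else is treated as high.
LOW_MAX_BITS, MEDIUM_MAX_BITS = 56, 112

# In the scanner layout a bare protocol line ("SSLv2", "SSLv3", "TLSv1") opens a group.
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?)$")
# A cipher entry: name, optional protocol column (the `openssl ciphers -v` layout),
# Kx=, Au=, Enc=ALG(bits) or Enc=None, Mac=, optional trailing "export" flag.
CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+)?"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)(?:\((?P<bits>\d+)\))?\s+"
    r"Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

def classify(line, current_proto=None):
    """Parse one cipher line into a finding dict, or None if it is not a cipher entry."""
    m = CIPHER_RE.match(line.strip())
    if not m:
        return None
    bits = int(m["bits"]) if m["bits"] else 0  # Enc=None: no encryption at all
    proto = m["proto"] or current_proto or "unknown"
    strength = "low" if bits < LOW_MAX_BITS else "medium" if bits < MEDIUM_MAX_BITS else "high"
    reasons = []  # why a defender would want the suite disabled, beyond key length
    if proto in ("SSLv2", "SSLv3"):
        reasons.append(f"offered over {proto}")
    if m["export"]:
        reasons.append("export-grade")
    if m["au"] == "None":
        reasons.append("anonymous key exchange (no server authentication)")
    if m["enc"] == "None":
        reasons.append("no encryption")
    return {"name": m["name"], "proto": proto, "bits": bits,
            "strength": strength, "reasons": tuple(reasons)}

def triage(report_text):
    """Group every cipher entry of a report by strength, tracking the protocol headers."""
    groups = {"low": [], "medium": [], "high": []}
    proto = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if PROTO_RE.match(line):
            proto = line
            continue
        finding = classify(line, proto)
        if finding:
            groups[finding["strength"]].append(finding)
    return groups

# Constructed sample in the layout of the scan output quoted on this page.
SAMPLE_REPORT = """\
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA        Kx=DH         Au=RSA     Enc=DES(56)      Mac=SHA1
AES256-SHA                 Kx=RSA        Au=RSA     Enc=AES(256)     Mac=SHA1
"""
```

Anything left in the "low" or "medium" groups after a config change is what the next scan will still report; the reasons field also catches SSLv2/SSLv3-only, export and anonymous suites that key length alone would miss.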

Similar Messages

  • I received a pop up from Firefox stating Mozilla security has found viruses and I need to protect my computer by starting a scan. Is this real or spam?

    http://radersea.co.cc/index.php?Q+XhEtS7bRxGVHqmM3tJQin2Ex74TjduoWnyqgfHpKvVMy9uhP0pS1EYq1DgGlvHuU2tYSogGew2dpp2qMTPzg
    This is where it comes from

    That pop-up wasn't from Mozilla, that was a fake website. You didn't download or install anything from there, did you?

  • Failing PCI Compliance Scan - SSL Weak...

    Hello,
    I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
    I did some research and spent some time with Cisco Sales Chat, and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to an SSL vulnerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512
    Question: What router/appliance should I use to be PCI compliant? There has to be something, we're talking Cisco here.
    Thank you in advance for your help,
    Christophe
    Threat ID: 126928
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Weak Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 126928
    Information From Target:
    Here is the list of weak SSL ciphers supported by the remote server :
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
    EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of weak ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    Threat ID: 142873
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Medium Strength Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 142873
    Information From Target:
    Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv2
    DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
    SSLv3
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    TLSv1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

    Chris,
    As I understand it, right now none of the Small Business routers are PCI compliant ever since PCI 3.0 was released. How you overcome this: you'll need to forward any ports you are failing on to a ghost IP (any IP address that isn't being used). If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.
    Jason
    I do believe the ASA5505 are PCI 3.0 Compliant.

  • SSL Medium Strength Cipher Suites Supported vulnerability

    Kind of an odd thing. We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites. I say strange because I have 3 others that have the same IOS image and they didn't get pinged. Swap out the management IP address and they are all the same. They are all running 12.2(52)SE C2960-LANBASEK9-M, with 768-bit keys. Here is the text of the vulnerability:
    Synopsis : The remote service supports the use of medium strength SSL ciphers.
    Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output :
    Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv3
    EDH-RSA-DES-CBC-SHA        Kx=DH         Au=RSA     Enc=DES(56)      Mac=SHA1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
    TLSv1
    EDH-RSA-DES-CBC-SHA        Kx=DH         Au=RSA     Enc=DES(56)      Mac=SHA1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Can someone point me in the right direction on how to re-configure the switch to pass this test?
    Thanks
    Poirot

    I believe the alert there is because you are using a 768-bit key, which was broken recently (in Jan 2010 a paper was published on it, with results from efforts that took 4 years to break 768-bit keys). 768-bit RSA keys are not considered secure enough any more.
    I would suggest you configure keys of 1024 bits on these switches and try again.
    I hope it helps.
    PK

  • TS3212 I am trying to download iTunes and it shows it downloads until it gets to 99% and then it says it is running a security scan and then says it couldn't be downloaded?

    I am trying to download iTunes to my computer and it shows it downloads and then it says running security scan and it says it cannot be downloaded....

    Hi there krashman,
    I would recommend taking a look at the troubleshooting steps found in the article below.
    Trouble installing iTunes or QuickTime for Windows
    http://support.apple.com/kb/HT1926
    -Griff W.

  • I opened the attachment on a malicious email in error on my iPad and have been informed by the genuine company that it will download malware software. Is this possible on my iPad or is there a way of running a security scan to see if it has been infected?

    I received an email that I now know to be malicious and inadvertently opened up the attachment on my iPad that I've been informed will download malware or a virus. Can my iPad be infected this way, or does anyone know if there is a way of running a security scan to check if there is a problem? I do have the most up to date iOS software installed.

    There is no anti-malware for iOS, at least none that actually does anything useful. The odds of getting any malware infection via an email attachment on an iOS device is quite low - practically non-existent. Unless you are seeing any issues, there isn't much to do, other than deleting the email and being more cautious in the future.

  • 802.1x and Security scanning

    Hello,
    Is it possible for our security team to security scan all hosts on the network if they are using 802.1x authentication? I am trying to ensure that we can meet security scanning requirements and still use the 802.1x port-based authentication function. If not the other alternative is to use port security for end hosts. Any help/advice would be greatly appreciated.
    Thanks

    If you are using open mode, you could put in a permit rule in the pre-auth ACL on the switch port that allows all traffic going to your scanner's IP address. Traffic from the scanner to the device on the switch port is not restricted normally.

  • Why does Adobe Reader and Adobe Flash Player keep installing McAfee Security Scan on my system?

    Whenever I install the Adobe Flash Player or Adobe Reader on my system, it downloads and installs McAfee Security Scan Plus at the same time. It does not ask if I want it or not, it instead forces it on me, so I have to then uninstall it. I've uninstalled it 3 or 4 times in the last week. I DO NOT WANT MCAFEE PRODUCTS on my computer!
    Please make this an option, give the users a choice so we don't have to keep removing the stupid thing.

    Did you 'Uncheck' the relevant box pointed to by the red arrow? If not, you accepted the installation with McAfee.

  • What's listening on port 454 and 455 in Azure? Warning flagged by security scan

    We are about to go live with an Azure Website and, as a precaution, did a security scan on the IP address that has been allocated to us.
    There were a number of low severity warnings listed which we're not too worried about, however the scan did flag that something appears to be listening on port 454 and 455, and supports TLS1.0.
    RESULTS:
    Available non CBC cipher Server's choice SSL version
    RC4-SHA DES-CBC3-SHA TLSv1
    Does anyone know what this is? I can't find it obviously listed anywhere. If it's not necessary, can I switch it off? And if it is necessary, can I set it to require a more secure protocol?
    We're hosted in the "Australia East" datacentre, in case that's relevant.
    Crossposted to Stack Overflow here:
    http://stackoverflow.com/questions/27807505/whats-listening-on-port-454-and-455-in-azure-warning-flagged-by-security-scan

    Hello Michael,
    These ports are used for internal communication in Azure Websites infrastructure. They are not site specific and you cannot turn them off. It is safe to ignore them.
    Thanks,
    Petr

  • McAfee Security Scan Plus and Flash Player installer

    Hi.
    I went to update Flash Player earlier today by downloading the web installer from the website, but by mistake didn't uncheck the option to install McAfee Security Scan Plus with Flash. However, after comparing the two files that are downloaded when the option is/isn't unchecked, I noticed that the MD5/CRC hashes for both files are exactly the same. I opened the file, and noticed that the installer was downloading both Security Scan Plus and Flash. I canceled the installation which was fine, but I have several questions.
    How does the installer know if the user wants to install Security Scan if both files are the same?
    Is Security Scan installed as soon as the download is complete (as shown in the installer), or only after Flash finishes downloading as well?
    Thanks.

    Bundling other software in the installer is a sign of a DYING company. Now I have to do more work and uninstall this stuff. Yeah, you got me. "Angry" is not strong enough. -Foffu.

  • ACE connection limit and remote TCP security scans

    We are currently running remote TCP security scans on our networks and are running into a major problem where, when the scans are taking place, the ACE connection resource usage skyrockets and easily reaches the maximum 4 million connections. This means that anyone can run a simple TCP scan and take down our ACE by maxing the connection limit. We have the following parameter-map applied to all of our policies but it does not help to clear the connection count on the ACE in a reasonable amount of time.
    parameter-map type connection CONNECTION_TIMEOUT
      set timeout inactivity 300
      set tcp timeout half-closed 60
    I should note that we do have normalization turned off because it causes way more problems than it's worth (no resolution with TAC). Does anyone have any tips on how to accommodate security scans on networks behind the ACE while not saturating the connection count limit?

    For vips, this particular context only has one class C applied to a class-map.  Not all IP's are in use but regardless the ACE creates connections for those as well.  I've set the timeout inactivity to 120 seconds and I still see connections from the remote scanning host idling well over 45mins for connections destined to the vip's.  Is turning on normalization my only option?  I know there are others who have turned off normalization due to performance and connectivity issues so there must be other ways around this.  Thanks for your help.

  • When I downloaded Firefox for Windows, the security scan wouldn't allow it. I operate on Windows 7 and was downloading Mozilla Firefox 8

    When I downloaded Firefox for Windows, the security scan wouldn't allow it. I operate on Windows 7 and was downloading Mozilla Firefox 8

    Hi annarepublic78,
    As per the above mentioned error, your Win CS6 download was not complete; either it was in process or was interrupted. This is the only reason you see the MasterCollection_CS6_LS16.7z.crdownload. Here .crdownload means the download is in process.
    Please try to download it again to the Desktop and please make sure that the download completes successfully (without the .crdownload extension).
    Regards,
    Romit Sinha

  • SA540 FAILS PCIDSS security scan

    Hi
    We have recently installed an SA540 to replace an aging PIX firewall. The new firewall has failed a routine security scan for PCIDSS compliance. The problem appears to relate to the HTTPS service on the firewall, which we need for SSL VPNs and remote management.
    The reasons provided are:-
    1. The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years .
    2. The remote service supports the use of weak SSL ciphers
    3. The remote service supports the use of medium strength SSL ciphers
    4. The remote service supports the use of anonymous SSL ciphers – presumably this can be fixed by purchasing an SSL certificate
    Can you disable SSL2.0 and the weaker ciphers?

    Hi Keith,
    Can you please let us know what firmware version on SA500 you are using?
    Thanks,
    Nitin

  • Server 2008R2 - SSL Certificate Weak Public Key Strength

    Hello -
    I'm using a Windows 2008R2 server and am working on locking the system down. We use the BeyondTrust Retina Network Security Scanner; the scanner returns two results that I'm having trouble solving.
    The first finding is:
    'SSL Certificate Weak Public Key Strength'
    "Retina has detected that the certificate on the target supports a cryptographically weak public key strength. An attacker may be able to leverage weaknesses in the public key strength to gain access to sensitive information."
    "Replace the current certificate with one using a high-grade public key strength of 2048 bits or higher"
    **Does anyone have any ideas how to find all the certificates loaded on the machine that aren't at 2048 bits or higher, the system is a standalone machine without internet access**
    The second finding is:
    'SSL Certificate Self-Signed'
    "Retina has detected that the certificate on target is self-signed. Self-signed certificates can provide underlying cryptographic functionality, but cannot guarantee the origin of the certificate is trusted."
    "Verify the certificate is trusted to ensure the confidentiality and integrity of prior encrypted communications. Replace the current self-signed certificate with one signed by a trusted root certificate authority."
    **Anyone have any ideas how to find 'self-signed' certificates? I've tried searching through the certificates store on the local computer, but I can't seem to find a self-issued certificate, but Retina sure found some.**
    Any help would be greatly appreciated!!
    Thanks,
    Ryan

    A self signed certificate is a certificate whose Subject attribute equals its Issuer attribute. You can use the script below to find certificates which are self-signed and whose public key is less than 2048 bits.
    Be aware that if you search in all possible certificate stores (including the Trusted Root CA store) you will find a lot of self signed certificates. Please see my notes in the PowerShell code.
    #Find self-signed certificates with a key size less than 2048. Uncomment one of the lines below
    #$myCerts = Get-Item Cert:\CurrentUser\My #search in Current User Store - Personal - this is the place to look in
    #$myCerts = Get-Item Cert:\LocalMachine\My #search in Local Machine Store - Personal - this is the place to look in
    #$myCerts = Get-Item Cert:\CurrentUser\* #search in Current User Store - this will bring a lot of cert list
    #$myCerts = Get-Item Cert:\LocalMachine\* #search in Local Machine Store - this will bring a lot of cert list
    $myCerts.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly) #enumerating only needs read access
    $myCertsList = Get-ChildItem $myCerts.PSPath
    $myCertsList | where {$_.Subject -eq $_.Issuer -and $_.PublicKey.Key.KeySize -lt 2048} | select * #self-signed (Subject equals Issuer, exact match rather than wildcard) and less than 2048 bits
    $myCerts.Close()
    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

  • Encryption Vulnerability Security SCAN DS

    I created DS instances. While running security scan for Encryption Vulnerability I found out that following ports are supporting weak SSL.
    port 636/tcp over SSL
    port 11163/tcp over SSL
    port 32772/tcp over SSL
    port 3999/tcp over SSL
    port 1636/tcp over SSL
    How do I disable ciphers which support cleartext communication? Or what is the fix for this?
    Thanks
    Pramod

    Thanks Fede.
    I looked my dse.ldif file.
    It looks like this ....
    dn: cn=encryption,cn=config
    objectClass: top
    objectClass: nsEncryptionConfig
    cn: encryption
    nsSSLSessionTimeout: 0
    nsSSLClientAuth: allowed
    nsSSLServerAuth: cert
    nsSSL2: off
    nsSSL3: on
    nsSSL3Ciphers: all
    nsKeyfile: alias/slapd-key3.db
    nsCertfile: alias/slapd-cert8.db
    numSubordinates: 1
    nsSSL2 is already off.
    Thanks
    Pramod
