Vulnerabilities in SSL Ciphers Suites Discovered - WCS bug CSCsx53619

Hi Guys,
There is a pending issue with WCS: when our audit scans the WCS server running on Windows 2003, the HTTPS service is running with weak ciphers. I opened a case with Cisco and they provided me with bug ID CSCsx53619. WCS is currently using weak ciphers that need to be improved, and this needs to be escalated to the developers.
regards
Cesar

Hi Surendra,
Any target date for the release, like next month or Q1 of 2011?
Thanks
Cesar

Similar Messages

  • Weak SSL ciphers on Unity 5.0 server during a security scan

    Hello,
    We received information from our security team when they did a scan on our Unity server: "the remote host supports the use of SSL ciphers that offer weak encryption or no encryption at all". I have found some articles on the web (Microsoft) on editing the registry key so that nothing lower than 128-bit encryption is accepted. I am looking for a Cisco paper to agree or disagree with this... can anyone help?
    Thank you.

    So, this isn't an uncommon security alert when you have your system scanned.  One thing to keep in mind is the placement of your server and who/what it is accessed for.  In any case, you're not likely to find a Cisco doc that references this specifically.  Instead, if you really want to move forward with making the appropriate registry changes then you'll want to open a TAC case and find out if this is supported or not.  In terms of further info on your issue:
    There is a McAfee article about making websites more secure.  It is here:  http://www.codeproject.com/KB/aspnet/MakeWebsiteMcAfeeSecured.aspx
    Your alert is referenced as follows:
    Vulnerability Name:  Weak Supported SSL Ciphers Suites
    Description
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. This vulnerability is valid for all SSL/TLS sessions that are passing sensitive information.
    PCI defines strong cryptography, for secret key based systems, as anything above 80 bit encryption.
    Solution
    The solution to this is very simple but requires a registry tweak again. Following are the steps:
    Click Start, click Run, type regedt32 or regedit, and then click OK.
    In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
    Under the Ciphers key, there are several ciphers.
    Locate the ciphers which have encryption of less than 128 bits.
    Create a DWORD value named Enabled with value 0 for each of them, just as in the previous case.
    For convenience, I have marked them with red arrows in the picture above.
    A system restart is NOT required for this.
    Now the server is secured.
    The above mentioned security issues are the major ones that most of the systems have. However other than this, there may be some easy and minor vulnerabilities like:
    Using robots.txt in the pages. (Generally inserted by Web Marketing team to track user hit).
    Directory Scanner: Common directories are revealed. This can be resolved by URL rewriting and setting “Directory Browsing” off.
    Note: For the above vulnerabilities, minor registry tweaks will be necessary. So it is strongly recommended to back up the registry before doing anything. By any chance if something gets messed up, just delete the SCHANNEL key and restart the machine, the key will be auto-generated.
    Hailey
    Please rate helpful posts!

  • Securing DSEE - configuring CACAO SSL ciphers?

    Is there -any- possible way to set the SSL cipher suites that cacao uses? I've tried nearly everything I can think of, and no matter what it does not make a difference.
    I've already managed to get the actual LDAP SSL port running on high strength ciphers, the Java webconsole (port 6789) on high strength ciphers.. the only thing left is cacao on ports 11163, and 11164 (commandstream and the RMI registry)
    Anyone?

    Just an update, opened a ticket and got this response.
    <quote>
    Cacao uses the default set of ciphers offered by the Java Virtual Machine for TLSv3, as per the standard, which means that it supports a list of ciphers, the weakest of which is DES which is what triggers the scanner's alert.
    Whilst it therefore supports the weaker encryption for clients that specifically request it, the Java client libraries also use the same set of ciphers offered by the Java Virtual Machine, TLSv3 negotiation always chooses the strongest cipher suite, and so this supported cipher is not used.
    As such, there will never be any communication performed by the product using the weaker cipher suites, and this can be considered a 'false positive' in the automated detection of "supported" cipher suites - supported, yes -but used - no.
    I hope that this can help explain why the automated scanner - which is deliberately trying to establish a connection with the DES cipher to see if it can - is reporting the false positive.
    </quote>
    Hope this helps others!

  • Remote host supports the use of SSL ciphers that offer weak encryption

    Dear All,
    Our internal security audit suggests avoiding the use of weak SSL ciphers for our SAP PI 7.0 servers.
    We have followed SAP note 510007 - Setting up SSL on Web Application Server ABAP.
    As mentioned in point 6, we have added the below parameter in the instance profile of the application server and restarted our server, but still the issue is not resolved.
    ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL
    Clients are accessing our PI server through SAP Web dispatcher.
    Kindly suggest the action to be taken to resolve the issue.
    Please find the below comment from Audit.
    The remote host supports the use of SSL ciphers that offer weak encryption.
    Note: This is considerably easier to exploit if the attacker is on the same physical network
    Regards,
    Lalitha.

    Hi Jim,
    The remote host is the PI(7.0) server.
    PI server profile
    FN_JSTART = jcontrol$(FT_EXE)
    ssl/ciphersuites = HIGH:MEDIUM:!mMD5
    jstartup/recorder = java -classpath ../j2ee/cluster/bootstrap/launcher.jar com.sap.engine.offline.OfflineToolStart com.sap.engine.flightrecorder.core.Collector ../j2ee/cluster/bootstrap -node %nodeID% %startTime% -bz $(DIR_GLOBAL) -exitcode %exitcode%
    login/accept_sso2_ticket = 1
    SAPSYSTEMNAME = APQ
    SAPSYSTEM = 00
    INSTANCE_NAME = DVEBMGS00
    DIR_CT_RUN = $(DIR_EXE_ROOT)/run
    DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
    jstartup/trimming_properties = off
    jstartup/protocol = on
    jstartup/vm/home = /opt/IBMJava2-amd64-142
    jstartup/max_caches = 500
    jstartup/release = 700
    jstartup/instance_properties = $(jstartup/j2ee_properties):$(jstartup/sdm_properties)
    j2ee/dbdriver = /oracle/client/10x_64/instantclient/ojdbc14.jar
    PHYS_MEMSIZE = 512
    exe/saposcol = $(DIR_CT_RUN)/saposcol
    rdisp/wp_no_dia = 10
    rdisp/wp_no_btc = 3
    exe/icmbnd = $(DIR_CT_RUN)/icmbnd
    rdisp/j2ee_start_control = 1
    rdisp/j2ee_start = 1
    rdisp/j2ee_libpath = $(DIR_EXECUTABLE)
    exe/j2ee = $(DIR_EXECUTABLE)/jcontrol$(FT_EXE)
    rdisp/j2ee_timeout = 1800
    rdisp/frfc_fallback = on
    icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00
    icm/server_port_0 = PROT=HTTP,PORT=80$$
    # SAP Messaging Service parameters are set in the DEFAULT.PFL
    ms/server_port_0 = PROT=HTTP,PORT=81$$
    rdisp/wp_no_enq = 1
    rdisp/wp_no_vb = 1
    rdisp/wp_no_vb2 = 1
    rdisp/wp_no_spo = 1
    # Jcontrol: Migrated Profile Parameter
    #      create at Wed Mar 25 20:20:02 2009
    j2ee/instance_id = ID0079698
    Web dispatcher profile
    SAPSYSTEMNAME = WD0
    SAPSYSTEM = 00
    INSTANCE_NAME = W00
    DIR_CT_RUN = $(DIR_EXE_ROOT)/run
    DIR_EXECUTABLE = $(DIR_CT_RUN)
    wdisp/shm_attach_mode = 6
    # Accessibility of Message Server
    #rdisp/mshost = asapq00.b.com
    #ms/http_port = 8100
    #ms/https_port = 8101
    wdisp/system_0 = MSHOST=asapq00.b.com, MSPORT=8100, SID=APQ
    # Configuration for medium scenario
    icm/max_conn               = 16350
    icm/max_sockets            = 32768
    wdisp/HTTPS/max_pooled_con = 16350
    icm/req_queue_len          = 8000
    icm/min_threads            = 100
    icm/max_threads            = 500
    mpi/total_size_MB          = 700
    mpi/buffer_size            = 32768
    mpi/max_pipes              = 21000
    wdisp/HTTP/max_pooled_con  = 8192
    wdisp/HTTPS/max_pooled_con = 8192
    # SAP Web Dispatcher Ports
    icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
    icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1
    #icm/host_name_full= asapq00.b.com
    icm/host_name_full= qtyh2h.k.co.in
    icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=/sapmnt/WD0/global/security/data/icmauth.txt
    ssl/ssl_lib=/usr/sap/WD0/W00/sec/libsapcrypto.so
    wdisp/HTTPS/dest_logon_group = PUBLIC
    wdisp/HTTPS/max_client_ip_entries = 100000
    wdisp/HTTPS/sticky_mask = 255.255.255.0
    #Additional Parameters
    wdisp/add_client_protocol_header = true
    wdisp/auto_refresh = 120
    wdisp/max_servers = 100
    wdisp/handle_webdisp_ap_header = 1
    #Registering SAP Web Dispatcher in the SLD
    #wdisp/system_0 = HOST=asapq00.b.com, PORT=8100, SID=APQ, NR=00
    #Parameter to avoid weak SSL ciphers
    ssl/ciphersuites=HIGH:MEDIUM:!mMD5
    Regards,
    Lalitha

  • How to add a Cipher Suite using RSA 1024 algorithm to the 'SSL Cipher Suite Order' GPO

    Following a VA test, the Default Domain GPO has been set to enable the SSL Cipher Suite Order. Following the change, Symantec Endpoint Protection Manager doesn't work properly, as the Home, Monitors and Reports pages are blank and a Schannel error is logged in the SEPM server's event log.
    I have spoken to Symantec and have been told that we need to allow the RSA 1024-bit algorithm, but they can't tell me which cipher suite this would be. I have looked in the GPO setting and can't see an RSA 1024 suite, but have found some in this article:
    http://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01
    I want to know how to add an additional cipher suite to the setting safely. Am I able to just add the suite to the GPO setting (e.g. TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA), or do I need to do anything else beforehand?
    If anyone has any advice regarding this, or cipher suite orders and troubleshooting SSL problems in general, it would be much appreciated.
    Thanks
    Chris

    Hi Chris,
    Based on my research, RSA_EXPORT1024_DES_CBC_SHA is a previous cipher suite which is supported; you can enable it using the SSL Cipher Suite Order policy setting under Administrative Templates\Network\SSL Configuration Settings.
    More information for you:
    TLS/SSL Cryptographic Enhancements
    http://technet.microsoft.com/en-us/library/cc766285(v=WS.10).aspx
    Best Regards,
    Amy
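Added example, not from any of the posts above: a Python helper that applies the two thresholds quoted on this page, PCI's "above 80 bit" and the 128-bit floor from the registry advice, to the two kinds of cipher names that appear here: IANA-style suite names such as the TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA Chris asks about, and SCHANNEL\Ciphers subkey names (constructed, in the "RC4 40/128" form Windows uses) from Hailey's registry procedure. It also accepts TLS 1.3 names, which have no _WITH_ part.

```python
import re
from dataclasses import dataclass, field

MAC_SUFFIXES = ("_SHA384", "_SHA256", "_SHA", "_MD5")


def bulk_key_bits(bulk: str) -> int:
    """Effective key strength of the bulk-cipher part of a suite name."""
    if bulk == "NULL":
        return 0
    if "3DES" in bulk:
        return 112  # 168-bit nominal, 112-bit effective (meet-in-the-middle)
    if "DES40" in bulk:
        return 40
    if bulk.startswith("DES"):
        return 56
    m = re.search(r"(?<![A-Z])(40|56|128|256)(?![0-9])", bulk)
    if not m:
        raise ValueError(f"unrecognised bulk cipher: {bulk}")
    return int(m.group(1))


@dataclass
class Verdict:
    suite: str
    bits: int
    reasons: list = field(default_factory=list)

    @property
    def weak(self) -> bool:
        return bool(self.reasons)


def assess(suite: str, min_bits: int = 128) -> Verdict:
    """Classify TLS_<kx>_WITH_<bulk>_<mac>, or the TLS 1.3 form TLS_<bulk>_<hash>."""
    kx, rest = suite.split("_WITH_", 1) if "_WITH_" in suite else ("", suite[4:])
    mac = next((s for s in MAC_SUFFIXES if rest.endswith(s)), None)
    if mac is None:
        raise ValueError(f"unrecognised MAC/hash in: {suite}")
    bulk = rest[: -len(mac)]
    v = Verdict(suite, bulk_key_bits(bulk))
    if v.bits == 0:
        v.reasons.append("NULL cipher: no encryption")
    elif v.bits < min_bits:
        v.reasons.append(f"{v.bits}-bit key below {min_bits}-bit floor")
    if "EXPORT" in kx:
        v.reasons.append("export-grade suite")
    if mac == "_MD5":
        v.reasons.append("MD5 MAC")
    if bulk.startswith("RC4"):
        v.reasons.append("RC4 stream cipher")
    return v


def schannel_key_bits(key_name: str) -> int:
    """Effective bits for a SCHANNEL\\Ciphers subkey name such as
    'RC4 40/128', 'DES 56/56', 'Triple DES 168', 'AES 128/128' or 'NULL'."""
    if key_name == "NULL":
        return 0
    if key_name.startswith("Triple DES"):
        return 112
    m = re.search(r"(\d+)(?:/\d+)?$", key_name)
    if not m:
        raise ValueError(f"unrecognised SCHANNEL cipher key: {key_name}")
    return int(m.group(1))


def weak_suites(suites, min_bits=128):
    """Suites failing the policy, each mapped to the reasons it failed."""
    return {v.suite: v.reasons for v in (assess(s, min_bits) for s in suites) if v.weak}


def weak_schannel_keys(key_names, min_bits=128):
    """SCHANNEL cipher keys that would get Enabled=0 under a min_bits policy."""
    return [k for k in key_names if schannel_key_bits(k) < min_bits]
```

Note that 3DES passes the 80-bit PCI floor but fails the 128-bit one, which is why the two scans quoted on this page can disagree about the same server.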

  • SSL cipher suites with v3

    Any way to adjust which SSL cipher suites are used with the messaging agent on version 3 of messenger? There are a few that are not compatible with our firewall and we need to disable them. It's keeping iOS clients from connecting.

    Palo Alto Networks firewall. We enforce SSL decryption on all traffic and any suite that uses Diffie-Hellman key exchange isn't supported. Has to be RSA key exchange.
    Originally Posted by ahidalgo
    Which SSL cipher suites are not compatible with your firewall, just curious. Whose firewall are you using?
    Al
    On 2/27/2015 at 9:26 PM, jarrodholder<[email protected]> wrote:
    Any way to adjust which SSL cipher suites are used with the messaging
    agent on version 3 of messenger? There are a few that are not
    compatible with our firewall and we need to disable them. It's keeping
    iOS clients from connecting.
    jarrodholder

  • How To Restrict SSL Ciphers for iCal and Address Book

    Does anyone know how to set the allowed SSL ciphers for the Address Book and iCal services on Snow Leopard Server?

    Hi,
    There's a dedicated forum for Server customers.
    Good luck,
    S.

  • SSL ciphers and algorithms

    Hello experts,
    I have a fundamental SSL question. What I want to know is whether the ciphers and algorithms mentioned in certificates are used in SSL communication or not. For example, in a sample certificate, I can see Signature Algo=sha1RSA, Signature hash=SHA1, public key=RSA Encryption etc. I want to know whether any of these ciphers/algos are used while establishing the SSL connection. At what stage is which one of these from the certificate used? Or is it that the SSL negotiation does not involve these algorithms and only selects from what the platform supports?

    For example, in a sample certificate, I can see Signature Algo=sha1RSA, Signature hash=SHA1, public key=RSA Encryption etc. I want to know whether any of these ciphers/algos are used while establishing the SSL connection.
    The certificate's own signature is checked on receipt, and the server sends another digital signature signed with its own private key which is also verified by the client, which proves that the server really owns that certificate. After that, the two sides negotiate a symmetric session key. Under some cipher suites that negotiation can also involve the server certificate. Once the session key is established the certificates and their algorithms and key types play no further role.
    As it says in RFC 2246.

  • How to locate and configure SSL cipher suites

    hi all,
    I wanted to know how the cipher suites that are used in SSL connections are picked up by the JVM, or whoever is responsible for establishing the connection at the lower level. I mean there are methods in SSLSocketFactory and HttpsURLConnection named getEnabledCipherSuites(). I was just wondering where these default cipher suites are picked up from. Is there any configuration file or some setting where we can add our own cipher suite to the list?
    Please advise.
    Thanks in advance :)
    Arun

    hi,
    As we have already discussed, we can set the cipher suite used in the SSL connection only using the SSLSocket.setEnabledCipherSuite() function, and the getSupportedCipherSuites() function returns the list of cipher suites that are supported by the connection.
    But I want to set the cipher suite in the SSL connection using HttpsURLConnection. Under this class (HttpsURLConnection) there is no such method where you can specify the cipher suite.
    So I am trying to find out, when an SSL connection is set up, from where the JVM loads the cipher suites. I checked all the basic classes in the javax.net.ssl package and all contain the methods as abstract. So if anybody has any idea regarding where these supported cipher suites are located in the JDK, please let me know.
    Thanks in advance :)
    Arun

  • WCS: Bug with unique client report?

    I'm running WCS 7.0.172.0 and have run into the situation where a Unique Client Report, when run for the last day, shows lots of clients (properly).  When you select a specific date range, you get no records, regardless of the date range (you can even select the last 24 hours with the drop-downs).  Is this a bug?

    I've gone back and forth with TAC on this, and it's been explained to me that the function of the report has changed recently and the description for what it does is no longer valid.  I STILL think there is a bug in this, however, as it appears whenever I run this report, it only shows me the unique clients RIGHT NOW, even if I pick "last day" which I'm told is really the only valid criterion... something is definitely broken here.

  • How to change SSL ciphers on Oracle 9i?

    Setup - Windows 2003, Oracle 9.2.0.8 with Apache 1.3
    Vulnerability scan detected weak ciphers and an MD5 SSL certificate installed on the server. After looking around the server, the MD5 SSL certificate is the Oracle Demo CA that gets installed in ORACLE_HOME\Apache\conf\ssl.crt. This certificate is being used by the Oracle HTTP server. I need two things -
    - Disable SSL 2.0 and enable SSL 3.0/TLS 1.0 on Oracle Apache HTTP server
    - Delete the ssl.cert with MD5 and reissue with a stronger hashing method like SHA-256, SHA-512.

    Hi,
    I am aware of the option of changing the current schema with the current_schema setting, but never heard that one can change the database too. Some options that struck me immediately are
    1) Connect with the same user to the other database with a different TNSnames entry.
    2) Stay in the database and use Db links to connect to the other database.
    Sorry, never heard of this thing myself.
    Aman....

  • SSL Ciphers

    Hi, I'm moving an application from Apache/CGI to WebLogic 9.2. I need to restrict the protocol and set of ciphers used by the server. That is no null ciphers, no exported ciphers, etc., only high ciphers: In Apache, I can do something similar to the following:
    SSLProtocol -ALL SSLv3 TLSv1
    SSLCipherSuite -ALL:AES256-SHA:AES128-SHA:DES-CBC3-SHA
    How can I do the same in WebLogic 9.2?
    When I use the ciphersuite element of the config.xml file via the SSL element, the server doesn't load, and it complains that I should use inbound/outbound validation certificates. When I specify weblogic.security.SSL.allowUnencryptedNullCipher=false, the log records that 23 default ciphersuites have been loaded. How can I control what the server loads? Thanks for any help.

    It appears the method for configuring has changed:
    Prior to 9.x
    <server>
    <name>MyServer</name>
    <ssl>
    <name>MyServer</name>
    <enabled>true</enabled>
    <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    <ciphersuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite> ...
    </ssl>
    </server>
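Lalitha's SAP profile above first used ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL, and the Apache SSLCipherSuite directive in the post above lists suites in the same colon-separated form. Added example, not from either post: a small evaluator of OpenSSL's cipher-string grammar over a constructed table, assuming OpenSSL's keyword semantics (SAP's crypto library may define its keywords differently), showing that "!LOW" does not remove explicitly listed EXPORT suites and that a keyword matching nothing, such as the "!mMD5" in the profile, excludes nothing.

```python
# Constructed table: a few OpenSSL cipher names with the keyword groups the
# cipher-string grammar sorts them into. Strength classes follow OpenSSL's
# definitions: LOW is 56/64-bit non-export; EXPORT is a separate class.
CIPHER_TAGS = {
    "AES256-SHA":      {"HIGH", "AES", "SHA1", "RSA"},
    "AES128-SHA":      {"HIGH", "AES", "SHA1", "RSA"},
    "DES-CBC3-SHA":    {"HIGH", "3DES", "SHA1", "RSA"},
    "RC4-SHA":         {"MEDIUM", "RC4", "SHA1", "RSA"},
    "RC4-MD5":         {"MEDIUM", "RC4", "MD5", "RSA"},
    "DES-CBC-SHA":     {"LOW", "DES", "SHA1", "RSA"},
    "EXP-DES-CBC-SHA": {"EXPORT", "EXPORT40", "DES", "SHA1", "RSA"},
    "EXP-RC4-MD5":     {"EXPORT", "EXPORT40", "RC4", "MD5", "RSA"},
    "NULL-SHA":        {"eNULL", "SHA1", "RSA"},
    "NULL-MD5":        {"eNULL", "MD5", "RSA"},
}
WEAK_TAGS = {"eNULL", "EXPORT", "LOW", "MD5"}   # what the audits on this page flag


def expand(spec, table=CIPHER_TAGS):
    """Evaluate an OpenSSL-style cipher string against `table`.

    Returns (ordered list of enabled ciphers, elements that matched nothing).
    Grammar handled: a bare word adds, '-' removes (may be re-added later),
    '!' removes and blocks re-adding, '+' moves matches to the end, and
    'ALL' is every cipher except eNULL. Words joined with '+' (AES+SHA1)
    are not handled.
    """
    enabled, killed, unmatched = [], set(), []

    def hits_for(word):
        if word == "ALL":
            return [c for c, tags in table.items() if "eNULL" not in tags]
        return [c for c, tags in table.items() if word == c or word in tags]

    for element in filter(None, spec.split(":")):
        op, word = (element[0], element[1:]) if element[0] in "!-+" else ("", element)
        hits = hits_for(word)
        if not hits:
            unmatched.append(element)   # OpenSSL also ignores words it does not know
            continue
        if op == "!":
            killed.update(hits)
            enabled = [c for c in enabled if c not in hits]
        elif op == "-":
            enabled = [c for c in enabled if c not in hits]
        elif op == "+":
            enabled = [c for c in enabled if c not in hits] + [c for c in enabled if c in hits]
        else:
            enabled += [c for c in hits if c not in enabled and c not in killed]
    return enabled, unmatched


def weak_enabled(enabled, table=CIPHER_TAGS):
    """Ciphers from an expanded list that a scanner would flag, with the reason."""
    return {c: sorted(table[c] & WEAK_TAGS) for c in enabled if table[c] & WEAK_TAGS}
```

Running expand on the first SAP string leaves both EXP- suites enabled (the EXPORT keyword adds them and !LOW never matches them), which is consistent with the audit still flagging the server after that change.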

  • I discovered a Bug on IOS 7 Calendar. All iPhones I've tested has it.

    How can I report a Bug from iPhones IOS 7.0.3 Calendar?
    I need to say all details right?

    Alright. Thanks.
    Can you test right now, just to be sure?
    Go to your Calendar and see the month view. Today is October 28, Monday (up to there it is all right). But tap the day 28th to view the hour appointments on the day. *From nowhere, Monday the 28th turns into Tuesday* ..
    does this happen in yours too?

  • I've discovered some bugs in WLM 12

    I have observed some bugs in Windows Live Mail 12.  Where may I post them?

    You're welcome. To expedite the verification you can also post the request to the end of this thread.
    Verify Your Account 17
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • I found anti-phishing on our two PCs with Firefox (now 31) was NOT turned on by default, (I did not turn it off). Discovered this bug after a phishing attack.

    Hi
    I posted this more as an FYI. I'm using Firefox 31 on two PCs and had a phishing incident today. I read your article on Firefox's anti-phishing / anti-malware protection, and using the two test pages you provided I found the phishing test page wasn't blocked. I followed your instructions and successfully activated it. For whatever reason on my two PCs (one is Windows 8.1 Update 1 and the other an ancient XP machine) only the anti-malware was running. Both computers were updated to version 31 in the last few days. I don't know if the failure to have anti-phishing turned on by default is a bug in this version, or was a setting copied from an earlier version of Firefox. I had never changed those security settings myself on any version of Firefox.

    It's more likely this setting was carried over from an earlier version of Firefox. Some people disable one type of protection in favor of the other. Or disable the malware & phishing protection when troubleshooting other issues. Like to reach sites that Google says are bad but really are false positives.
    You may have forgotten fooling with that setting or unchecked it by accident. For example, go back to the Security section in the Options. Move your mouse all the way over to the right underneath the "Exceptions" button and click your mouse along that area for each setting. You see how easily they could be changed by a misclick?
    But since you say this happened on 2 computers, I'll ask a few people to test this out and see what happens.
    You also said you had an anti-phishing incident? Could you elaborate a little more on that. I'm guessing you were in your email and opened an email you thought to be legitimate?
    You'd only have been safe in that case if Google's database had been updated with info to block that exact phishing attack. Did you try revisiting the actual phishing attack after activating the protection? I'm curious to know if it was blocked.
