topic Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue in Server Management - Systems Insight Manager

HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

DK79 — Fri, 01 Nov 2013 14:02:11 GMT

Hi all,

we have had a security test passed against our servers and got back result on some HP DL380 servers that they have the SSL Server Allows Anonymous Authentication Vulnerability issue on port 2381. We have found the only SSL capable application on port 2381 is the HP System Management Homepage. Does anyone of you have any idea how to fix this issue and what is the root cause? The version of HP System Management Homepage is 7.2.0.14 and there is an update to version 7.2.1.13. I want to ask before I proceed with the update to get know if the update fix this or it is just configuration issue. Thanks for any reply.

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

SDL-Admin — Fri, 21 Mar 2014 12:58:28 GMT

The same for us ;-(

We have been informed by our information security team that our servers are failing scans due to "SSL Server Allows Anonymous Authentication Vulnerability".

Following additional information is provided:

Diagnosis:

The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack."

Solution: Disable support for anonymous authentication.

For Apache:

Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

SSLProtocol -ALL +SSLv3 +TLSv1

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):

SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

I am running SMH 7.3.0.9 (Win64) OpenSSL/1.0.1e PHP/5.5.2

Has anyone else run into this?

We would Appreciate any help!

Thanks,

SDL-Admin

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

DK79 — Mon, 24 Mar 2014 08:27:30 GMT

Hi,

we have already found a solution for this issue running the SMH on Windows. The think is to allow only SSL ciphers that does not allow anonymous key exchange. It is the “RC4” cipher for example. You can read more about this in HP SMH documentation (http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c02779581-2.pdf

Our steps to get rid of this issue was following:

1) navigate to installation directory of HP SMH. Default is C:\hp\hpsmh\bin on Windows
2) Modify the SSL cipher suite by running command "smhconfig.exe -Z 'RC4-SHA'"
3) Restart the HP WEB server by running command "smhconfig.exe -r"

hope that helps

David

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

SDL-Admin — Wed, 26 Mar 2014 06:39:20 GMT

Hi David,

Thanks for your explanation. Your three steps solved our vulnerability problem with HP SMH ;-)

BR,

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Rachamadagu — Thu, 27 Mar 2014 18:19:16 GMT

Qualys triggered SSL Server Allows Anonymous Authentication Vulnerability on 2381 port (QID- 38142) on Linux RHEL-5.9 server. I see latest hpsmh version (Version:7.3.1-4 (18 Feb 2014) for Linux on HP website but I don't see this vulnerability fix is part of this package (no info on Release notes/Enhancement tab). Can you let me know before I upgrade hpsmh package to 7.3.1-4?

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

sungminjin — Fri, 11 Apr 2014 20:03:15 GMT

david..

do I need to log into each of my servers that has the hp system management homepage ? and run your 3 steps ? or is this only done on my HP SIM server ?

Thanks.

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

DK79 — Sun, 13 Apr 2014 17:33:40 GMT

Hi, you have to run this on every server running HP System Management Homepage. You can use tool like PSExec to do the job if your environment is same or run more complex script if not.

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Srinivas0781 — Tue, 19 May 2015 02:58:37 GMT

Hello All, How do I disable "SSL Certificate Self-Signed - TCP:2381" Vulnerability? I need to fix this on few HP servers. The Current HP SHM is 7.4.1.6. Please advise.

Regards,

Srinivas.K

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

John Coen — Tue, 23 Jun 2015 14:52:53 GMT

David,

Are you just enabling RC4 in your command, when I tried it it wouldn't accept RC4-SHA, what is the SHA?

I have read somewhere that RC4 isn't recommended so I am unclear as to what you are doing in this command line, clarification would be appreciated thanks as I am also trying to find a fix for 'Open SSL 'ChangeCipher Spec' MiTM Vulnerability

John

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

station11 — Fri, 11 Sep 2015 22:54:12 GMT

Plugin Plugin Name Family Severity IP Address Protocol Port NetBIOS Name

78479 SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) General High 123.45.67.89 TCP 2381 servernamexxx

I recieved the above in my Tenable Nexus scan and the fix listed above help resolve the issue. I re-scan and the vulnerabilty after the fix and the vulnerabilty was gone.

Only change in the three steps above is that I ran smhconfig.exe -Z RC4-SHA without quotes around RC4-SHA (quote caused it to error out)

HTH anyone else.

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

BastianW — Mon, 12 Oct 2015 08:42:02 GMT

Isn´t RC4 weak? I read a posting here, that this is the case. So a better solution might be to disable RC4 as well and leave only the "secure cipher" in place. I found here a short how to which worked for me. Maybe somebody else will find that usefull as well.

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Richie55 — Thu, 26 Nov 2020 02:30:28 GMT

Try; " smhconfig.exe -Z AES256-SHA" instead of RC4-SHA as it is more secure.