topic Re: SSL Weak Encryption Question - HP Management Agents in Server Management - Systems Insight Manager

SSL Weak Encryption Question - HP Management Agents

Chris Michalek — Wed, 03 Nov 2004 11:27:31 GMT

Our security vulnerability scanning device has detected the following vulnerability on all of our servers with the HP Management Web Agents - over 600 thus far. This is found on the apache backend of the management agents on port 2381. Any ideas how to fix? Thanks much for your ideas and recommendations in advance. Assume the servers all have agents v7.10a.

SSL Server uses weak encryption vulnerability:

THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
SSL encryption ciphers are classified based on the encryption key length as follows:

HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits
Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security. SSL servers support a LOW grade cipher even though the client supports stronger ciphers.

IMPACT:
An attacker can exploit this vulnerability to decrypt secure communications without authorization.

SOLUTION:
Disable support for LOW encryption ciphers.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol: -ALL +SSLv3 +TLSv1
SSLCipherSuite: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

RESULT:
CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE

SSLv2 SELECTED THE FOLLOWING WEAK CIPHER
EXP-RC2-CBC-MD5 RSA(512) RSA MD5 RC2(40) LOW

SSLv3 SELECTED THE FOLLOWING WEAK CIPHER
EXP1024-RC4-SHA RSA(1024) RSA SHA1 RC4(56) LOW

TLSv1 SELECTED THE FOLLOWING WEAK CIPHER
EXP1024-RC4-SHA RSA(1024) RSA SHA1 RC4(56) LOW

Re: SSL Weak Encryption Question - HP Management Agents

David Claypool — Wed, 03 Nov 2004 11:54:30 GMT

If your scanning software is identifying the agents as being hosted in Apache, this is in error.

Re: SSL Weak Encryption Question - HP Management Agents

Chris Michalek — Wed, 03 Nov 2004 16:45:08 GMT

You are correct - I jumped the gun in assuming the backend was Apache. The vulnerability certainly is the web agent as it exists on port 2381. Any insight would be much appreciated, and I certainly already do appreciate your quick response.

Re: SSL Weak Encryption Question - HP Management Agents

charles francis — Tue, 16 Nov 2004 13:27:07 GMT

we are seeing this same issue on 200+ servers now. Has anyone found a solution to this other than uninstalling?

Re: SSL Weak Encryption Question - HP Management Agents

Chris Michalek — Tue, 16 Nov 2004 15:04:37 GMT

Worked through our HP rep. Response is summed as follows:

Putting all of this to rest will be version 7.2 of the Insight Agents, due out in February 2005. It will support 128-bit SSL encryption only, removing 56-bit SSL encryption completely.