Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

DK79
Visitor

HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Hi all,

we have had a security test run against our servers and got back results that some HP DL380 servers have the SSL Server Allows Anonymous Authentication Vulnerability issue on port 2381. We have found the only SSL-capable application on port 2381 is the HP System Management Homepage. Does any of you have an idea how to fix this issue and what the root cause is? The version of HP System Management Homepage is 7.2.0.14 and there is an update to version 7.2.1.13. I want to ask before I proceed with the update, to find out whether the update fixes this or it is just a configuration issue. Thanks for any reply.

SDL-Admin
Occasional Visitor

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

The same for us ;-(

We have been informed by our information security team that our servers are failing scans due to "SSL Server Allows Anonymous Authentication Vulnerability".

Following additional information is provided:

Diagnosis:

"The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack."

Solution: Disable support for anonymous authentication.

For Apache:

   Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

   SSLProtocol -ALL +SSLv3 +TLSv1

   SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):

   SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

I am running SMH 7.3.0.9 (Win64) OpenSSL/1.0.1e PHP/5.5.2

Has anyone else run into this?

We would appreciate any help!

Thanks,

SDL-Admin

DK79
Visitor

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Hi,

we have already found a solution for this issue running the SMH on Windows. The thing is to allow only SSL ciphers that do not allow anonymous key exchange. It is the "RC4" cipher for example. You can read more about this in the HP SMH documentation (http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c02779581-2.pdf).

Our steps to get rid of this issue were the following:

1) navigate to installation directory of HP SMH. Default is C:\hp\hpsmh\bin on Windows
2) Modify the SSL cipher suite by running command "smhconfig.exe -Z 'RC4-SHA'"
3) Restart the HP WEB server by running command "smhconfig.exe -r"

Hope that helps.

David
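An added Python check, not from this thread or from HP, that uses the local OpenSSL (through the ssl module) to expand the Apache cipher string from the scanner's advice and the RC4-SHA suite from the steps above, lists which suites in them are anonymous, and includes a probe that offers only anonymous suites to an SMH host; the host and port are placeholders, and on current OpenSSL builds RC4-SHA itself is usually unavailable, which the code reports as an empty expansion.

```python
import socket
import ssl

# Cipher strings quoted in the thread: the Apache/mod_ssl line from the
# scanner's advice, and the single suite used with smhconfig.exe -Z.
HARDENED = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SMH_FIX = "RC4-SHA"  # RSA-authenticated suite; absent on modern OpenSSL builds


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL library.
    Returns [] when OpenSSL rejects the string outright, e.g. RC4-SHA on a
    build that no longer ships RC4 or runs at security level 2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def anonymous_suites(cipher_string):
    """Names of suites in the expansion that skip server authentication
    (ADH-*/AECDH-*, reported by OpenSSL as auth-null). A server offering any
    of these is what the 'anonymous authentication' finding refers to."""
    return [c["name"] for c in enabled_suites(cipher_string)
            if c["auth"] == "auth-null"]


def server_accepts_anonymous(host, port=2381, timeout=5.0):
    """Offer only anonymous suites to a server (what the scanner does) and
    report whether it completes the handshake with one. True = finding
    reproduces, False = refused, None = local OpenSSL cannot offer aNULL.
    host/port are placeholders for your own SMH instance."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # anonymous suites present no certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no anon suites
    try:
        ctx.set_ciphers("aNULL")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0].startswith(("ADH-", "AECDH-"))
    except OSError:  # ssl.SSLError is a subclass: refused, reset, no shared cipher
        return False
```

A False or None from the probe on an OpenSSL 3 host is not proof the server is clean, since that build may refuse TLS 1.0/1.1 or aNULL locally; `openssl s_client -cipher aNULL -connect host:2381` from an older toolchain gives the same answer the scanner saw.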

SDL-Admin
Occasional Visitor

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Hi David,

Thanks for your explanation. Your three steps solved our vulnerability problem with HP SMH ;-)

BR,

Rachamadagu
New Member

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Qualys triggered SSL Server Allows Anonymous Authentication Vulnerability on port 2381 (QID 38142) on a Linux RHEL 5.9 server. I see the latest hpsmh version (Version 7.3.1-4, 18 Feb 2014) for Linux on the HP website, but I don't see that a fix for this vulnerability is part of this package (no info on the Release notes/Enhancement tab). Can you let me know before I upgrade the hpsmh package to 7.3.1-4?

sungminjin
Occasional Advisor

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

David,

do I need to log into each of my servers that has the HP System Management Homepage and run your 3 steps, or is this only done on my HP SIM server?

Thanks.

DK79
Visitor

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Hi, you have to run this on every server running HP System Management Homepage. You can use a tool like PsExec to do the job if your environment is the same, or run a more complex script if not.

Srinivas0781
Occasional Visitor

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Hello All, how do I disable the "SSL Certificate Self-Signed - TCP:2381" vulnerability? I need to fix this on a few HP servers. The current HP SMH is 7.4.1.6. Please advise.

Regards,

Srinivas.K

John Coen
Occasional Contributor

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

David,

Are you just enabling RC4 in your command? When I tried it, it wouldn't accept RC4-SHA. What is the SHA?

I have read somewhere that RC4 isn't recommended, so I am unclear as to what you are doing in this command line; clarification would be appreciated, thanks. I am also trying to find a fix for the 'OpenSSL ChangeCipherSpec MiTM' vulnerability.

John

station11
New Member

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Plugin: 78479
Plugin Name: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Family: General
Severity: High
IP Address: 123.45.67.89
Protocol: TCP
Port: 2381
NetBIOS Name: servernamexxx

I received the above in my Tenable Nessus scan, and the fix listed above helped resolve the issue. I re-scanned after the fix and the vulnerability was gone.

The only change in the three steps above is that I ran smhconfig.exe -Z RC4-SHA without quotes around RC4-SHA (the quotes caused it to error out).

HTH anyone else.