11-01-2013 07:02 AM
HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
Hi all,
We had a security test run against our servers and got back a result on some HP DL380 servers saying that they have the SSL Server Allows Anonymous Authentication Vulnerability issue on port 2381. We have found that the only SSL-capable application on port 2381 is the HP System Management Homepage. Do any of you have any idea how to fix this issue and what the root cause is? The version of HP System Management Homepage is 7.2.0.14 and there is an update to version 7.2.1.13. I want to ask before I proceed with the update to find out whether the update fixes this or whether it is just a configuration issue. Thanks for any reply.
03-21-2014 05:58 AM
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
The same for us ;-(
We have been informed by our information security team that our servers are failing scans due to "SSL Server Allows Anonymous Authentication Vulnerability".
The following additional information is provided:
Diagnosis:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.
A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack.
Solution: Disable support for anonymous authentication.
For Apache:
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
I am running SMH 7.3.0.9 (Win64) OpenSSL/1.0.1e PHP/5.5.2
Has anyone else run into this?
We would appreciate any help!
Thanks,
SDL-Admin
03-24-2014 01:27 AM
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
Hi,
We have already found a solution for this issue running the SMH on Windows. The thing is to allow only SSL ciphers that do not allow anonymous key exchange. It is the "RC4" cipher, for example. You can read more about this in the HP SMH documentation (http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c02779581-2.pdf).
Our steps to get rid of this issue were the following:
1) navigate to installation directory of HP SMH. Default is C:\hp\hpsmh\bin on Windows
2) Modify the SSL cipher suite by running command "smhconfig.exe -Z 'RC4-SHA'"
3) Restart the HP WEB server by running command "smhconfig.exe -r"
hope that helps
David
03-25-2014 11:39 PM
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
Hi David,
Thanks for your explanation. Your three steps solved our vulnerability problem with HP SMH ;-)
BR,
03-27-2014 11:19 AM
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
Qualys triggered SSL Server Allows Anonymous Authentication Vulnerability on port 2381 (QID 38142) on a Linux RHEL-5.9 server. I see the latest hpsmh version (Version: 7.3.1-4, 18 Feb 2014) for Linux on the HP website, but I don't see that this vulnerability fix is part of this package (no info on the Release notes/Enhancement tab). Can you let me know before I upgrade the hpsmh package to 7.3.1-4?
04-11-2014 01:03 PM
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
David,
do I need to log into each of my servers that has the HP System Management Homepage and run your 3 steps? Or is this only done on my HP SIM server?
Thanks.
04-13-2014 10:33 AM
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
Hi, you have to run this on every server running HP System Management Homepage. You can use a tool like PSExec to do the job if your environment is the same, or run a more complex script if not.
05-14-2015 03:07 AM - last edited on 05-18-2015 07:58 PM by Maiko-I
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
Hello All, How do I disable the "SSL Certificate Self-Signed - TCP:2381" vulnerability? I need to fix this on a few HP servers. The current HP SMH is 7.4.1.6. Please advise.
Regards,
Srinivas.K
06-23-2015 07:52 AM
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
David,
Are you just enabling RC4 in your command? When I tried it, it wouldn't accept RC4-SHA. What is the SHA?
I have read somewhere that RC4 isn't recommended, so I am unclear as to what you are doing in this command line. Clarification would be appreciated, thanks, as I am also trying to find a fix for the OpenSSL 'ChangeCipherSpec' MiTM Vulnerability.
John
09-11-2015 03:54 PM
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
Plugin: 78479
Plugin Name: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Family: General
Severity: High
IP Address: 123.45.67.89
Protocol: TCP
Port: 2381
NetBIOS Name: servernamexxx
I received the above in my Tenable Nexus scan and the fix listed above helped resolve the issue. I re-scanned after the fix and the vulnerability was gone.
The only change in the three steps above is that I ran smhconfig.exe -Z RC4-SHA without quotes around RC4-SHA (the quotes caused it to error out).
HTH anyone else.
11-25-2020 06:30 PM
Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
Try "smhconfig.exe -Z AES256-SHA" instead of RC4-SHA, as it is more secure.
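Added example, not written by any poster in this thread or by HP: the scanner finding discussed above concerns cipher suites with no server authentication, which `openssl ciphers -v` prints as `Au=None`, and later replies question RC4 as the replacement. The Python below parses that listing format and labels anonymous, unencrypted, RC4 and export suites; the sample rows are constructed, and the function and label names are hypothetical.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`
# (OpenSSL 1.0.x style); not captured from any server in this thread.
SAMPLE = """\
ADH-AES256-SHA    SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-RC4-MD5       SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
EXP-ADH-RC4-MD5   SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
NULL-SHA          SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
RC4-SHA           SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES256-SHA        SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")

def parse_suite(line):
    """Turn one `openssl ciphers -v` row into a dict, or None if it is not one."""
    cols = line.split()
    fields = dict(FIELD.findall(line))
    if len(cols) < 2 or "Au" not in fields or "Enc" not in fields:
        return None
    return {"name": cols[0], "export": "export" in cols[2:], **fields}

def findings(suite):
    """Labels (hypothetical names) for the weaknesses discussed in the thread."""
    labels = []
    if suite["Au"] == "None":           # no server authentication: the scanner finding
        labels.append("anonymous-auth")
    if suite["Enc"] == "None":          # eNULL suites: integrity only, no encryption
        labels.append("no-encryption")
    if suite["Enc"].startswith("RC4"):  # RC4, questioned later in the thread
        labels.append("rc4")
    if suite["export"]:                 # export-grade (EXP) key sizes
        labels.append("export-grade")
    return labels

def audit(text):
    """Map each suite name in the listing to its list of findings."""
    suites = (parse_suite(line) for line in text.splitlines())
    return {s["name"]: findings(s) for s in suites if s}

def anonymous_suites(text):
    """Suites that would trigger the 'allows anonymous authentication' finding."""
    return [name for name, labels in audit(text).items() if "anonymous-auth" in labels]

if __name__ == "__main__":
    for name, labels in audit(SAMPLE).items():
        print(f"{name:18} {', '.join(labels) or 'no findings'}")
```

To check a cipher string before configuring it, pass the output of `openssl ciphers -v '<cipher string>'` to `audit()` in place of the sample.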