HPE Community
Server Management - Systems Insight Manager
1822007 Members
4112 Online
109639 Solutions
New Discussion юеВ

Re: SSL Weak Encryption Question - HP Management Agents

 
Chris Michalek
Occasional Advisor

тАО11-03-2004 03:27 AM

тАО11-03-2004 03:27 AM

SSL Weak Encryption Question - HP Management Agents

Our security vulnerability scanning device has detected the following vulnerability on all of our servers with the HP Management Web Agents - over 600 thus far. This is found on the apache backend of the management agents on port 2381. Any ideas how to fix? Thanks much for your ideas and recommendations in advance. Assume the servers all have agents v7.10a.

SSL Server uses weak encryption vulnerability:

THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
SSL encryption ciphers are classified based on the encryption key length as follows:

HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits
Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security. SSL servers support a LOW grade cipher even though the client supports stronger ciphers.

IMPACT:
An attacker can exploit this vulnerability to decrypt secure communications without authorization.

SOLUTION:
Disable support for LOW encryption ciphers.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol: -ALL +SSLv3 +TLSv1
SSLCipherSuite: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

RESULT:
CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE

SSLv2 SELECTED THE FOLLOWING WEAK CIPHER
EXP-RC2-CBC-MD5 RSA(512) RSA MD5 RC2(40) LOW

SSLv3 SELECTED THE FOLLOWING WEAK CIPHER
EXP1024-RC4-SHA RSA(1024) RSA SHA1 RC4(56) LOW

TLSv1 SELECTED THE FOLLOWING WEAK CIPHER
EXP1024-RC4-SHA RSA(1024) RSA SHA1 RC4(56) LOW
0 Kudos
Reply
4 REPLIES 4
David Claypool
Honored Contributor

тАО11-03-2004 03:54 AM

тАО11-03-2004 03:54 AM

Re: SSL Weak Encryption Question - HP Management Agents

If your scanning software is identifying the agents as being hosted in Apache, this is in error.
0 Kudos
Reply
Chris Michalek
Occasional Advisor

тАО11-03-2004 08:45 AM

тАО11-03-2004 08:45 AM

Re: SSL Weak Encryption Question - HP Management Agents

You are correct - I jumped the gun in assuming the backend was Apache. The vulnerability certainly is the web agent as it exists on port 2381. Any insight would be much appreciated, and I certainly already do appreciate your quick response.
0 Kudos
Reply
charles francis
New Member

тАО11-16-2004 05:27 AM

тАО11-16-2004 05:27 AM

Re: SSL Weak Encryption Question - HP Management Agents

we are seeing this same issue on 200+ servers now. Has anyone found a solution to this other than uninstalling?
0 Kudos
Reply
Chris Michalek
Occasional Advisor

тАО11-16-2004 07:04 AM

тАО11-16-2004 07:04 AM

Re: SSL Weak Encryption Question - HP Management Agents

Worked through our HP rep. Response is summed as follows:

Putting all of this to rest will be version 7.2 of the Insight Agents, due out in February 2005. It will support 128-bit SSL encryption only, removing 56-bit SSL encryption completely.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.