SSL Weak Cipher and unknown CA

I've run a network vulnerability tool (Nessus) and it reported SSL vulnerabilities with weak encryption and an unknown CA. I've narrowed it down to Sophos RMS on port 8194, but my question is: how do you update the Certification Manager, where does the Certification Manager receive its certificates from, and what certificates does it issue?

I am running Sophos Anti-Virus (version 9.5.4) from Enterprise Console 4.5.1.0.

Also, I have my own CA server. If I can use this to generate a PEM, please let me know where I need to place it. I think it is on the enterprise management server, but I'm not sure where.

Regards,

Steve Hall



  • Hi,

    The file cac.pem is the generated certificate of the Certification Manager in the system. If you make a copy of this file and call it cac.crt, for example, you can view it as a certificate file to study its properties. I don't imagine you can use your own certificate, and I doubt it would be supported if you did. I've noticed that at install there is an exe which creates it and adds it to the registry on the SEC server (\certauthstore\); you would need some way of injecting your file into that process, so it's not really viable. It's easy to switch your certificate for the ones in the distribution points, but you would need to get your certificate into the certauthstore on the server also, which isn't really possible.

    Would you be able to list more details as to what Nessus exactly reports?

    I believe that the strength of the encryption is different for routernt.exe talking with the routernt.exe process (i.e. across the network), but for speed, the encryption is lower where the local management agent talks to the local router. So it could be a trade-off between security and performance in the various parts of the system.

    Jak 

  • We are actually experiencing the same issue on 2 of our servers. This is what the Nessus scan reported concerning that problem.

    This was pulled off ports 1075, 8192, and 8194. I also ran a scan with Nmap, and it showed that 1075 and 8194 both supported SSLv2.

    Hope this is helpful.

    SSL Certificate Signed using Weak Hashing Algorithm
    
    Synopsis:
    The SSL certificate has been signed using a weak hash algorithm.
    
    Description:
    The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow him to masquerade as the affected service.
    
    Risk factor:
    Medium
    
    CVSS Base Score:4.0
    CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N
    
    See also:
    http://tools.ietf.org/html/rfc3279
    
    See also:
    http://www.phreedom.org/research/rogue-ca/
    
    See also:
    http://www.microsoft.com/technet/security/advisory/961509.mspx
    
    See also:
    http://www.kb.cert.org/vuls/id/836068
    
    Solution:
    Contact the Certificate Authority to have the certificate reissued.
    
    Plugin output:
    Here is the service's SSL certificate:
    Subject Name:
      Organization Unit: Router$tx-extranet:36073
      Common Name: Agent
    Issuer Name:
      Common Name: EM2_CA
    Serial Number: 00 9C F4
    Version: 3
    Signature Algorithm: MD5 With RSA Encryption
    Not Valid Before: Jan 03 20:10:30 2011 GMT
    Not Valid After: Dec 30 20:10:30 2030 GMT
    Public Key Info:
      Algorithm: RSA Encryption
      Public Key: 00 97 41 A7 9B AD BE A6 3A 3C 48 04 87 BA 7D 0D F3 49 A5 28 32 A9 C0 21 A2 0E ED 7F 2A 38 C8 26 D7 15 8B E1 8A 89 B2 F7 CA 48 BC 37 6F BC 70 4C F3 7F 42 52 40 4C 2E 65 BA 00 A0 DF 81 F3 9F 5C EF
      Exponent: 01 00 01
    Signature
    
    Plugin ID:
    35291
    
    CVE:
    CVE-2004-2761
    
    BID:
    11849, 33065
    
    Other references:
    OSVDB:45106, OSVDB:45108, OSVDB:45127, CWE:310
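An added example (not Sophos or Nessus code) of the check the report above performs, which you can run against a copy of cac.pem before and after a reissue: it decodes the PEM, walks the outer DER structure of the certificate to the signatureAlgorithm OID, and flags the MD2/MD4/MD5 RSA signatures from RFC 3279 that plugin 35291 reports. The two embedded certificates are constructed stubs with a placeholder tbsCertificate; a real certificate is much longer but parses the same way.

```python
import base64
import re

WEAK_SIG_OIDS = {  # RFC 3279 / PKCS#1 signature OIDs that Nessus plugin 35291 flags as weak
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted notation
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm (Certificate ::= SEQUENCE {tbs, sigAlg, sig})."""
    tag, start, _ = _read_tlv(der, 0)
    _, _, tbs_end = _read_tlv(der, start)                 # skip tbsCertificate
    tag2, alg_start, _ = _read_tlv(der, tbs_end)          # signatureAlgorithm SEQUENCE
    tag3, oid_start, oid_end = _read_tlv(der, alg_start)  # its OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER-encoded X.509 Certificate")
    return _decode_oid(der[oid_start:oid_end])

def check_cert(pem):
    """Return (algorithm name or OID, is_weak) for a PEM certificate such as a copy of cac.pem."""
    der = base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))
    oid = signature_algorithm(der)
    return WEAK_SIG_OIDS.get(oid, oid), oid in WEAK_SIG_OIDS

def _stub_cert_pem(sig_oid_hex):
    """Constructed stub certificate (not a real Sophos cert): tbsCertificate is a placeholder."""
    d = lambda tag, payload: bytes([tag, len(payload)]) + payload  # short-form DER TLV
    tbs = d(0x30, d(0x02, b"\x01"))
    alg = d(0x30, d(0x06, bytes.fromhex(sig_oid_hex)) + d(0x05, b""))
    der = d(0x30, tbs + alg + d(0x03, b"\x00\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

MD5_CERT_PEM = _stub_cert_pem("2a864886f70d010104")     # md5WithRSAEncryption, as in the Nessus output above
SHA256_CERT_PEM = _stub_cert_pem("2a864886f70d01010b")  # sha256WithRSAEncryption, what a reissued cert should use
```

For a live service the same check applies to the certificate saved from `openssl s_client -connect host:8194 -showcerts`, with host being your RMS server.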
  • I am having this same issue ...

    Were you able to find a solution?

  • Hello MatthewEllis,

    If the issue is that the use of MD5 is flagged, I fear there's no solution. About the security aspects, please see Explanation of Sophos Endpoint Security and Control exceptions required for PCI compliance.

    Christian
