Open Manage: Nessus Reports omsa Port as a Medium or Low Risk (DRAFT)
OVERVIEW
This article provides the steps to customize the ciphers used by Dell Open Manage.
Although this cipher procedure is applicable on all DXi versions, the symptom below was found on DXi 2.2. This procedure is applicable on 6800; please consult your backline support if you find the same issue on other platforms.
This procedure requires the customer to be knowledgeable about security, since they will need to decide which ciphers to put in place.
SYMPTOM (HOW TO IDENTIFY THE PROBLEM)
When the customer runs Nessus, the application generates the following report for the Dell Open Manage port 1311:
42873 (2) - SSL Medium Strength Cipher Suites Supported
Synopsis
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/11/23, Modification date: 2012/04/02
Hosts
xxx.xxx.28.40 (tcp/1311)
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
xxx.xxx.28.43 (tcp/1311)
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
*********************************************
65821 (2) - SSL RC4 Cipher Suites Supported
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers.
RESOLUTION
To resolve this issue the customer must specify the ciphers they want Open Manage to support. Only a limited set of ciphers can be specified; the available list can be gathered with the command:
# openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=MD5
KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-KRB5-RC2-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export
EXP-KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export
EXP-KRB5-RC2-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=SHA1 export
EXP-KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export
EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
[root@DXi67-01nh ~]#
Once the customer indicates which ciphers Dell OpenManage should load, edit the cipher list in the file:
/opt/dell/srvadmin/lib64/openmanage/apache-tomcat/conf/server.xml
Inside server.xml you will find the Connector element where all the ciphers are listed (note: this example was collected from a DXi lab machine that had been modified for tests, so you will not see the same cipher entries as in the example below on a customer machine):
<Connector SSLEnabled="true" address="*" ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5" clientAuth="false" compression="force" keyPass="${key_password}" keystoreFile="conf/keystore.db" keystorePass="${keystore_password}" maxThreads="150" port="1311" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
Here is an example taken from a 6802 with firmware 2.3 installed:
<Connector compression="force" SSLEnabled="true" address="*" clientAuth="false" keystoreFile="conf/keystore.db" keystorePass="${keystore_password}" keyPass="${key_password}" maxThreads="150" port="1311" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" ciphers=""/>
Before you execute any change in the file above, please make sure you save a backup copy.
Add the cipher list requested by the customer and restart OpenManage with the command:
# srvadmin-services.sh restart
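As an added check before the restart (example code written for this article, not part of OpenManage or of the original page), the script below reads the ciphers attribute of the port-1311 Connector, flags the suites the two Nessus plugins quoted above would report, and translates OpenSSL names from `openssl ciphers -v` into the JSSE names Tomcat expects in that attribute. The server.xml content is a constructed sample modelled on the lines shown in this article, and the classification by suite-name pattern is this example's own assumption, not Nessus's logic.

```python
"""Added example (not the article's or OpenManage's own code): audit the
ciphers attribute of the port-1311 Connector in server.xml against the Nessus
findings quoted above (42873: 56-bit DES, 65821: RC4) and map OpenSSL cipher
names to the JSSE names that server.xml uses."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml lines shown in the article.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector SSLEnabled="true" address="*" port="1311" scheme="https" secure="true"
    protocol="HTTP/1.1" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_DES_CBC_SHA,
             SSL_DHE_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

# OpenSSL name -> JSSE name, for the suites that appear in this article.
OPENSSL_TO_JSSE = {
    "RC4-SHA": "SSL_RSA_WITH_RC4_128_SHA", "RC4-MD5": "SSL_RSA_WITH_RC4_128_MD5",
    "DES-CBC-SHA": "SSL_RSA_WITH_DES_CBC_SHA", "EDH-RSA-DES-CBC-SHA": "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "DES-CBC3-SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "EDH-RSA-DES-CBC3-SHA": "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA", "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA", "DHE-RSA-AES256-SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
# Suite-name patterns for the two plugins; 3DES_EDE deliberately does not match _DES_CBC_.
RULES = (("42873 medium strength (56-bit DES)", re.compile(r"_DES_CBC_")),
         ("65821 RC4", re.compile(r"_RC4_")))

def load_ciphers(xml_text, port="1311"):
    """Suites configured on the Connector listening on `port`, in preference order."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("port") == port:
            return [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
    raise ValueError(f"no Connector on port {port}")

def audit(suites):
    """Map each suite to the Nessus findings it would trigger (empty list = clean)."""
    return {s: [name for name, rx in RULES if rx.search(s)] for s in suites}

def clean_list(suites):
    """Suites that trigger no finding: what would go back into the ciphers attribute."""
    return [s for s, hits in audit(suites).items() if not hits]

def to_jsse(openssl_names):
    """Translate names picked from `openssl ciphers -v` into the form server.xml needs."""
    return [OPENSSL_TO_JSSE[n] for n in openssl_names]  # KeyError: name not in this table

if __name__ == "__main__":
    suites = load_ciphers(SAMPLE_SERVER_XML)
    for s, hits in audit(suites).items():
        print(f"{s:40} {', '.join(hits) or 'ok'}")
    print('ciphers="%s"' % ",".join(clean_list(suites)))
```

Run against the RC4-only list used in the lab example further down, clean_list() comes back empty, because plugin 65821 flags every RC4 suite; the 3DES and AES suites from the "before" list are the ones neither quoted plugin reports.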
The openssl command can help you verify which cipher is negotiated on the OpenManage port. Here is an example of its usage and the results before and after the change:
BEFORE THE CHANGE
On the server we had a list of ciphers defined under server.xml, and openssl negotiated the CBC cipher.
(Again, this is a lab machine, so the lines shown below may not reflect what you will find on the customer's DXi.)
# grep cipher server.xml
<Connector SSLEnabled="true" address="*" ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" clientAuth="false" compression="force" keyPass="${key_password}" keystoreFile="conf/keystore.db" keystorePass="${keystore_password}" maxThreads="150" port="1311" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
# openssl s_client -showcerts -connect localhost:1311
CONNECTED(00000003)
depth=0 /C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
verify return:1
---
Certificate chain
0 s:/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
i:/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
issuer=/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
---
No client certificate CA names sent
---
SSL handshake has read 1228 bytes and written 279 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 52D849A83D41E3963D02049D1BD00A0EC5DA09F10A352F69076C68E987EBA55A
Session-ID-ctx:
Master-Key: 0CF9191D86A56FC7643D4CFD68A35098936589E872E7F0C6424253DAD4AA730BDC00C6871714240207C5BCA1A4DBA06A
Key-Arg : None
Krb5 Principal: None
Start Time: 1389906344
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
AFTER THE CHANGE
We removed all CBC ciphers and left only two ciphers with 128-bit encryption in the list:
# grep cipher server.xml
<Connector SSLEnabled="true" address="*" ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5" clientAuth="false" compression="force" keyPass="${key_password}" keystoreFile="conf/keystore.db" keystorePass="${keystore_password}" maxThreads="150" port="1311" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
# openssl s_client -showcerts -connect localhost:1311
CONNECTED(00000003)
depth=0 /C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
verify return:1
---
Certificate chain
0 s:/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
i:/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
issuer=/C=US/ST=TX/L=Round Rock/OU=SA Enterprise Software Development/O=Dell Inc/CN=SES6802DXi79
---
No client certificate CA names sent
---
SSL handshake has read 796 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 52E018D552D1303436EE31A8140E904693055EA8C9673138C7593C9011091A93
Session-ID-ctx:
Master-Key: 9691661FC1A7E6309D1B3538BCBF304586C9168963CC3229A3FD5EEBC20A991D1CD8BFF37E465D71178079CDD3286458
Key-Arg : None
Krb5 Principal: None
Start Time: 1390418133
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
Note: if the customer is fine with the ciphers and only wants to require encryption keys of 128-bit and higher, this can easily be done in the OpenManage GUI > General Settings > Preferences.
This page was generated by the BrainKeeper Enterprise Wiki, © 2018