02-21-2008 01:31 AM - edited 03-11-2019 05:05 AM
Hi, we have just upgraded our Cisco Pix to a Cisco ASA 5520. I ran a security scan against the ASA's Outside IP and it came back with 2 vulnerabilities which I've pasted below. Should these be picked up externally, and if not, what should I check?
SSL Certificate - Self-Signed Certificate
THREAT:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
The client can trust that the Server Certificate belongs to the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.
By exploiting this vulnerability, an attacker can impersonate the server by presenting a fake self-signed certificate. If the client knows that the server does not have a trusted certificate, it will accept this spoofed certificate and communicate with the remote server.
IMPACT:
By exploiting this vulnerability, an attacker can launch a man-in-the-middle attack.
SOLUTION:
Please install a server certificate signed by a trusted third-party Certificate Authority.
SSL Certificate - Signature Verification Failed Vulnerability
THREAT:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection. The authentication is done by verifying that the public key in the certificate is signed by a trusted third-party Certificate Authority.
If a client is unable to verify the certificate, it can abort communication or prompt the user to continue the communication without authentication.
IMPACT:
By exploiting this vulnerability, man-in-the-middle attacks in tandem with DNS cache poisoning can occur.
Exception:
If the server communicates only with a restricted set of clients who have the server certificate or the trusted CA certificate, then the server or CA certificate may not be available publicly, and the scan will be unable to verify the signature.
SOLUTION:
Please install a server certificate signed by a trusted third-party Certificate Authority.
02-27-2008 06:37 AM
You can turn off SSLv2 and enable SSLv3; that may solve the problem.
01-03-2011 12:36 PM
I'm having the same issue. Did this work or does anyone have any other suggestions?
01-06-2011 10:16 AM
We had an ASV do a vulnerability scan. They use Qualys.
01-06-2011 10:38 AM
Thanks for that.
01-04-2011 12:33 PM
If you don't mind my asking, which tool did you scan with? I'd like to try it out.
01-04-2011 12:40 PM
There's no way to turn off the self-signed certificates.
However, if you disable ASDM access (by using 'no http server enable') and you're not using webvpn (which would use certificates), then SSL would no longer be used and you would no longer be running into this vulnerability.
However, if you want ASDM access, you have to enable the http server and SSL, and if you are using a self-signed certificate at that point, you would still have this issue.
The other option, of course, is to obtain a 3rd party certificate.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
01-04-2011 12:40 PM
And disabling http access from whatever interface is being scanned would also work.
--Jason
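None of the replies show how to confirm the scanner's first finding against the certificate itself. As an added example (not from this thread, Cisco or Qualys), the standard-library Python below walks a DER-encoded X.509 certificate and reports it as self-signed when the issuer and subject DNs are identical, which is the property behind the "Self-Signed Certificate" finding; the embedded sample certificate is a constructed skeleton with hypothetical names, and a real certificate exported with `openssl x509 -outform DER` can be passed to `is_self_signed` directly.

```python
def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certs need this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                       # elements of a constructed DER value
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def issuer_and_subject(der):
    """Return the raw DER Name encodings of issuer and subject."""
    _, cert, _ = _tlv(der, 0)                               # Certificate ::= SEQUENCE
    fields = list(_children(next(_children(cert))[1]))      # tbsCertificate fields
    if fields[0][0] == 0xA0:                                # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]       # serial, sigAlg, issuer, validity, subject, ...

def is_self_signed(der):                    # self-signed: issuer DN == subject DN
    issuer, subject = issuer_and_subject(der)
    return issuer == subject

def _enc(tag, value):
    """DER TLV encoder (only used to construct the sample certificate)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, PrintableString } } }"""
    atv = _enc(0x30, bytes.fromhex("0603550403") + _enc(0x13, cn.encode()))
    return _enc(0x30, _enc(0x31, atv))

def toy_cert(issuer_cn, subject_cn):
    """Constructed sample: a structurally valid skeleton with empty key and signature."""
    tbs = _enc(0x30, b"".join([
        _enc(0xA0, _enc(0x02, b"\x02")),                            # version v3
        _enc(0x02, b"\x01"),                                        # serialNumber
        _enc(0x30, bytes.fromhex("06092a864886f70d01010b0500")),    # sha256WithRSA
        _name(issuer_cn),
        _enc(0x30, _enc(0x17, b"080221000000Z") + _enc(0x17, b"090221000000Z")),
        _name(subject_cn),
        _enc(0x30, b""),                                            # subjectPublicKeyInfo stub
    ]))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

A matching issuer and subject only flags the first finding; the second (signature verification) still needs a real chain check against a trusted CA store, for example with `openssl verify`.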