Certificate vulnerability
10-04-2021 08:15 PM
I have found several of my network devices are showing up within our vulnerability management scanner with "X.509 Certificate Subject CN does not match the entity name" as a vulnerability. This is more than likely a DNS issue, as I do not have any network devices with DNS records. I have been told conflicting opinions and would like to know how to find the best practices on this finding. Which one would be the most accurate process that I should follow:
- It is best practice not to place DNS records on my network devices as it will make them unrecognizable on the public-facing side. Therefore, security by obscurity.
- Attempt to place DNS records as this secures all devices and allows for security teams to identify and ensure that these devices are behaving as needed through the SIEM.
10-04-2021 10:36 PM
If the devices aren't using the certificates then just disable them from responding to SSL/TLS so that the scanner doesn't detect them.
If they are using the certificates, then document for purposes of the scan why they use a self-signed (or manufacturer-issued, as the case may be with wireless APs in particular) certificate. Often this is by design and not a problem with respect to security.
Of course if they are using certificates for actual device administration then they should be proper ones with the CN from the certificate matching the device's FQDN in DNS.
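To see what the scanner is actually comparing when it raises this finding, here is an added example (not code from either poster) that reproduces the hostname-versus-certificate check in Python: SAN entries are preferred, the subject CN is only a fallback, a wildcard covers exactly one label, and a device probed by bare IP with a factory self-signed certificate can never match. The certificate dicts are constructed for the example in the shape `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

# Constructed sample certificates (same dict shape as ssl.SSLSocket.getpeercert()).
SWITCH_SELF_SIGNED = {  # factory self-signed cert, CN is not a hostname at all
    "subject": ((("commonName", "IOS-Self-Signed-Certificate-123456"),),),
}
AP_WITH_SAN = {  # cert issued for the device FQDN, with SAN dNSName and iPAddress
    "subject": ((("commonName", "ap01.corp.example"),),),
    "subjectAltName": (("DNS", "ap01.corp.example"), ("IP Address", "10.0.0.5")),
}
WILDCARD_CN = {"subject": ((("commonName", "*.corp.example"),),)}

def _host_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, one leading '*' label matches one host label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Require at least two fixed labels so '*.example' cannot match a whole zone.
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]

def cert_names(peercert):
    """Names a client may compare against: subjectAltName first, CN only when no SAN is present."""
    san = peercert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    if not dns_names and not ip_names:
        dns_names = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns_names, ip_names

def name_matches(peercert, target):
    """True when `target` (a hostname or an IP literal) is covered by the certificate."""
    dns_names, ip_names = cert_names(peercert)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:  # target is a hostname: compare against dNSName / CN entries
        return any(_host_matches(n, target) for n in dns_names)
    return any(ipaddress.ip_address(i) == addr for i in ip_names)

def scanner_finding(peercert, target):
    """Return None when the name matches, otherwise the text a scanner would report."""
    if name_matches(peercert, target):
        return None
    dns_names, ip_names = cert_names(peercert)
    return "X.509 Certificate Subject CN does not match the entity name: target %r, cert names %r" % (
        target, dns_names + ip_names)

if __name__ == "__main__":
    print(scanner_finding(SWITCH_SELF_SIGNED, "10.0.0.1"))   # reported: probed by IP, CN is not a name
    print(scanner_finding(AP_WITH_SAN, "ap01.corp.example"))  # None: FQDN in DNS matches the SAN
```

Running the check against the FQDN the device has in DNS (rather than the IP the scanner fell back to) shows whether the finding is a certificate problem or just a missing DNS record.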
