cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5376
Views
0
Helpful
2
Replies

HTTPS scan reveals

Kevin Melton
Explorer
Explorer

I am working at a client site whom falls under PCI Security mandates.  The client is scanned by a Third party Vendor each month, and the test results are published.

The client was hit on 2 critical vulnerabilities this time around.  Both of these Critical rankings were generated against the ASA that faces the public Internet at the client site.

The first Critical vulnerability found was as follows:

Description

The remote service uses an SSL certificate that has been signed using
a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These
signature algorithms are known to be vulnerable to collision attacks.
In theory, a determined attacker may be able to leverage this weakness
to generate another certificate with the same digital signature, which
could allow him to masquerade as the affected service.

See also

http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://www.kb.cert.org/vuls/id/836068

Solution

Contact the Certificate Authority to have the certificate reissued.

Risk factor

Medium / CVSS Base Score : 4.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

Plugin output

Here is the service's SSL certificate :

Subject Name:

Common Name: bhiasaop
Unstructured Name: bhiasaop.boarsheadinn

Issuer Name:

Common Name: bhiasaop
Unstructured Name: bhiasaop.boarsheadinn

Serial Number: F8 E5 C3 49

Version: 3

Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: Mar 20 18:52:40 2009 GMT
Not Valid After: Mar 18 18:52:40 2019 GMT

Public Key Info:

Algorithm: RSA Encryption
Public Key: 00 82 9D AB 31 AA 1B D6 A6 26 5F 74 31 AC F6 95 44 AB F6 A0
32 46 DB 02 CA B5 51 AC FB 5B 19 67 6E B6 01 D8 33 3B 8E 6B
A5 5A 42 CE BA 5C 7D DC A1 BE 96 86 A1 AB 26 10 69 49 B1 9C
6B C7 40 74 8C 8C EA 0C D5 82 AC BA 19 9D 46 6A 38 97 49 04
AC B3 90 5C C3 27 83 37 31 71 AA EC 74 C4 C3 8A 73 15 32 AB
4F 9D FD 44 F2 E5 22 E6 B1 2F FA FB B1 A1 85 94 87 36 06 41
3F 4C 2F 7D C7 9E A6 62 6F
Exponent: 01 00 01

Signature: 00 42 BA D4 57 02 C0 B1 B4 22 DF 10 64 65 F8 6B 37 6B FF C1
10 F0 58 A1 02 EA 2C CB B3 A0 E1 FF 73 2A 87 B1 94 50 74 7A
2E CB CD B5 61 18 92 C3 CB 99 47 2A 97 3D 0A DB 6E 98 82 5F
9B E6 BB 03 FE 26 11 05 D8 DB 98 3F 4D B2 B6 54 E9 D7 F3 21
BC 48 C6 BC 89 3E A2 C5 6E AB 81 F1 A1 11 22 A8 41 4F C5 12
B4 C2 ED AC 9C 51 2A 70 17 E2 4A FB A0 D6 E8 9E C5 13 03 1E
2B 3B DC 97 96 A3 E7 40 10

Extension: Basic Constraints (2.5.29.19)
Critical: 1
Data: 30 03 01 01 FF

Extension: Key Usage (2.5.29.15)
Critical: 1
Key Usage: Digital Signature, Key Cert Signature, CRL Signature

Extension: Authority Key Identifier (2.5.29.35)
Critical: 0

Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: CB 5C 84 EE 58 15 C1 5F 4F 1C EF C6 31 54 61 A6 CF ED 38 B4

CVE

CVE-2004-2761

BID

11849, 33065

Other reference

OSVDB:45106, OSVDB:45108, OSVDB:45127, CWE:310

My question is as follows.   Where do we install, import, or otherwise enable Certificates on the ASA for HTTPS?

The 2nd Critical vulnerability was reported as follows:

Synopsis

The SSL certificate for this service is signed by an unknown
certificate authority.

Description

The X.509 certificate of the remote host is not signed by a known
public certificate authority. If the remote host is a public host in
production, this nullifies the use of SSL as anyone could establish a
man in the middle attack against the remote host.

Solution

Purchase or generate a proper certificate for this service.

Risk factor

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin output

*** ERROR: Unknown root CA in the chain:
Common Name: bhiasaop
Unstructured Name: bhiasaop.boarsheadinn

Certificate chain:
|-Common Name: bhiasaop
|-Unstructured Name: bhiasaop.boarsheadinn

I am not sure why all of a sudden we are getting hit on these items which we have formerly been passing.  What recommendations are there to resolve this?

Thank You

Kevin

1 Accepted Solution

Accepted Solutions

trippi
Beginner
Beginner

Was the scan from the outside or inside?

If you aren't using SSL VPN you can turn it off on the outside or you can disable the weak algorithyms.

You can specify the strong ones by typing this in under configuration mode.

'ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5'

Or disabling WebVPN on outside with one of these two, not sure which one it is

webvpn

no enable outside

or

no webvpn

View solution in original post

2 Replies 2

trippi
Beginner
Beginner

Was the scan from the outside or inside?

If you aren't using SSL VPN you can turn it off on the outside or you can disable the weak algorithyms.

You can specify the strong ones by typing this in under configuration mode.

'ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5'

Or disabling WebVPN on outside with one of these two, not sure which one it is

webvpn

no enable outside

or

no webvpn

Thanks for the response.  You nailed it.  I had turned it on last week at some point when I was in a testing mode looking

at the WebVPN feature.  I had indeed enabled it on the outside interface.  I disabled it, contacted the Third Party scanning vendor to issue a retest, and all tested OK.

Thanks for your response.

Kevin Melton

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: