03-08-2011 06:47 AM - edited 03-11-2019 01:02 PM
I am working at a client site who falls under PCI Security mandates. The client is scanned by a Third party Vendor each month, and the test results are published.
The client was hit on 2 critical vulnerabilities this time around. Both of these Critical rankings were generated against the ASA that faces the public Internet at the client site.
The first Critical vulnerability found was as follows:
The remote service uses an SSL certificate that has been signed using
a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These
signature algorithms are known to be vulnerable to collision attacks.
In theory, a determined attacker may be able to leverage this weakness
to generate another certificate with the same digital signature, which
could allow him to masquerade as the affected service.
http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://www.kb.cert.org/vuls/id/836068
Contact the Certificate Authority to have the certificate reissued.
Medium / CVSS Base Score : 4.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
Here is the service's SSL certificate :
Subject Name:
Common Name: bhiasaop
Unstructured Name: bhiasaop.boarsheadinn
Issuer Name:
Common Name: bhiasaop
Unstructured Name: bhiasaop.boarsheadinn
Serial Number: F8 E5 C3 49
Version: 3
Signature Algorithm: MD5 With RSA Encryption
Not Valid Before: Mar 20 18:52:40 2009 GMT
Not Valid After: Mar 18 18:52:40 2019 GMT
Public Key Info:
Algorithm: RSA Encryption
Public Key: (hex omitted)
Exponent: 01 00 01
Signature: (hex omitted)
Extension: Basic Constraints (2.5.29.19)
Critical: 1
Data: 30 03 01 01 FF
Extension: Key Usage (2.5.29.15)
Critical: 1
Key Usage: Digital Signature, Key Cert Signature, CRL Signature
Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: CB 5C 84 EE 58 15 C1 5F 4F 1C EF C6 31 54 61 A6 CF ED 38 B4
CVE-2004-2761
11849, 33065
OSVDB:45106, OSVDB:45108, OSVDB:45127, CWE:310
My question is as follows. Where do we install, import, or otherwise enable Certificates on the ASA for HTTPS?
The 2nd Critical vulnerability was reported as follows:
The SSL certificate for this service is signed by an unknown
certificate authority.
The X.509 certificate of the remote host is not signed by a known
public certificate authority. If the remote host is a public host in
production, this nullifies the use of SSL as anyone could establish a
man in the middle attack against the remote host.
Purchase or generate a proper certificate for this service.
Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
*** ERROR: Unknown root CA in the chain:
Common Name: bhiasaop
Unstructured Name: bhiasaop.boarsheadinn
Certificate chain:
|-Common Name: bhiasaop
|-Unstructured Name: bhiasaop.boarsheadinn
I am not sure why all of a sudden we are getting hit on these items which we have formerly been passing. What recommendations are there to resolve this?
Thank You
Kevin
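To triage these two findings from the scanner's text output without re-running the scan, here is a small parser and rule check (added example, not part of the original thread or of the ASA; the sample reports and hostnames are constructed to match the layout quoted above):

```python
"""Triage the certificate fields a PCI scanner prints (layout as in the report
quoted above); flags a weak signature hash and a self-signed certificate."""

WEAK_HASHES = ("MD2", "MD4", "MD5")   # hashes the scanner rejects
# Constructed sample reports (names made up); key/signature hex bodies omitted.
SELF_SIGNED_MD5 = """\
Subject Name:
Common Name: asa-outside
Issuer Name:
Common Name: asa-outside
Serial Number: F8 E5 C3 49
Signature Algorithm: MD5 With RSA Encryption
"""
CA_ISSUED_SHA256 = """\
Subject Name:
Common Name: vpn.example.test
Issuer Name:
Common Name: Example Public CA
Signature Algorithm: SHA256 With RSA Encryption
"""

def parse_cert_report(text):
    """Return subject/issuer name fields and the signature algorithm."""
    cert = {"subject": {}, "issuer": {}, "sigalg": None}
    section = None                      # name block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Subject Name:", "Issuer Name:"):
            section = line.split()[0].lower()   # "subject" or "issuer"
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Signature Algorithm":
            cert["sigalg"] = value
        elif section and key in ("Common Name", "Unstructured Name"):
            cert[section][key] = value
            continue
        section = None                  # any other field ends the name block
    return cert

def assess(cert):
    """Apply the two scanner rules from the post; returns finding strings."""
    findings = []
    weak = [h for h in WEAK_HASHES if h in (cert["sigalg"] or "").upper()]
    if weak:
        findings.append(f"weak signature hash {weak[0]}; reissue with SHA-256 or stronger")
    if cert["subject"] and cert["subject"] == cert["issuer"]:
        findings.append("self-signed (subject equals issuer); not chained to a known CA")
    return findings
```

The ASA's factory default certificate trips both rules, which is why a CA-issued certificate (or not exposing the service on the outside interface at all) clears the finding.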
03-08-2011 07:51 PM
Was the scan from the outside or inside?
If you aren't using SSL VPN you can turn it off on the outside or you can disable the weak algorithms.
You can specify the strong ones by typing this in under configuration mode.
'ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5'
Or disabling WebVPN on outside with one of these two, not sure which one it is
webvpn
no enable outside
or
no webvpn
03-10-2011 07:11 AM
Thanks for the response. You nailed it. I had turned it on last week at some point when I was in a testing mode looking at the WebVPN feature. I had indeed enabled it on the outside interface. I disabled it, contacted the Third Party scanning vendor to issue a retest, and all tested OK.
Thanks for your response.
Kevin Melton