Novell Datasync Server SSL "Beast" vulnerability

There is an SSL/TLS vulnerability, known as "BEAST", that affects certain configurations of web browsers and other applications that use the same encryption methods, exposing them to a "man-in-the-middle" attack.

A complete description of the vulnerability can be found at the following link.

Vulnerability Summary for CVE-2011-3389:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

This vulnerability is present in the default configuration of Datasync Mobility, and can be confirmed by downloading and running the following vulnerability testing tool.

Beast vulnerability test instructions and download link:
http://bl0g.yehg.net/2012/05/beastpl-ssltls-beast-vulnerability.html

This vulnerability can be closed by configuring the SSL communications that Datasync uses to allow only unaffected handshake protocols and ciphers.

Below is a link to, and excerpt from, the section of documentation that shows the required options.

I have found that the following settings will allow Datasync Mobility to pass the vulnerability test.
<sslMethod>5</sslMethod>
<sslCiphers>RC4-SHA</sslCiphers>

So far I haven't seen any issues with device connections since I made the changes.

SSL configuration option from the Datasync Mobility documentation:

"5.1.4 Selecting a Specific Version of SSL

By default, the Mobility Connector accepts connections from mobile devices that use SSLv3 and TLSv1, but rejects connections from mobile devices that use SSLv2. If a user’s mobile device tries to connect using SSLv2, the user receives an error and cannot connect. You can enable and disable different versions of SSL protocols and also specify the cipher to use with the desired protocol.

In Synchronizer Web Admin, click the Mobility Connector to display the Mobility Connector Configuration page, then click Edit XML Source to display the Connector XML Source window.

Add the following tags between the <custom> and </custom> tags:
<sslMethod>value</sslMethod>
<sslCiphers>list</sslCiphers>

In the <sslMethod> tag, replace value with any of the following values:

    SSL Version            Value
    SSLv2                  1 (not recommended)
    SSLv3                  2
    TLSv1                  4
    All of the above       3 (not recommended)
    SSLv3 and TLSv1        5 (default)

In a terminal window, use the following command to determine the ciphers that are available on your system:

openssl ciphers -ssl3

In the <sslCiphers> tag in the Connector XML Source window, replace list with the desired values as provided by the openssl command.

Click Save XML to save your changes, then click Home to return to the main Synchronizer Web Admin page.

Restart the Mobility Connector to put the desired SSL protocol and ciphers into effect."
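The procedure above edits two tags inside the connector's <custom> block and then relies on a manual scan to confirm the fix. As an added example (not code from the original post or from Novell), the script below applies the <sslMethod>/<sslCiphers> change to a constructed connector XML source and reports whether the resulting configuration can still negotiate a BEAST-exposed CBC cipher; the sample XML, the function names and the cipher-name heuristic are assumptions of this example.

```python
# Added example (not from the original post or Novell): edit the Mobility
# Connector XML source and check whether it still allows a BEAST-exposed
# cipher (CBC mode) under SSLv3/TLSv1. The <custom> container and the two
# tag names come from the documentation quoted above; the sample XML is
# constructed and the Python logic is this example's own.
import xml.etree.ElementTree as ET

# sslMethod values from the documentation table above
SSL_METHODS = {1: "SSLv2", 2: "SSLv3", 3: "SSLv2+SSLv3+TLSv1",
               4: "TLSv1", 5: "SSLv3+TLSv1"}

# Constructed connector XML source; a real one carries many more settings.
SAMPLE_XML = """<connector><settings><custom>
<listenAddress>0.0.0.0</listenAddress>
</custom></settings></connector>"""

def set_ssl_config(xml_text: str, method: int, ciphers: str) -> str:
    """Insert or update <sslMethod> and <sslCiphers> inside <custom>."""
    if method not in SSL_METHODS:
        raise ValueError(f"unknown sslMethod {method}")
    root = ET.fromstring(xml_text)
    custom = root.find(".//custom")
    if custom is None:
        raise ValueError("no <custom> element in connector XML")
    for tag, value in (("sslMethod", str(method)), ("sslCiphers", ciphers)):
        node = custom.find(tag)
        if node is None:
            node = ET.SubElement(custom, tag)
        node.text = value
    return ET.tostring(root, encoding="unicode")

def beast_findings(xml_text: str) -> list:
    """Return the reasons a connector configuration is still BEAST-exposed."""
    root = ET.fromstring(xml_text)
    custom = root.find(".//custom")
    method = custom.findtext("sslMethod") if custom is not None else None
    ciphers = custom.findtext("sslCiphers") if custom is not None else None
    findings = []
    if method in ("1", "3"):
        findings.append("sslMethod %s enables SSLv2" % method)
    if not ciphers:
        findings.append("no sslCiphers set: OpenSSL default list includes CBC suites")
        return findings
    # Every sslMethod value here negotiates at most TLSv1, where CBC suites are
    # BEAST-affected, so the post's mitigation is to allow only RC4 stream
    # ciphers. (RC4 itself was later prohibited for TLS by RFC 7465, so treat
    # this as the point-in-time fix the post describes.)
    for name in ciphers.split(":"):
        name = name.strip()
        if not name or name[0] in "!-":
            continue  # exclusions never enable a suite
        if "RC4" not in name.upper():
            findings.append(f"cipher entry {name!r} can select a CBC suite under TLSv1")
    return findings
```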
