Super Contributor.

SWEET32 vulnerability

AM Version: 4.5 SP2HF1

Scenario:

I use Nessus software to scan the AM appliance to find out vulnerabilities... there is one "SWEET32" vulnerability I do not know how to fix....

Whose AM has been scanned recently and could provide how to fix SWEET32?

It was detected on the user login portal (https://AM-FQDN/nidp).

Thanks!

 

Wencheng

AM4.5SP2HF1_SWEET32.png 

Super Contributor.

Hi

   Thanks for your information. This SWEET32 was detected on TCP 443 (it should be https://AM-FQDN/nidp).

It should be the location that you provided (/opt/novell/nam/idp/conf), and I find the cipher settings only in the server.xml file... but "ECDHE-RSA-DES-CBC3-SHA" and "DES-CBC3-SHA" are not found in this file.

I provide the cipher setting from server.xml below.

=======================================

/opt/novell/nam/idp/conf/server.xml:123:

<Connector NIDP_Name="connector" address="10.140.200.65" port="2443"
    maxThreads="600" minSpareThreads="5" enableLookups="false" acceptCount="100"
    scheme="https" secure="true" disableUploadTimeout="true" URIEncoding="utf-8"
    sslProtocol="TLSv1.2" sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2"
    clientAuth="false"
    sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation"
    keystoreFile="/opt/novell/devman/jcc/certs/nam/nam.keystore" keystorePass="changit"
    SSLEnabled="true"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
    relaxedPathChars="'[]|'"
    relaxedQueryChars="'[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'" />

========================================

In this file, all ciphers are 128 bits or above... so it seems not to match the information detected by Nessus.

 

Wencheng

AM4.5SP2HF1_SWEET32.png

Micro Focus Frequent Contributor

While you are at it, please have a look at the NAM security guide, which provides various options to reconfigure security:

https://www.netiq.com/documentation/access-manager-45/security-guide/data/bookinfo.html

Super Contributor.

Hi

   I had read the document... and the link:

https://www.netiq.com/documentation/access-manager-45/security-guide/data/b1lh8ctk_ag.html

I post my settings from "Advanced Options" (I rebooted the AM appliance, then started the scan process).
====================
#NAGGlobalOptions FlushUserCache=on
IgnoreDNSServerHealth off www.novell.com
#NAGGlobalOptions ForceUTF=on
#NAGGlobalOptions DebugHeaders=on
#ProxyErrorOverride On
SSLProtocol TLSv1.1 +TLSv1.2
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:ALL:!EDH
SSLProxyCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:MEDIUM:!LOW:!EXP:!SSLv2:!aNULL:!EDH:!ECDH:!ECDSA:!AESGCM:!eNULL:!NULL
======================

I added the last line "SSLProxyCipherSuite", but it still detects SWEET32. I also used another scan software, "OpenVAS", and it detects the same vulnerability.

Wencheng

AM45Sp2HF1_OpenVAS_SWEET32.png

Super Contributor.

Hi All

    From the SR's response, the cipher needs to be modified... and 2 locations need to be modified.

The cipher needs to be modified to the parameter below.

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

2 locations need to be modified.

(1) Advanced setting from iManager...

(2) server.xml in the NIDP location of the OS.

After modifying, reboot the server... this vulnerability will be resolved.

 

Wencheng

Super Contributor.

Did this change cause any issues with client compatibility? Any concern with older OS/Browser?

Super Contributor.

Hi

   After modifying... I tested Win10/Win7 OS.... Win10 seems to work fine...

About Win7, if you use a clean Win7 SP1 to try to connect... you will fail.

Win7 must update its cipher support list (Microsoft had released a patch, but you must install other patches first).

Here is my list... it includes x32/x64... after installing them... Win7 could connect to AM well.

AM_Win7_Cipher_update.png

 

Wencheng
