LinuxQuestions.org
Old 07-26-2019, 02:06 PM   #1
Latitude
Member
 
Registered: Mar 2009
Posts: 65

Rep: Reputation: 16
How to resolve Vulnerability ID 42873 SSL Medium Strength Cipher Suites Supported (SWEET32)?


I'm running a RHEL 7.6 server with McAfee VSEL installed on this host and a monthly security scan this month suddenly showed a new vulnerability from 2016: Vulnerability ID 42873 "SSL Medium Strength Cipher Suites Supported (SWEET32)"

The httpd package is not installed on this server but the "nailswebd" daemon appears to be httpd modified and repackaged for nails to run the web page for managing McAfee VSEL. /opt/NAI/LinuxShield/apache/conf/httpd.conf is the configuration file and a peek into the file shows that it appears to be just like an httpd.conf file.

If we are treating this as httpd, what is the best way to disable MEDIUM strength ciphers from within the /opt/NAI/LinuxShield/apache/conf/httpd.conf file? Would this be done the same way as if we were doing it in ssl.conf? I found instructions through Google searching to resolve this finding by editing the ssl.conf file, but the mod_ssl package containing the ssl.conf file is not installed. Since there is no ssl.conf file, can this be done within /opt/NAI/LinuxShield/apache/conf/httpd.conf?
 
Old 07-26-2019, 03:02 PM   #2
Latitude
Member
 
Registered: Mar 2009
Posts: 65

Original Poster
Rep: Reputation: 16
UPDATE: I located the SSLCipherSuite directive in the file (almost 1300 lines) /opt/NAI/LinuxShield/apache/conf/httpd.conf. I'm going to put together an update to this directive to allow only HIGH strength cipher suites. Anyone have any input for implementing this? I'll share my solution once it's tested and implemented. Below is the current text I found in the nailswebd httpd.conf file:

Quote:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite SSLv3:+HIGH:+MEDIUM
SSLCipherSuite TLSv1:+TLSv1.1:+TLSv1.2:!aNULL:!LOW:!EXP:!NULL:!RC4:+HIGH:+MEDIUM
 
Old 07-28-2019, 06:30 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Only suggestion I have is to disable TLS1.0 (BEAST) and TLS1.1 (no sec risk) before you test. Also rescan with Nessusd to confirm. Then only allow 1.1 if you receive too many problems with legacy software on the customer side.
 
Old 07-31-2019, 08:46 PM   #4
RickDeckard
Member
 
Registered: Jan 2014
Location: Acworth, Georgia, USA
Distribution: Arch Hardened, Ubuntu 18.04, Fedora 30
Posts: 160

Rep: Reputation: Disabled
IIRC Sweet32 deals with insecure ciphers such as 3DES and Blowfish. You may want to make sure you're not using those ciphers in anything.

And if you want some very good (albeit long and requiring an understanding of some general cryptographic concepts) reading on it I'd recommend http://sweet32.info

Last edited by RickDeckard; 07-31-2019 at 08:50 PM.
 
Old 08-08-2019, 03:11 PM   #5
Latitude
Member
 
Registered: Mar 2009
Posts: 65

Original Poster
Rep: Reputation: 16
I answered my own question. Yes, this vulnerability can be resolved from within the file /opt/NAI/LinuxShield/apache/conf/httpd.conf.

Background: A Nessus vulnerability scan on a RHEL 7 server revealed that a web server service supported three old 3DES cipher suites which are less secure. I was surprised to see this kind of vulnerability because I was not aware this server was running a web server, but I became aware McAfee Viruscan for Enterprise Linux (VSEL) runs a web page for the administration of VSEL.

The daemon running a web server for the McAfee VSEL administration site is called nailswebd. nailswebd appears to be a customized version of the Apache web server. The config file is located at /opt/NAI/LinuxShield/apache/conf/httpd.conf.

To resolve the vulnerability, I first ran the command below which revealed the high strength ciphers supported by the version of openssl installed.

Code:
$ openssl ciphers -v 'TLSv1.2+HIGH:!aNULL:!eNULL:'

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

I took the list outputted by the command above, deleted the trailing information after each cipher suite, and created a colon-separated string containing all ciphers. I placed that string in the SSLCipherSuite directive in the config file /opt/NAI/LinuxShield/apache/conf/httpd.conf as shown below:

Code:
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256

I also added the setting below to utilize the web server's cipher preference instead of the client's preference:

Code:
SSLHonorCipherOrder on

After adding/modifying the above two settings I ran the command below to check the syntax for the nailswebd config file:

Code:
# /opt/NAI/LinuxShield/apache/bin/apachectl configtest
Syntax OK

Then I restarted the nailswebd service utilizing the command below:

Code:
# /etc/init.d/nails restart

On the next remediation scan the vulnerability was not detected because I removed the offending (less secure) cipher suites (3DES).

The following were helpful in troubleshooting:

OpenSSL Ciphers man page:
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

Red Hat Customer Portal knowledgebase, requires Red Hat Subscription Login:
https://access.redhat.com/solutions/24717

Check syntax of httpd.conf file, equivalent to apachectl -t:
Code:
# /opt/NAI/LinuxShield/apache/bin/apachectl configtest

Graceful restart of apache nailswebd:
Code:
# /opt/NAI/LinuxShield/apache/bin/apachectl graceful

Restart nails including nailswebd:
Code:
# /etc/init.d/nails restart

Last edited by Latitude; 08-09-2019 at 11:22 AM.
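
The cipher-list step described in post #5, as an added example that is not part of the original thread: it turns `openssl ciphers -v` output into the colon-separated `SSLCipherSuite` value and reports any suite whose `Enc=` field is a 64-bit block cipher, the class SWEET32 concerns. The function names, the sample rows (constructed, including two 3DES rows of the kind the scan reported) and the choice to flag 3DES, DES, IDEA and RC2 are assumptions of this example.

```shell
#!/bin/sh
# Added example: build an SSLCipherSuite value from `openssl ciphers -v`
# output and flag 64-bit block ciphers. Not code from the original thread.

# Constructed sample input: three rows copied from the post's output plus
# two 3DES rows added here for illustration.
sample_output() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
EOF
}

# Read `openssl ciphers -v` rows on stdin and print suite names.
# $1 = "weak": only suites using a 64-bit block cipher; "safe": all others.
filter_suites() {
    awk -v want="$1" '{
        weak = 0
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Enc=(3DES|DES|IDEA|RC2)[(]/) weak = 1
        if (NF && ((want == "weak") == weak)) print $1
    }'
}

# Suites that would keep the scanner finding open, one per line.
weak_suites() { filter_suites weak; }

# Colon-separated string of the remaining suites, in the original order,
# ready to paste after the SSLCipherSuite keyword.
safe_cipher_string() { filter_suites safe | paste -sd: -; }

echo "Flagged (64-bit block cipher):"
sample_output | weak_suites
echo "SSLCipherSuite $(sample_output | safe_cipher_string)"
```

On a real host, replace `sample_output` with the `openssl ciphers -v` command from the post; an empty "Flagged" list means the selection string already excludes 3DES.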
 
  

