PowerProtect-enheder i DP-serien og integration af databeskyttelsesanordning: Scanning af sikkerhedssårbarhed registrerede "TLS SSL Svage MACs Cipher Suites" ved søgning

Når følgende sikkerhedsrisiko registreres i Integration Data Protection Appliance-versionerne 2.7.2, 2.7.3 og 2.7.4 på søgekomponenten, portene 442, 443 og 445 (se tabel).
 

Sikkerhedsrisikotitel	Komponenter	Serviceport	Serviceprotokol	Sårbarhedens alvorsgrad	Beskrivelse af sårbarhed	Sikkerhedsrisikosikring
TLS SSL Svage meddelelsesgodkendelseskode Cipher-pakker	DP-søgning	442	TCP	4	Transport Layer Security version 1.2 og tidligere omfatter understøttelse af cipher-pakker, der bruger kryptografisk svage Hash-baserede meddelelsesgodkendelseskoder (HMA'er), f.eks. MD5 eller SHA1.	Forhandlet med følgende usikre cipher-pakker:     * TLS 1.2-koder:        * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS SSL Svage meddelelsesgodkendelseskode Cipher-pakker	DP-søgning	443	TCP	4	Transport Layer Security version 1.2 og tidligere omfatter understøttelse af cipher-pakker, der bruger kryptografisk svage Hash-baserede meddelelsesgodkendelseskoder (HMA'er), f.eks. MD5 eller SHA1.	Forhandlet med følgende usikre cipher-pakker:     * TLS 1.2-koder:        * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS SSL Svage meddelelsesgodkendelseskode Cipher-pakker	DP-søgning	445	TCP	4	Transport Layer Security version 1.2 og tidligere omfatter understøttelse af cipher-pakker, der bruger kryptografisk svage Hash-baserede meddelelsesgodkendelseskoder (HMA'er), f.eks. MD5 eller SHA1.	Forhandlet med følgende usikre cipher-pakker:     * TLS 1.2-koder:        * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Følg disse trin for at afhjælpe problemet:

1. Åbn en PuTTY-session til noden for søgeindeksstyring, og log på som "root"-bruger. 
2. Skift arbejdsmappen til "/etc/nginx" med følgende kommando: 

cd /etc/nginx

3. Bekræft, at filerne "nginx.cis.conf" og "nginx.search.conf" findes i mappen:

Search:/etc/nginx #ls -la
total 96
drwxr-xr-x  2 root root 4096 Jun  5 11:42 .
drwxr-xr-x 92 root root 4096 Jul 18 11:51 ..
-rw-r--r--  1 root root 1077 Apr 19 14:48 fastcgi.conf
-rw-r--r--  1 root root 1077 Apr 19 14:48 fastcgi.conf.default
-rw-r--r--  1 root root 1007 Apr 19 14:48 fastcgi_params
-rw-r--r--  1 root root 1007 Apr 19 14:48 fastcgi_params.default
-rw-r--r--  1 root root 2837 Apr 19 14:48 koi-utf
-rw-r--r--  1 root root 2223 Apr 19 14:48 koi-win
-rw-r--r--  1 root root 5349 Apr 19 14:48 mime.types
-rw-r--r--  1 root root 5349 Apr 19 14:48 mime.types.default
-rw-r--r--  1 root root 1021 Jun  5 11:42 nginx.avamar-action.conf
-rw-r--r--  1 root root 3086 Jun  5 11:39 nginx.cis.conf
-rw-r--r--  1 root root  548 Jun  5 11:42 nginx.conf
-rw-r--r--  1 root root 2656 Apr 19 14:48 nginx.conf.default
-rw-r--r--  1 root root  548 Jun  5 11:42 nginx.conf.tmp
-rw-r--r--  1 root root 1027 Jun  5 11:42 nginx.networker-action.conf
-rw-r--r--  1 root root 2513 Jun  5 11:42 nginx.search.conf
-rw-r--r--  1 root root  636 Apr 19 14:48 scgi_params
-rw-r--r--  1 root root  636 Apr 19 14:48 scgi_params.default
-rw-r--r--  1 root root  664 Apr 19 14:48 uwsgi_params
-rw-r--r--  1 root root  664 Apr 19 14:48 uwsgi_params.default
-rw-r--r--  1 root root 3610 Apr 19 14:48 win-utf
Search:/etc/nginx #

4. Opret en kopi af de aktuelle "nginx.cis.conf"- og "nginx.search.conf"-filer:

cp nginx.cis.conf nginx.cis.conf.default
cp nginx.search.conf nginx.search.conf.default

5. Opdater filerne ssl_ciphers på filerne "nginx.cis.conf" og "nginx.search.conf":

From:
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED !DES';

To:
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 !SHA1 !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED !DES';

 

6. Genstart søgeserveren.

systemctl reboot

7. "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA og TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" skal fjernes fra cipher-listen. 

Search:~ #nmap -sV --script ssl-enum-ciphers -p 442,443,445 localhost -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 15:11 GMT-10
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
Other addresses for localhost (not scanned): ::1

PORT    STATE SERVICE  VERSION
442/tcp open  ssl/http nginx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
443/tcp open  ssl/http nginx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
445/tcp open  ssl/http nginx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.60 seconds
Search:~ #

Scanningen af sikkerhedssårbarheden registrerer "TLS SSL Weak Message Authentication Code Cipher Suites" for port 30002 ved søgning.
 

Sikkerhedsrisikotitel	Komponenter	Serviceport	Serviceprotokol	Sårbarhedens alvorsgrad	Beskrivelse af sårbarhed	Sikkerhedsrisikosikring
TLS SSL Svage meddelelsesgodkendelseskode Cipher-pakker	DP-søgning	30002	TCP	4	Transport Layer Security version 1.2 og tidligere omfatter understøttelse af cipher-pakker, der bruger kryptografisk svage Hash-baserede meddelelsesgodkendelseskoder (HMA'er), f.eks. MD5 eller SHA1.	Forhandlet med følgende usikre cipher-pakker:     * TLS 1.2-koder:        * TLS_RSA_WITH_AES_256_CBC_SHA

cipher suits for Port 30002 er planlagt til at blive opdateret, efter Avamar er opdateret i den kommende større version af Integration Data Protection Appliance. 

Før du implementerer løsningen, vil resultatet af scanningsresultatet for portene 442, 443, 445 og 30002 svare til dette:

Search:~ #nmap -sV --script ssl-enum-ciphers -p 442,443,445,30002 localhost -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 14:27 GMT-10
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000041s latency).
Other addresses for localhost (not scanned): ::1

PORT      STATE  SERVICE        VERSION
442/tcp   open   ssl/http       nginx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
443/tcp   open   ssl/http       nginx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
445/tcp   open   ssl/http       nginx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
30002/tcp open  ssl/pago-services2?
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.44 seconds
Search:~ #

PowerProtect DP4400, PowerProtect DP5300, PowerProtect DP5800, PowerProtect DP8300, PowerProtect DP8800, PowerProtect Data Protection Software, Integrated Data Protection Appliance Family, Integrated Data Protection Appliance Software , PowerProtect DD6400, PowerProtect DP5900, PowerProtect DP8400, PowerProtect DP8900 ... 表示を増やす about warranties 表示を減らす about warranties