Vulnerability assessment on the Ironport Device ESA

Unanswered Question
Jul 15th, 2013

Hi

There was a penetration test done on the ESA and below are the details.

1) SSH Insecure HMAC Algorithms Enabled

SOLUTION

Disable any 96-bit HMAC algorithms.

-------------- how we can disable this in ironport email

Disable any MD5-based HMAC algorithms.

-------------- how we can disable this in ironport email

Rule:

EXECUTE {
    from aspl_env import getContextVariable
    try:
        test_data = getContextVariable('ssh_server_to_client_mac') + getContextVariable('ssh_client_to_server_mac')
    except KeyError:
        rule.STOP(False)
    for item in test_data:
        if item.endswith('-96'):
            rule.STOP(True)
        elif 'md5' in item:
            rule.STOP(True)
    rule.STOP(False)
}

Info:

GOT:  'ssh_server_to_client_mac' = ['hmac-md5', 'hmac-sha1', [email protected]',  'hmac-ripemd160', [email protected]', 'hmac-sha1-96',  'hmac-md5-96']

GOT:  'ssh_client_to_server_mac' = ['hmac-md5', 'hmac-sha1', [email protected]',  'hmac-ripemd160', [email protected]', 'hmac-sha1-96',  'hmac-md5-96']

2) SSH RC4 Cipher Enabled

SOLUTION

Disable the arcfour (RC4) cipher.

-------------- how we can disable this in ironport email

Rule:

EXECUTE {
    from aspl_env import getContextVariable
    try:
        test_data = getContextVariable('ssh_client_to_server_ciphers') + getContextVariable('ssh_server_to_client_ciphers')
    except KeyError:
        rule.STOP(False)
    if 'arcfour' in test_data:
        rule.STOP(True)
    rule.STOP(False)
}

Info:

GOT:  'ssh_client_to_server_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr',  'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc',  'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour',  [email protected]']

GOT:  'ssh_server_to_client_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr',  'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc',  'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour',  [email protected]']

3) CBC Mode Ciphers are enabled on the SSH Server

SOLUTION

Disable CBC mode ciphers and use CTR mode ciphers.

-------------- how we can disable this in ironport email

Rule:

EXECUTE {
    from aspl_env import getContextVariable
    try:
        test_data = getContextVariable('ssh_client_to_server_ciphers') + getContextVariable('ssh_server_to_client_ciphers')
    except KeyError:
        rule.STOP(False)
    for item in test_data:
        if item.endswith('-cbc'):
            rule.STOP(True)
    rule.STOP(False)
}

Info:

GOT:  'ssh_client_to_server_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr',  'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc',  'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour',  [email protected]']

GOT:  'ssh_server_to_client_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr',  'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc',  'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour',  [email protected]']

Please advise

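The three scanner rules quoted in the post above can be reproduced as one stand-alone audit of the algorithm lists an SSH server advertises, which also tells you what the hardened list should look like. This is example code added here, not the scanner's rule engine or anything shipped with the ESA; the sample lists are constructed from the GOT output in the post (the entries garbled as "[email protected]" are left out), and the RC4 check is widened to cover arcfour128/arcfour256, which the original rule's exact-match `in` test would miss.

```python
# Audit an SSH server's advertised MAC and cipher lists the way the
# scanner report above does, and derive the hardened list that remains.

# Constructed sample input, taken from the GOT lines in the report.
SAMPLE_MACS = ['hmac-md5', 'hmac-sha1', 'hmac-ripemd160',
               'hmac-sha1-96', 'hmac-md5-96']
SAMPLE_CIPHERS = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr',
                  'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc',
                  'blowfish-cbc', 'cast128-cbc', 'aes192-cbc',
                  'aes256-cbc', 'arcfour']


def weak_macs(macs):
    """Return (name, reason) for every MAC the report's rule 1 would flag."""
    findings = []
    for mac in macs:
        if mac.endswith('-96'):              # truncated 96-bit tag
            findings.append((mac, '96-bit truncated HMAC'))
        elif 'md5' in mac:                   # MD5-based HMAC
            findings.append((mac, 'MD5-based HMAC'))
    return findings


def weak_ciphers(ciphers):
    """Return (name, reason) for every cipher rules 2 and 3 would flag.

    'arcfour', 'arcfour128' and 'arcfour256' are all RC4; the original
    rule only matched the bare 'arcfour' name, so prefix matching is used.
    """
    findings = []
    for cipher in ciphers:
        if cipher.startswith('arcfour'):
            findings.append((cipher, 'RC4 (arcfour) cipher'))
        elif cipher.endswith('-cbc'):
            findings.append((cipher, 'CBC mode cipher'))
    return findings


def hardened(algos, weak_fn):
    """The advertised list with every flagged entry removed, order kept."""
    flagged = {name for name, _ in weak_fn(algos)}
    return [a for a in algos if a not in flagged]


def audit(client_list, server_list, weak_fn):
    """Merge both directions (as the scanner does), report and recommend."""
    merged = list(dict.fromkeys(client_list + server_list))  # dedupe, keep order
    return {'findings': weak_fn(merged), 'recommended': hardened(merged, weak_fn)}


if __name__ == '__main__':
    for label, lst, fn in (('MACs', SAMPLE_MACS, weak_macs),
                           ('ciphers', SAMPLE_CIPHERS, weak_ciphers)):
        result = audit(lst, lst, fn)
        print(label, 'flagged:', result['findings'])
        print(label, 'keep only:', result['recommended'])
```

Run against the lists from the report, only the three CTR ciphers and the untruncated, non-MD5 MACs survive, which is the allow-list the scanner is asking for.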
Mathew Huynh Tue, 07/16/2013 - 20:21

Hello Asim,

SSL protocols and ciphers advertised for incoming Graphical User Interface (GUI) connections can be configured with the sslconfig command, the same as for inbound and outbound connections:

ironport.example.com> sslconfig

sslconfig settings:
  GUI HTTPS method:  sslv3
  GUI HTTPS ciphers: RC4-SHA
  Inbound SMTP method:  sslv3tlsv1
  Inbound SMTP ciphers: HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH
  Outbound SMTP method:  sslv3tlsv1
  Outbound SMTP ciphers: HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> gui

Enter the GUI HTTPS ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[2]> 2

Enter the GUI HTTPS ssl cipher you want to use.
[RC4-SHA]>

You can then change the ciphers to the one you would prefer (require).

For HIGH cipher list ->

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> verify

Enter the ssl cipher you want to verify.
[]> RC4-SHA:RC4-MD5:HIGH

Gulam Siraj Arab Mon, 08/12/2013 - 23:40

Hello All,

Are there any fixes for the above mentioned vulnerabilities on Cisco IOS for routers and switches?

I don't see any configurable options on Cisco routers and switches so far, but do let me know if there is anything that could be done to fix them.

technics614 Wed, 10/26/2016 - 12:20

I realize this post is three years old but it is one of few regarding SSH ciphers. Why is it that it is mentioned to change SSL GUI settings to fix SSH ciphers? Can SSH ciphers be disabled through the SSHD config via the ESA CLI?

Mathew Huynh Wed, 10/26/2016 - 15:35

Hello,

You may choose which ciphers the ESA will use for SSH (CLI) access; whichever is defined will be the ciphers used, from my knowledge; all others are disabled (inactive).

Regards,

Mathew
