Vulnerability assessment on the Ironport Device ESA

Unanswered Question
Jul 15th, 2013

Hi,

A penetration test was done on the ESA and below are the details.

1) SSH Insecure HMAC Algorithms Enabled

SOLUTION

Disable any 96-bit HMAC algorithms. -------------- how can we disable this in IronPort email?

Disable any MD5-based HMAC algorithms. -------------- how can we disable this in IronPort email?

Rule:

EXECUTE {
    from aspl_env import getContextVariable
    try:
        # Concatenate the MAC lists advertised in both directions.
        test_data = getContextVariable('ssh_server_to_client_mac') + getContextVariable('ssh_client_to_server_mac')
    except KeyError:
        rule.STOP(False)
    for item in test_data:
        # Flag truncated 96-bit tags and any MD5-based MAC.
        if item.endswith('-96'):
            rule.STOP(True)
        elif 'md5' in item:
            rule.STOP(True)
    rule.STOP(False)
}

Info:

GOT: 'ssh_server_to_client_mac' = ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']

GOT: 'ssh_client_to_server_mac' = ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']

2) SSH RC4 Cipher Enabled

SOLUTION

Disable the arcfour (RC4) cipher. -------------- how can we disable this in IronPort email?

Rule:

EXECUTE {
    from aspl_env import getContextVariable
    try:
        # Concatenate the cipher lists advertised in both directions.
        test_data = getContextVariable('ssh_client_to_server_ciphers') + getContextVariable('ssh_server_to_client_ciphers')
    except KeyError:
        rule.STOP(False)
    # Flag the plain 'arcfour' (RC4) entry.
    if 'arcfour' in test_data:
        rule.STOP(True)
    rule.STOP(False)
}

Info:

GOT: 'ssh_client_to_server_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

GOT: 'ssh_server_to_client_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

3) CBC Mode Ciphers are enabled on the SSH Server

SOLUTION

Disable CBC mode ciphers and use CTR mode ciphers. -------------- how can we disable this in IronPort email?

Rule:

EXECUTE {
    from aspl_env import getContextVariable
    try:
        # Concatenate the cipher lists advertised in both directions.
        test_data = getContextVariable('ssh_client_to_server_ciphers') + getContextVariable('ssh_server_to_client_ciphers')
    except KeyError:
        rule.STOP(False)
    for item in test_data:
        # Flag any cipher name ending in '-cbc'.
        if item.endswith('-cbc'):
            rule.STOP(True)
    rule.STOP(False)
}

Info:

GOT: 'ssh_client_to_server_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

GOT: 'ssh_server_to_client_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

Please advise.
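An added example, not from the original post, the scanner, or Cisco: a stand-alone Python re-check of the three findings against the algorithm lists quoted in the scanner Info output, which also shows which algorithms would remain once the weak ones are removed. It generalises the scanner's rules slightly: every arcfour variant and every name containing '-cbc' (including rijndael-cbc@lysator.liu.se) is flagged, not only the literal 'arcfour' and the '-cbc' suffix.

```python
from typing import Dict, List

# Sample lists constructed from the scanner "Info" output in the question.
SAMPLE_MACS = ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160",
               "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]
SAMPLE_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128",
                  "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc",
                  "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"]
# Both directions advertised the same lists in the scan, so reuse them.
SAMPLE_SCAN = {
    "ssh_server_to_client_mac": SAMPLE_MACS,
    "ssh_client_to_server_mac": SAMPLE_MACS,
    "ssh_client_to_server_ciphers": SAMPLE_CIPHERS,
    "ssh_server_to_client_ciphers": SAMPLE_CIPHERS,
}

def is_weak_mac(name: str) -> bool:
    # Finding 1: truncated 96-bit tags and anything MD5-based.
    return name.endswith("-96") or "md5" in name

def is_rc4(name: str) -> bool:
    # Finding 2: the scanner rule matched only the literal 'arcfour'; arcfour128 and
    # arcfour256 are the same stream cipher, so match the prefix instead.
    return name.startswith("arcfour")

def is_cbc(name: str) -> bool:
    # Finding 3: the scanner rule used endswith('-cbc'), which skips
    # 'rijndael-cbc@lysator.liu.se'; a substring match catches that one too.
    return "-cbc" in name

def audit(scan: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the offending algorithm names per finding; an empty dict means clean."""
    macs = scan.get("ssh_server_to_client_mac", []) + scan.get("ssh_client_to_server_mac", [])
    ciphers = scan.get("ssh_client_to_server_ciphers", []) + scan.get("ssh_server_to_client_ciphers", [])
    checks = {"insecure_hmac": (macs, is_weak_mac),
              "rc4_cipher": (ciphers, is_rc4),
              "cbc_cipher": (ciphers, is_cbc)}
    findings = {}
    for finding, (names, weak) in checks.items():
        hits = sorted({n for n in names if weak(n)})
        if hits:
            findings[finding] = hits
    return findings

def hardened(names: List[str], *tests) -> List[str]:
    """Keep only the algorithms that fail none of the weakness tests, preserving order."""
    return [n for n in names if not any(t(n) for t in tests)]

if __name__ == "__main__":
    for finding, hits in audit(SAMPLE_SCAN).items():
        print(f"{finding}: {', '.join(hits)}")
    print("ciphers to keep:", hardened(SAMPLE_CIPHERS, is_rc4, is_cbc))
    print("MACs to keep:", hardened(SAMPLE_MACS, is_weak_mac))
```

Feeding the hardened lists back into audit() is the quickest way to confirm that a re-scan would come back clean before changing the appliance.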

Mathew Huynh Tue, 07/16/2013 - 20:21

Hello Asim,

SSL protocols and ciphers advertised for incoming Graphical User Interface (GUI) connections can be configured with the sslconfig command, the same as for inbound and outbound connections.

ironport.example.com> sslconfig

sslconfig settings:

  GUI HTTPS method:  sslv3

  GUI HTTPS ciphers: RC4-SHA

  Inbound SMTP method:  sslv3tlsv1

  Inbound SMTP ciphers: HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH

  Outbound SMTP method:  sslv3tlsv1

  Outbound SMTP ciphers: HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH

Choose the operation you want to perform:

- GUI - Edit GUI HTTPS ssl settings.

- INBOUND - Edit inbound SMTP ssl settings.

- OUTBOUND - Edit outbound SMTP ssl settings.

- VERIFY - Verify and show ssl cipher list.

[]> gui

Enter the GUI HTTPS ssl method you want to use.

1. SSL v2.

2. SSL v3

3. TLS v1

4. SSL v2 and v3

5. SSL v3 and TLS v1

6. SSL v2, v3 and TLS v1

[2]> 2

Enter the GUI HTTPS ssl cipher you want to use.

[RC4-SHA]>

You can then change the ciphers to the ones you would prefer (require).

For HIGH cipher list ->

Choose the operation you want to perform:

- GUI - Edit GUI HTTPS ssl settings.

- INBOUND - Edit Inbound SMTP ssl settings.

- OUTBOUND - Edit Outbound SMTP ssl settings.

- VERIFY - Verify and show ssl cipher list.

[]> verify

Enter the ssl cipher you want to verify.

[]> RC4-SHA:RC4-MD5:HIGH

siraj23885 Mon, 08/12/2013 - 23:40

Hello All,

Are there any fixes for the above-mentioned vulnerabilities on Cisco IOS for routers and switches?

I don't see any configurable options on Cisco routers and switches so far, but do let me know if there is anything that could be done to fix them.

Posted July 15, 2013 at 12:34 AM