Vulnerability assessment on the Ironport Device ESA

Asim Afzal
Level 1

Hi

There is a penetration test done on ESA and below is the detail:

1) SSH Insecure HMAC Algorithms Enabled

SOLUTION

Disable any 96-bit HMAC Algorithms.

-------------- how can we disable this in ironport email?

Disable any MD5-based HMAC Algorithms.

-------------- how can we disable this in ironport email?

Rule:

EXECUTE {
    from aspl_env import getContextVariable
    try:
        test_data = getContextVariable('ssh_server_to_client_mac') + getContextVariable('ssh_client_to_server_mac')
    except KeyError:
        rule.STOP(False)
    for item in test_data:
        if item.endswith('-96'):
            rule.STOP(True)
        elif 'md5' in item:
            rule.STOP(True)
    rule.STOP(False)
}

Info:

GOT: 'ssh_server_to_client_mac' = ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']

GOT: 'ssh_client_to_server_mac' = ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']

2) SSH RC4 Cipher Enabled

SOLUTION

Disable the arcfour (RC4) cipher.

-------------- how can we disable this in ironport email?

Rule:

EXECUTE {
    from aspl_env import getContextVariable
    try:
        test_data = getContextVariable('ssh_client_to_server_ciphers') + getContextVariable('ssh_server_to_client_ciphers')
    except KeyError:
        rule.STOP(False)
    if 'arcfour' in test_data:
        rule.STOP(True)
    rule.STOP(False)
}

Info:

GOT: 'ssh_client_to_server_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

GOT: 'ssh_server_to_client_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

3) CBC Mode Ciphers are enabled on the SSH Server

SOLUTION

Disable CBC Mode Ciphers and use CTR Mode Ciphers.

-------------- how can we disable this in ironport email?

Rule:

EXECUTE {
    from aspl_env import getContextVariable
    try:
        test_data = getContextVariable('ssh_client_to_server_ciphers') + getContextVariable('ssh_server_to_client_ciphers')
    except KeyError:
        rule.STOP(False)
    for item in test_data:
        if item.endswith('-cbc'):
            rule.STOP(True)
    rule.STOP(False)
}

Info:

GOT: 'ssh_client_to_server_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

GOT: 'ssh_server_to_client_ciphers' = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

Please advise
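As an added illustration (not part of the original post and not the scanner's own rule code), the three checks from the report written as one Python audit over the exact algorithm lists quoted above, plus the lists that would remain once the flagged entries are disabled. It matches slightly more robustly than the report's rules: `'arcfour' in test_data` is an exact list-membership test that would not catch arcfour128/arcfour256 on their own, and `endswith('-cbc')` does not catch rijndael-cbc@lysator.liu.se.

```python
"""Audit SSH cipher/MAC lists for the three findings in the pentest report."""

# Constructed from the 'GOT:' lines of the report above (server-to-client side).
SERVER_MACS = ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com',
               'hmac-ripemd160', 'hmac-ripemd160@openssh.com',
               'hmac-sha1-96', 'hmac-md5-96']
SERVER_CIPHERS = ['aes128-ctr', 'aes192-ctr', 'aes256-ctr',
                  'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc',
                  'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc',
                  'arcfour', 'rijndael-cbc@lysator.liu.se']


def weak_macs(macs):
    """Finding 1: MACs with a truncated 96-bit tag or based on MD5."""
    return [m for m in macs if m.endswith('-96') or 'md5' in m]


def rc4_ciphers(ciphers):
    """Finding 2: any arcfour (RC4) variant, not only the bare 'arcfour' name."""
    return [c for c in ciphers if c.startswith('arcfour')]


def cbc_ciphers(ciphers):
    """Finding 3: CBC-mode ciphers, including vendor-suffixed names like
    'rijndael-cbc@lysator.liu.se' that a plain endswith('-cbc') would miss."""
    return [c for c in ciphers if '-cbc' in c]


def audit(ciphers, macs):
    """Return {finding title: offending algorithms} using the report's titles."""
    checks = [
        ('SSH Insecure HMAC Algorithms Enabled', weak_macs(macs)),
        ('SSH RC4 Cipher Enabled', rc4_ciphers(ciphers)),
        ('CBC Mode Ciphers are enabled on the SSH Server', cbc_ciphers(ciphers)),
    ]
    return {title: hits for title, hits in checks if hits}


def hardened(ciphers, macs):
    """The (ciphers, macs) that remain after every flagged entry is disabled."""
    bad_ciphers = set(rc4_ciphers(ciphers)) | set(cbc_ciphers(ciphers))
    bad_macs = set(weak_macs(macs))
    return ([c for c in ciphers if c not in bad_ciphers],
            [m for m in macs if m not in bad_macs])


if __name__ == '__main__':
    for title, hits in audit(SERVER_CIPHERS, SERVER_MACS).items():
        print(f'{title}: {", ".join(hits)}')
    print('remaining:', hardened(SERVER_CIPHERS, SERVER_MACS))
```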


Mathew Huynh
Cisco Employee

Hello Asim,

SSL protocols and ciphers advertised for incoming Graphical User Interface (GUI) connections can be configured with the sslconfig command; the same applies for inbound and outbound connections.

ironport.example.com> sslconfig

sslconfig settings:
  GUI HTTPS method:  sslv3
  GUI HTTPS ciphers: RC4-SHA
  Inbound SMTP method:  sslv3tlsv1
  Inbound SMTP ciphers: HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH
  Outbound SMTP method:  sslv3tlsv1
  Outbound SMTP ciphers: HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> gui

Enter the GUI HTTPS ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[2]> 2

Enter the GUI HTTPS ssl cipher you want to use.
[RC4-SHA]>

You can then change the ciphers to the one you would prefer (require).

For HIGH cipher list ->

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> verify

Enter the ssl cipher you want to verify.
[]> RC4-SHA:RC4-MD5:HIGH

Hello All,

Are there any fixes for the above-mentioned vulnerabilities on Cisco IOS for routers and switches?

I don't see any configurable options on Cisco routers and switches so far, but do let me know if there is anything that could be done to fix them.

Gulam,

This forum is dedicated to Cisco ESA (Email Security Appliance). I would kindly suggest you post this question in the appropriate forum.

I did some research and I believe the forum is located here

https://supportforums.cisco.com/community/netpro/network-infrastructure/routing

I hope this helps.

-Valter

I realize this post is three years old, but it is one of few regarding SSH ciphers. Why is it that it is mentioned to change SSL GUI settings to fix SSH ciphers? Can SSH ciphers be disabled through SSHD config via ESA CLI?

Hello,

You may choose which ciphers the ESA will use for SSH (CLI) access; whichever is defined will be the ciphers used, from my knowledge; all others are disabled (inactive).

Regards,

Mathew
