01-04-2017 06:04 AM
I have recently upgraded two NBU 5230 Appliances to version 3.0. After the successful upgrade, I performed a Nessus scan against the appliances and received 3 Medium level alerts consisting of a total of 6 vulnerabilities. They are all related to certificates (self-signed, wrong hostname, and support for medium level cipher suites). Is there a way to create a certificate request for these ports/services so that I can generate, issue and apply a legitimately signed certificate? Below is the output from my Nessus scan:
**** SSL Self-Signed Certificate
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Output
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :
|-Subject : O=xxxx-backup-x.xxxx.main/OU=VxOS/CN=xxxx-backup-x.xxxx.main
Port 443 / tcp / www
Hosts xxxx-backup-x
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :
|-Subject : O=nb-appliance/OU=NetBackup/CN=nb-appliance
Port 8443 / tcp / www
Hosts xxxx-backup-x
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :
|-Subject : CN=nbatd/OU=root@xxxx-backup-x.vacu.main/O=vx
Port 13783 / tcp
Hosts xxxx-backup-x
******
**** SSL Certificate with Wrong Hostname
Description
The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Solution
Purchase or generate a proper certificate for this service.
Output
The identities known by Nessus are :
xxxx-backup-x.xxxx.main
xxxx-backup-x
The Common Name in the certificate is :
nb-appliance
Port 8443 / tcp / www
Hosts xxxx-backup-x
The identities known by Nessus are :
xxxx-backup-x.xxxx.main
xxxx-backup-x
The Common Name in the certificate is :
broker
Port 13783 / tcp
Hosts xxxx-backup-x
******
**** SSL Medium Strength Cipher Suites Supported
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 56 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Output
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (> 64-bit and < 112-bit key)
TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Port 13783 / tcp
Hosts xxxx-backup-x
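As an added example (not part of the original post, and not Veritas code), the script below does the two things the question asks about in a form that can be checked offline: it builds a CSR whose subjectAltName carries both names Nessus knows the host by, signs it with a throwaway test CA standing in for the real corporate CA, and then audits certificates the way the two Nessus certificate plugins do (top of chain with issuer equal to subject; scanner's hostname against the certificate's SAN, falling back to CN). The hostnames `backup01.example.internal` / `backup01`, the organisation strings and the test CA are assumptions; how the resulting certificate is loaded onto each appliance port is not covered here, since the thread does not say.

```shell
#!/bin/sh
# Added example, not from the original post or from Veritas. Generates a CSR for
# the appliance's real names (assumed: backup01.example.internal and backup01),
# signs it with a constructed test CA, and audits certificates with the same two
# checks Nessus applies. Needs OpenSSL 1.0.2 or later (for x509 -checkhost).
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-backup01.example.internal}"   # assumed FQDN of the appliance
SHORT="${SHORT:-backup01}"                  # assumed short hostname

# Request config: CN is the FQDN and both names go into subjectAltName, because
# modern clients match on SAN and ignore CN once a SAN is present.
write_cnf() {
  cat > "$WORK/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
O = Example Org
OU = Backup
CN = $FQDN
[ v3_req ]
subjectAltName = DNS:$FQDN, DNS:$SHORT
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Private key plus the CSR to hand to the real CA.
make_csr() {
  write_cnf
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -keyout "$WORK/appliance.key" -out "$WORK/appliance.csr" 2>/dev/null
  # the SAN must be in the request, or the CA has nothing to copy into the cert
  openssl req -in "$WORK/appliance.csr" -noout -text | grep -q "DNS:$FQDN"
}

# Constructed stand-in for the corporate CA; in practice the CSR goes to the real one.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/req.cnf" -extensions v3_ca \
    -subj "/O=Example Org/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/appliance.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/req.cnf" -extensions v3_req \
    -out "$WORK/appliance.crt" 2>/dev/null
}

# The weak default Nessus flagged on 8443: self-signed, generic CN, no SAN.
make_selfsigned() {
  write_cnf
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/req.cnf" \
    -subj "/O=nb-appliance/OU=NetBackup/CN=nb-appliance" \
    -keyout "$WORK/ss.key" -out "$WORK/ss.crt" 2>/dev/null
}

# Nessus "SSL Self-Signed Certificate": the top of the chain has issuer == subject.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  [ "${s#subject=}" = "${i#issuer=}" ] && echo 1 || echo 0
}

# Nessus "SSL Certificate with Wrong Hostname": does the name the scanner knows
# the host by match? -checkhost tries SAN DNS entries, then CN only if no SAN.
host_matches() {
  if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"; then
    echo 1
  else
    echo 0
  fi
}

# The remediation check: the issued cert verifies against the CA that signed it.
chains_to_ca() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Demo run: the bad default beside the properly issued certificate.
make_selfsigned; make_csr; sign_with_test_ca
for c in ss appliance; do
  printf '%s.crt: self-signed=%s  %s=%s  %s=%s\n' "$c" \
    "$(is_self_signed "$WORK/$c.crt")" \
    "$FQDN" "$(host_matches "$WORK/$c.crt" "$FQDN")" \
    "$SHORT" "$(host_matches "$WORK/$c.crt" "$SHORT")"
done
echo "appliance.crt chains to test CA: $(chains_to_ca "$WORK/appliance.crt" "$WORK/ca.crt")"
echo "CSR to submit to the real CA: $WORK/appliance.csr"
```

Two caveats from the findings themselves: the 2017-era Nessus hostname plugin compares the CN, so keep the FQDN in the CN as well as in the SAN rather than relying on SAN alone; and the third finding (3DES on 13783) is a server cipher-list setting, not a certificate problem, so a new certificate will not clear it. Whether 3DES is still accepted on that port can be confirmed from another host with `openssl s_client -connect <appliance>:13783 -cipher DES-CBC3-SHA`; a completed handshake means the suite is still enabled.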
01-23-2017 01:48 PM
I went through this recently - this worked for me: SHA2 self-signed cert