0 Replies Latest reply on Nov 8, 2018 9:38 AM by jmichael26

    Netvanta 3448 Diffie-Hellman 1024 PCI Compliance failed

    jmichael26 New Member

      The first network security scan on our Netvanta 3448 failed the PCI DSS Compliance requirements. Firmware reports version 18.03.01.00, device part number is 1200821E1 and we have about 20 of these devices configured the same way so if we can fix one, we can fix them all. I have disabled SNMP, FTP, SFTP, Telnet, HTTP and enabled HTTPS TLSv3. No secure copy server. Only access to unit configured is HTTPS port 443 and SSH port 22.

      Compliance failures are listed below:

       

      THREAT:

      The remote service supports the use of weak and medium SSL ciphers.

      RESULT:

      Here is the list of weak SSL ciphers supported by the remote server :

      Low Strength Ciphers (<= 64-bit key)

      EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

      DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1, etc.

       

      I FIXED THIS by removing the weak and medium SSL cipher entries.

      no http secure-ciphersuite des-cbc-sha and so on. There were six I needed to get rid of.


      THREAT:

      The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.

       

      SOLUTION:

      Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.

       

      RESULT:

      Vulnerable connection combinations :

      SSL/TLS version : TLSv1.0

      Cipher suite : TLS1_CK_DHE_RSA_WITH_DES_CBC_SHA

      Diffie-Hellman MODP size (bits) : 1024

      Logjam attack difficulty : Hard (would require nation-state resources)

      SSL/TLS version : TLSv1.0

      Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA

      Diffie-Hellman MODP size (bits) : 1024

      Logjam attack difficulty : Hard (would require nation-state resources)

      SSL/TLS version : TLSv1.0

      Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA

      Diffie-Hellman MODP size (bits) : 1024

      Logjam attack difficulty : Hard (would require nation-state resources)

      SSL/TLS version : TLSv1.0

      Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA

      Diffie-Hellman MODP size (bits) : 1024

      Logjam attack difficulty : Hard (would require nation-state resources)

      SSL/TLS version : SSLv3

      Cipher suite : TLS1_CK_DHE_RSA_WITH_DES_CBC_SHA

      Diffie-Hellman MODP size (bits) : 1024

      Logjam attack difficulty : Hard (would require nation-state resources)

      SSL/TLS version : SSLv3

      Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA

      Diffie-Hellman MODP size (bits) : 1024

      Logjam attack difficulty : Hard (would require nation-state resources)

      SSL/TLS version : SSLv3

      Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA

      Diffie-Hellman MODP size (bits) : 1024

      Logjam attack difficulty : Hard (would require nation-state resources)

      SSL/TLS version : SSLv3

      Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA

      Diffie-Hellman MODP size (bits) : 1024

      Logjam attack difficulty : Hard (would require nation-state resources)

       

      I have seen references for Diffie-Hellman group 1 or 2 but don't see anywhere to change Diffie-Hellman settings, add a group or ???.

      I'm really lost on this one. Since I disabled HTTP and enabled HTTPS TLSv3 will this go away? I used this command:

       

      KNXAH(config)#http secure-server

       

       

      THREAT:

      The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

       

      RESULT:

      The following certificate was found at the top of the certificate

      chain sent by the remote host, but is self-signed and was not

      found in the list of known certificate authorities :

      |-Subject : C=US/ST=AL/L=Huntsville/O=ADTRAN, Inc./CN=NetVanta/E=tech.support@adtran.com

      SOLUTION:

      Purchase or generate a proper certificate for this service.

      IMPACT:

      The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL

      as anyone could establish a man-in-the-middle attack against the remote host.

      Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

       

      I'm at a total loss here on what to do. Can we buy a certificate and load it on the 3448? Does Adtran have an actual certificate authority that is recognized?

       

       

      THREAT:

      It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

       

      SOLUTION:

      Disable SSLv3.

      Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.

      IMPACT:

      The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles

      padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.

      MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly

      created SSL 3.0 connections.

      As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer is supported by the client and service.

       

      RESULT:

      Nessus determined that the remote server supports SSLv3 with at least one CBC

      cipher suite, indicating that this server is vulnerable.

      It appears that TLSv1 or newer is supported on the server. However, the

      Fallback SCSV mechanism is not supported, allowing connections to be "rolled

      back" to SSLv3.

       

      Again I'm at a loss as to where this can be accomplished.

       

      These are the major issues with our PCI Compliance. I believe if we can fix these I can figure out the rest - or make another post.

      Thank YOU for ANY help with these problems.

       

      John Michael

       

      P.S. I DID a security Scan on the unit through the GUI and here are the results:

      LOW               Banner  Login/Exec banner not set               
      MEDIUM            Logging  Not enabled                    
      LOW               Enable Password  MD5 encryption is not enabled           
      HIGH              Policy-Class  Interfaces using default policy-class   
      MEDIUM            Password  Service password encryption not enabled 
      HIGH              Password  Weak Passwords                    
      HIGH              Password  Duplicate Passwords                    
      HIGH              Session Timeout  Console timeout >= 15 minutes           
      HIGH              Session Timeout  SSH 0 timeout >= 15 minutes             
      HIGH              Session Timeout  SSH 1 timeout >= 15 minutes             
      HIGH              Session Timeout  SSH 2 timeout >= 15 minutes             
      HIGH              Session Timeout  SSH 3 timeout >= 15 minutes             
      HIGH              Session Timeout  SSH 4 timeout >= 15 minutes             

      --------------------------------------------------------------------------------

      **DETAIL**

      --------------------------------------------------------------------------------
      --------------------------------------------------------------------------------

      BANNER:
      --------------------------------------------------------------------------------
      * Neither a login or exec banner has been set. This is not a security risk.
      However, it is recommended that a banner be displayed when a user attempts to
      login. This banner will warn of the legal consequences of gaining unauthorized
      access to the unit.
      Banner Example:

            Unauthorized access prohibited.
            Authorized access only.
            User logins are monitored and unauthorized access will result in criminal
            prosecution. This system is the property of [YOUR COMPANY NAME]
            Disconnect IMMEDIATELY if you are not an authorized user!
      --------------------------------------------------------------------------------

      LOGGING:
      --------------------------------------------------------------------------------
      * Neither Syslog, or TACACs+ accounting have been enabled. For security
      reasons user login activity should be logged.
      --------------------------------------------------------------------------------

      ENABLE PASSWORD:
      -----------------------------------------------------------------------------
      * The enable password is not set for MD5 encryption. MD5 encryption is more 
      secure than standard password encryption.                                   
      --------------------------------------------------------------------------------

      POLICY-CLASS:
      --------------------------------------------------------------------------------
      * The following interfaces are enabled but do not have a policy-class
      assigned. Not having a policy-class assigned will leave the interface open to
      attack.

        * tunnel 25
      --------------------------------------------------------------------------------

      PASSWORDS / KEYS:
      --------------------------------------------------------------------------------
      * Service password encryption is not enabled.
      * Passwords should be at least 7 characters and have both alphabetic and
      numeric characters. Some passwords are considered weak if they match default
      passwords or contain common sequences. For example Qwerty123 is considered a
      weak password even though it contains both numeric and alphabetic characters.
      The following weak passwords were found:

         * pgftn
         * interbella

      * Each user should have a unique password. The following passwords
      are duplicated:

         * pgftn

      --------------------------------------------------------------------------------

      SESSION TIMEOUT:
      --------------------------------------------------------------------------------
      * The following sessions have timeout values of 15 minutes or greater. Long
      session timeouts may allow your system to be compromised. To increase
      security, set the timeout value to less than 15 minutes.   

        * Console
        * SSH 0
        * SSH 1
        * SSH 2
        * SSH 3
        * SSH 4

       

      I can address these but I don't think they have anything to do with the other threats.

       

      Message was edited by: JOHN MICHAEL
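
Added example, not part of the original post and not ADTRAN or scanner vendor code: a Python script that parses a RESULT block in the layout quoted in the post and lists which protocol/cipher combinations still fail the checks the report names (SSLv3 enabled, Diffie-Hellman modulus below 2048 bits, 56-bit DES). The sample report, including its TLSv1.2 / 2048-bit entry, and all function names are constructed for illustration.

```python
# Constructed sample, same layout as the scanner RESULT block quoted in the post.
SAMPLE_REPORT = """\
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_DES_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : SSLv3
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
SSL/TLS version : TLSv1.2
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 2048
"""

MIN_DH_BITS = 2048  # threshold taken from the scanner's SOLUTION text
FIELDS = {"SSL/TLS version": "version", "Cipher suite": "cipher",
          "Diffie-Hellman MODP size (bits)": "dh_bits"}

def parse_combinations(report):
    """Return one dict per version/cipher/DH-size combination in the report."""
    combos, current = [], {}
    for line in report.splitlines():
        key, sep, value = line.strip().partition(" : ")
        name = FIELDS.get(key)
        if not sep or name is None:
            continue  # blank lines, headings, 'Logjam attack difficulty'
        if name == "version" and current:  # a version line starts a new combination
            combos.append(current)
            current = {}
        current[name] = int(value) if name == "dh_bits" else value
    if current:
        combos.append(current)
    return combos

def findings(combo):
    """List the reasons a combination fails the checks named in the scan."""
    reasons = []
    if combo.get("version") == "SSLv3":
        reasons.append("SSLv3 enabled (POODLE)")
    if combo.get("dh_bits", MIN_DH_BITS) < MIN_DH_BITS:
        reasons.append(f"DH modulus {combo['dh_bits']} bits < {MIN_DH_BITS}")
    if "_WITH_DES_CBC_" in combo.get("cipher", ""):
        reasons.append("56-bit DES cipher")
    return reasons

def audit(report):
    """Pair every combination with its findings; an empty list means it passes."""
    return [(c["version"], c["cipher"], findings(c)) for c in parse_combinations(report)]
```

Calling `audit()` on the scanner output saved after each configuration change gives a per-combination pass/fail list that can be compared across all devices sharing the configuration.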