PCI Vulnerability Assessment Report UTM-1 Total Security 570



armando.ferreira
2009-09-12, 11:02
My PCI Vulnerability Assessment Report detects an "SSL Server supports weak encryption" vulnerability on my UTM-1 Total Security 570.
Generic solution is to disable support for LOW encryption ciphers.

Apache
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Tomcat
sslProtocol="SSLv3"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

Which is the best solution for my R70 UTM-1 Total Security 570, or how can I disable SSLv2?

Thank you in advance,
Armando

tomama
2009-09-12, 15:41
From the Check Point forum:

"Current versions of SecurePlatform actually do use SSLv3. They allow connection setup with SSLv2, but if the connection doesn't end up SSLv3, they close it.

This is a workaround to allow the transitional form of SSLv3 as used by Internet Explorer. Essentially, it involves starting the proposal as SSLv2 with a flag that says "I also support SSLv3". The server then gets the choice of whether to continue with SSLv2 or switch to SSLv3.

Admittedly, this is a gross oversimplification, but to test it, go into your browser's preferences and disable SSLv3, leaving only SSLv2. To do this on Internet Explorer, uncheck "Use SSL 3.0" under 'Tools > Internet Options...> Advanced > Security'. Attempt to connect to the SecurePlatform web UI. On R60 and above, it should "work", but not go anywhere and you'll be disconnected.

This causes a lot of false positives for things like Nessus, since we will actually allow a purely SSLv2 connection, we just won't send anything over it."

https://forums.checkpoint.com/forums/thread.jspa?messageID=13432

boldin
2009-09-12, 18:59
This is also a pretty common topic on other web servers. Things like Nessus and Qualys will pick it up and then you would typically have to document that it is not allowed for the audit trail.

One problem lies in that most web servers are set up this way, at least at my organization, and it requires a lot of extra work on the part of the security team to test each site and document findings.

I'm pushing to have this test and documentation portion of the work done by the web guru group and offload it from security. At this time, we have got support for this when the project is completed and the system goes live, but if a vuln pops after the project is live and it is in maintenance mode so to speak, it typically falls on security.

armando.ferreira
2009-09-13, 13:52
Thank you, Boldin and Tomama.
I still have a report from an "Approved Scanning Vendor", and I have to pay a lot for these quarterly reports, that says "PCI FAILED" on my CheckPoint UTM-1 Total Security 570. Now, on the next visit of the Visa/MasterCard auditor, I know for sure he/she will ask for that report and is going to pick up that "non compliance". Is there a workaround to disable weak ciphers like DES? Some editing of mod_ssl, httpd.conf or ssl.conf, if they exist on SPLAT?

boldin
2009-09-13, 17:47
Please see this thread (http://www.cpug.org/forums/ssl-network-extender/3745-sslv2-vulnerability.html).

No answers for you on disabling it, but you are in the same boat as many others.

Pneuma
2010-08-24, 07:55
Resurrection Apology:

I have successfully disabled weak crypto and sslv2 by putting the following options in the ssl.conf dir in /opt/CPIntegrity/apache2/conf/ssl.conf:

!SSLv2:!EXPORT40

This has allowed our PCI report to bypass the Weak Crypto error, but I am still in the same boat regarding Tomcat.

Note: this does not survive hotfixes, HFAs and upgrades obviously!

I will be labbing a server and using Tomcat's newer binaries to overwrite the ones that come with R71, will feedback if I have any luck.

hotice_
2010-08-24, 09:58
Resurrection Apology:

I have successfully disabled weak crypto and sslv2 by putting the following options in the ssl.conf dir in /opt/CPIntegrity/apache2/conf/ssl.conf:

!SSLv2:!EXPORT40

This has allowed our PCI report to bypass the Weak Crypto error, but I am still in the same boat regarding Tomcat.

Note: this does not survive hotfixes, HFAs and upgrades obviously!

I will be labbing a server and using Tomcat's newer binaries to overwrite the ones that come with R71, will feedback if I have any luck.

This is actually very good stuff. I'll try it in our lab and have a tool scan.

Thanks

Pneuma
2010-08-25, 03:51
This is actually very good stuff. I'll try it in our lab and have a tool scan.

Thanks
Sorry, I forgot to mention you must disable the LOW and NULL cryptos too, and I'd also suggest disabling MEDIUM if you want to be pedantic.

So in the end my firewall's config is something like:

SSLCipherSuite !ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXP:!eNULL

A quick and simple tool to test the ciphers is one I found on the website below: it's a Perl script; you simply put your server's address and an optional port number on the command line and it returns the cipher details to you.

Unspecific.com (http://www.unspecific.com/ssl/)
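As an added example (not code from this thread, from Check Point, or from the Unspecific.com tool), the following simplified evaluator applies OpenSSL's SSLCipherSuite rules (bare word adds, "-" drops, "+" only reorders, "!" drops permanently, "A+B" means A and B) to the two cipher strings posted in this thread, using a small constructed cipher catalog whose strength classes are illustrative. Under this model the second string ends up with no suite enabled, because "+HIGH" moves suites but adds none; whatever the model says, the real result of any string should be checked with `openssl ciphers -v '<string>'` on the box itself.

```python
# Added example (not from the thread): simplified evaluator for OpenSSL-style
# SSLCipherSuite strings over a constructed catalog. Confirm real strings with
# `openssl ciphers -v '<string>'`; this model omits ALL ordering and @STRENGTH.
from typing import Dict, List, Set

# Constructed catalog: suite name -> property tags in OpenSSL vocabulary.
# Strength classes are illustrative (RC4-128 is MEDIUM, 3DES/AES are HIGH).
CATALOG: Dict[str, Set[str]] = {
    "NULL-MD5":       {"eNULL", "RSA", "MD5", "SSLv3"},
    "EXP-RC4-MD5":    {"EXP", "EXPORT40", "RC4", "RSA", "MD5", "SSLv3"},
    "DES-CBC-SHA":    {"LOW", "DES", "RSA", "SHA", "SSLv3"},
    "RC4-MD5":        {"MEDIUM", "RC4", "RSA", "MD5", "SSLv3"},
    "RC4-SHA":        {"MEDIUM", "RC4", "RSA", "SHA", "SSLv3"},
    "DES-CBC3-SHA":   {"HIGH", "3DES", "RSA", "SHA", "SSLv3"},
    "AES128-SHA":     {"HIGH", "AES", "RSA", "SHA", "SSLv3"},
    "ADH-AES128-SHA": {"HIGH", "AES", "ADH", "aNULL", "SHA", "SSLv3"},
    "RC4-64-MD5":     {"LOW", "RC4", "RSA", "MD5", "SSLv2"},
}

def _matches(tags: Set[str], word: str) -> bool:
    if word == "ALL":                    # everything except null-encryption suites
        return "eNULL" not in tags
    return word in tags

def evaluate(spec: str, catalog: Dict[str, Set[str]] = CATALOG) -> List[str]:
    """Return the suites enabled by an SSLCipherSuite string, in preference order."""
    enabled: List[str] = []
    killed: Set[str] = set()             # '!' removals are permanent
    for item in spec.replace(",", ":").replace(" ", ":").split(":"):
        if not item:
            continue
        op = item[0] if item[0] in "!-+" else ""
        words = item[len(op):].split("+")  # "RC4+RSA" = suites that are RC4 AND RSA
        hits = [n for n, t in catalog.items() if all(_matches(t, w) for w in words)]
        if op == "":                     # add new matching suites to the end
            enabled += [n for n in hits if n not in enabled and n not in killed]
        elif op == "-":                  # drop, but a later item may re-add
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":                  # reorder only: move matches to the end
            enabled = [n for n in enabled if n not in hits] + [n for n in enabled if n in hits]
        else:                            # '!': drop and forbid re-adding
            killed.update(hits)
            enabled = [n for n in enabled if n not in hits]
    return enabled

if __name__ == "__main__":
    for s in ("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
              "!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXP:!eNULL"):
        print(s, "->", evaluate(s) or "no suites enabled")
```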