The first network security scan on our Netvanta 3448 failed the PCI DSS Compliance requirements. Firmware reports version 18.03.01.00, device part number is 1200821E1 and we have about 20 of these devices configured the same way so if we can fix one, we can fix them all. I have disabled SNMP, FTP, SFTP, Telnet, HTTP and enabled HTTPS TLSv3. No secure copy server. Only access to unit configured is HTTPS port 443 and SSH port 22.
Compliance failures are listed below:
THREAT:
The remote service supports the use of weak and medium SSL ciphers.
RESULT:
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (<= 64-bit key)
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1, etc.
I FIXED THIS by removing the weak and medium SSL cipher entries.
no http secure-ciphersuite des-cbc-sha and so on. there were six I needed to get rid of.
THREAT:
The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.
SOLUTION:
Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.
RESULT:
Vulnerable connection combinations :
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_DES_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : SSLv3
Cipher suite : TLS1_CK_DHE_RSA_WITH_DES_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : SSLv3
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : SSLv3
Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : SSLv3
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Logjam attack difficulty : Hard (would require nation-state resources)
I have seen references for Diffie-Hellman group 1 or 2 but don't see anywhere to change Diffie-Hellman settings, add a group or ???.
I'm really lost on this one. Since I disabled HTTP and enabled HTTPS TLSv3 will this go away? I used this command:
KNXAH(config)#http secure-server
THREAT:
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
RESULT:
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :
|-Subject : C=US/ST=AL/L=Huntsville/O=ADTRAN, Inc./CN=NetVanta/E=tech.support@adtran.com
SOLUTION:
Purchase or generate a proper certificate for this service.
IMPACT:
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL
as anyone could establish a man-in-the-middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
I'm at a total loss here on what to do. Can we buy a certificate and load it on the 3448? Does Adtran have an actual certificate authority that is recognized?
THREAT:
It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
SOLUTION:
Disable SSLv3.
Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.
IMPACT:
The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles
padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.
MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly
created SSL 3.0 connections.
As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer is supported by the client and service.
RESULT:
Nessus determined that the remote server supports SSLv3 with at least one CBC
cipher suite, indicating that this server is vulnerable.
It appears that TLSv1 or newer is supported on the server. However, the
Fallback SCSV mechanism is not supported, allowing connections to be "rolled
back" to SSLv3.
Again I'm at a loss to where this can be accomplished.
These are the major issues with our PCI Compliance. I believe if we can fix these I can figure out the rest - or make another post.
Thank YOU for ANY help with these problems.
John Michael
P.S. I DID a security Scan on the unit through the GUI and here are the results:
LOW Banner Login/Exec banner not set
MEDIUM Logging Not enabled
LOW Enable Password MD5 encryption is not enabled
HIGH Policy-Class Interfaces using default policy-class
MEDIUM Password Service password encryption not enabled
HIGH Password Weak Passwords
HIGH Password Duplicate Passwords
HIGH Session Timeout Console timeout >= 15 minutes
HIGH Session Timeout SSH 0 timeout >= 15 minutes
HIGH Session Timeout SSH 1 timeout >= 15 minutes
HIGH Session Timeout SSH 2 timeout >= 15 minutes
HIGH Session Timeout SSH 3 timeout >= 15 minutes
HIGH Session Timeout SSH 4 timeout >= 15 minutes
--------------------------------------------------------------------------------
**DETAIL**
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
BANNER:
--------------------------------------------------------------------------------
* Neither a login or exec banner has been set. This is not a security risk.
However, it is recommended that a banner be displayed when a user attempts to
login. This banner will warn of the legal consequences of gaining unauthorized
access to the unit.
Banner Example:
Unauthorized access prohibited.
Authorized access only.
User logins are monitored and unauthorized access will result in criminal
prosecution. This system is the property of [YOUR COMPANY NAME]
Disconnect IMMEDIATELY if you are not an authorized user!
--------------------------------------------------------------------------------
LOGGING:
--------------------------------------------------------------------------------
* Neither Syslog, or TACACs+ accounting have been enabled. For security
reasons user login activity should be logged.
--------------------------------------------------------------------------------
ENABLE PASSWORD:
-----------------------------------------------------------------------------
* The enable password is not set for MD5 encryption. MD5 encryption is more
secure than standard password encryption.
--------------------------------------------------------------------------------
POLICY-CLASS:
--------------------------------------------------------------------------------
* The following interfaces are enabled but do not have a policy-class
assigned. Not having a policy-class assigned will leave the interface open to
attack.
* tunnel 25
--------------------------------------------------------------------------------
PASSWORDS / KEYS:
--------------------------------------------------------------------------------
* Service password encryption is not enabled.
* Passwords should be at least 7 characters and have both alphabetic and
numeric characters. Some passwords are considered weak if they match default
passwords or contain common sequences. For example Qwerty123 is considered a
weak password even though it contains both numeric and alphabetic characters.
The following weak passwords were found:
* pgftn
* interbella
* Each user should have a unique password. The following passwords
are duplicated:
* pgftn
--------------------------------------------------------------------------------
SESSION TIMEOUT:
--------------------------------------------------------------------------------
* The following sessions have timeout values of 15 minutes or greater. Long
session timeouts may allow your system to be compromised. To increase
security, set the timeout value to less than 15 minutes.
* Console
* SSH 0
* SSH 1
* SSH 2
* SSH 3
* SSH 4
I can address these but I don't think they have anything to do with the other threats.
Message was edited by: JOHN MICHAEL