Contributor
Posts: 23
Registered: ‎03-08-2007

BNA RC4

Brocade Security Advisory ID: BSA-2015-007

states BNA is affected by CVE-2015-2808, and the current assessment is to disable RC4 related ciphers in the cipher list
to remove the vulnerability.

Can anyone tell me the procedure to do this please?

Thank you
Martin
Brocadian
Posts: 88
Registered: ‎06-29-2015

Re: BNA RC4

One method is to edit jboss/standalone/configuration/standalone-dcm.xml. Find the line starting with "<ssl name="dcmserverstore".

Add something like this before the closing tag:

cipher-suite="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA"

Then restart BNA. That will limit the allowed ciphers to only those shown. This may cause issues with browser support. If you're running up-to-date browsers, you'll be OK. If you're running older client OSes/browsers, you'll have problems (but then you've got lots of other problems anyway).

There are a few notes on JBoss config here: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-6.4/how-to-configure-server-security#ssl_connector_reference
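The edit described in this answer, as an added example that is not part of the thread: a standard-library Python script that reads the web subsystem from standalone-dcm.xml, reports whether cipher-suite is pinned on the <ssl> element and whether any RC4 suite remains, and writes the attribute with the RC4-free list. The sample XML embedded in it is constructed from the fragments posted in this thread; the namespace urn:jboss:domain:web:1.4 and the suite names are taken from the posts, and the file path is assumed to be the one given above.

```python
# Added example, not the thread's own code: audit/patch the JBoss <ssl> cipher-suite attribute.
import io
import xml.etree.ElementTree as ET

WEB_NS = "urn:jboss:domain:web:1.4"  # namespace of the subsystem pasted in the thread

# The suites used in the thread's lab test (AES256-SHA included).
SAFE_SUITES = (
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
)

# Constructed sample of the web subsystem before the fix: no cipher-suite attribute,
# so the JRE defaults apply and RC4-SHA is offered (as the first sslscan run showed).
SAMPLE_BEFORE = f"""<subsystem xmlns="{WEB_NS}" default-virtual-server="default-host" native="false">
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="dcmserverstore" key-alias="dcmserver" password="${{javax.net.ssl.keyStorePassword}}"
         certificate-key-file="${{dcm.home.dir}}/conf/security/keystore.jks"/>
  </connector>
</subsystem>"""

def _parse(xml_text):
    # Register the namespaces declared in the input so serialisation keeps the
    # original prefixes (the default xmlns stays a default xmlns, not ns0:).
    for _, (prefix, uri) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)):
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(xml_text)
    ssl_el = root.find(f".//{{{WEB_NS}}}ssl")
    if ssl_el is None:
        raise ValueError("no <ssl> element found in the web subsystem")
    return root, ssl_el

def audit(xml_text):
    """Return (explicit, rc4_suites): explicit is True when cipher-suite is set at all;
    rc4_suites lists configured suites that still use RC4 (empty when none)."""
    _, ssl_el = _parse(xml_text)
    value = ssl_el.get("cipher-suite")
    if value is None:
        return False, []  # nothing pinned: the JRE default list decides, RC4 included
    suites = [s.strip() for s in value.split(",") if s.strip()]
    return True, [s for s in suites if "RC4" in s.upper()]

def patch(xml_text, suites=SAFE_SUITES):
    """Return the XML with cipher-suite pinned to an explicit, RC4-free list."""
    root, ssl_el = _parse(xml_text)
    ssl_el.set("cipher-suite", ",".join(suites))
    return ET.tostring(root, encoding="unicode")
```

To apply it to a real server, read the whole standalone-dcm.xml, write patch()'s output back, and restart BNA; the audit() check is the quick way to confirm the attribute actually landed on the <ssl> element before re-running the scanner.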

Contributor
Posts: 23
Registered: ‎03-08-2007

Re: BNA RC4

Hi Lindsay

The IBM security vulnerability page (http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005391) says CVE-2015-2808 is fixed in version 12.4.2.

So I installed Network Advisor 12.4.2 and reran the Nessus scan, but the vulnerability is still detected.

I applied the fix you mentioned on the 12.4.2 code (hopefully I did this correctly!) and restarted the server, then reran the Nessus scan, and the vulnerability is still identified.

<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="${jboss.web.https.port:8443}"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="dcmserverstore" key-alias="dcmserver" password="${javax.net.ssl.keyStorePassword}" certificate-key-file="${dcm.home.dir}/conf/security/keystore.jks"
             cipher-suite="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="false">
        <alias name="localhost"/>
        <alias name="dcm-server"/>
    </virtual-server>
</subsystem>

Is there something I haven't done correctly?

 

cheers

Martin

Brocadian
Posts: 88
Registered: ‎06-29-2015

Re: BNA RC4

My understanding is that one fix for the issue is to upgrade the JRE to 1.7u85. That changes the default allowed ciphers to remove RC4. (You can still go and explicitly enable it). But the default Brocade BNA 12.4.2 ships with JRE 1.7u80. The IBM version may be modified - either to change the JRE, or to change the configuration.

I just ran some tests with my lab system. This is a fairly vanilla Brocade version 12.4.2 install. With default settings, I used sslscan to check the allowed ciphers. I got this result:

lhill@ubuntu:~$ sslscan --tls1 192.168.166.148:443|grep Accepted
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
lhill@ubuntu:~$

I then made these changes to standalone-dcm.xml:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="dcmserverstore" key-alias="dcmserver" password="${javax.net.ssl.keyStorePassword}" certificate-key-file="${dcm.home.dir}/conf/security/keystore.jks" cipher-suite="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA"/>
</connector>

(Note I've added an extra cipher in there for AES256/SHA).

I then re-started BNA, and re-ran the sslscan tests:

lhill@ubuntu:~$ sslscan --tls1 192.168.166.148:443|grep Accepted
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
lhill@ubuntu:~$

So no more RC4 in there. You can also test this with a one-off test with OpenSSL:

lhill$ openssl s_client -cipher "RC4-SHA" -connect 192.168.166.148:443
CONNECTED(00000003)
10036:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593:
lhill$

(I didn't show it here, but that test succeeded prior to making the config changes.)

What ciphers does Nessus report BNA is running?

Contributor
Posts: 23
Registered: ‎03-08-2007

Re: BNA RC4

Lindsay

Thank you for your reply, as this has helped me resolve my issue.

I used your post to show the RC4 alerts were resolved having applied your fix. What my scan also picked up on was RC4 alerts for Terminal Services, which the Windows team here have now resolved.

Many thanks

Martin

Brocadian
Posts: 88
Registered: ‎06-29-2015

Re: BNA RC4

Good to hear. Thanks for following up.
