Nessus Scan shows medium & Low severity security issue with Access Manager 3.2 Access Gateway

  • 7010833
  • 26-Sep-2012
  • 09-Sep-2013

Environment

NetIQ Access Manager 3.2
Nessus Security Scan run against Access Gateway component

Situation

As part of a security benchmark, a Nessus Security Scan was run against the Access Manager components, and the following medium-severity finding was reported against the Access Gateway:

SSL Anonymous Cipher Suites Supported (Plugin ID: 31705)
Risk Factor: Medium
CVE: CVE-2007-1858
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: 3.6 (CVSS2#E:F/RL:OF/RC:C)
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.

Resolution

Disable the cipher suites that use the anonymous Diffie-Hellman key exchange by editing the "Advanced Options" for the proxy in iManager. This can be done globally (Devices -> Access Gateways -> Configuration Edit -> Content Settings / Advanced Options) or per proxy service (Servers -> Configuration -> <service name> -> Advanced Options). The new directives should look like:

SSLCipherSuite SSLV3:TLSv1:!NULL:+HIGH:-EXPORT40:-EXPORT56:-MEDIUM:-LOW:!ADH
SSLProxyCipherSuite SSLV3:TLSv1:!NULL:+HIGH:-EXPORT40:-EXPORT56:-MEDIUM:-LOW:!ADH

The !ADH exclusion will also be added to the 3.2 SP1 code base by default, so that cipher suites using the anonymous Diffie-Hellman key exchange are disabled out of the box. The mod_ssl documentation at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite describes these setting options in more detail.
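To see why the fix is specifically "!ADH" rather than "-ADH", it helps to walk through how mod_ssl (via OpenSSL) evaluates a cipher string: plain words add suites, "+" moves matching suites to the end, "-" removes them but lets a later word add them back, and "!" removes them permanently. The following is an added example, not code from NetIQ or from the KB article: a small Python evaluator for that syntax, run over a constructed subset of OpenSSL suite names whose key-exchange, authentication and strength attributes follow OpenSSL's own classification. Keywords are matched case-insensitively and the @STRENGTH sort is not implemented; these are assumptions of the example, not guarantees about the real OpenSSL parser.

```python
"""Evaluate OpenSSL-style cipher strings (as used by mod_ssl's SSLCipherSuite)
against a small constructed cipher table, to show the effect of appending !ADH.
Added example; the table is a hand-picked subset, not the full OpenSSL list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str      # OpenSSL suite name
    kx: str        # key exchange: "RSA" or "DH"
    auth: str      # authentication: "RSA", or "None" for anonymous suites
    enc: str       # bulk cipher, "None" for the NULL (no-encryption) suites
    strength: str  # OpenSSL strength class: HIGH, MEDIUM, LOW, EXPORT40, EXPORT56, NULL


# Constructed subset of real OpenSSL suite names with their OpenSSL attributes.
CIPHERS = [
    Cipher("AES256-SHA", "RSA", "RSA", "AES256", "HIGH"),
    Cipher("AES128-SHA", "RSA", "RSA", "AES128", "HIGH"),
    Cipher("DHE-RSA-AES256-SHA", "DH", "RSA", "AES256", "HIGH"),
    Cipher("ADH-AES256-SHA", "DH", "None", "AES256", "HIGH"),
    Cipher("ADH-AES128-SHA", "DH", "None", "AES128", "HIGH"),
    Cipher("RC4-MD5", "RSA", "RSA", "RC4", "MEDIUM"),
    Cipher("ADH-RC4-MD5", "DH", "None", "RC4", "MEDIUM"),
    Cipher("EXP-RC4-MD5", "RSA", "RSA", "RC4(40)", "EXPORT40"),
    Cipher("NULL-SHA", "RSA", "RSA", "None", "NULL"),
]

# The directives from the article, with and without the !ADH exclusion.
WITHOUT_ADH = "SSLV3:TLSv1:!NULL:+HIGH:-EXPORT40:-EXPORT56:-MEDIUM:-LOW"
WITH_ADH = WITHOUT_ADH + ":!ADH"


def _matches(cipher, keyword):
    """Does one cipher-string keyword (alias or suite name) select this cipher?"""
    k = keyword.upper()  # simplification: real OpenSSL is stricter about case
    if k in ("ALL", "SSLV3", "TLSV1"):
        return True  # every suite in the table is an SSLv3/TLSv1-era suite
    if k in ("NULL", "ENULL"):
        return cipher.enc == "None"
    if k == "ANULL":
        return cipher.auth == "None"
    if k == "ADH":  # anonymous Diffie-Hellman: DH key exchange, no authentication
        return cipher.kx == "DH" and cipher.auth == "None"
    if k in ("HIGH", "MEDIUM", "LOW", "EXPORT40", "EXPORT56"):
        return cipher.strength == k
    if k == "EXPORT":
        return cipher.strength.startswith("EXPORT")
    if k == "KRSA":
        return cipher.kx == "RSA"
    if k == "ARSA":
        return cipher.auth == "RSA"
    if k in ("KEDH", "KDHE"):
        return cipher.kx == "DH"
    return cipher.name.upper() == k  # otherwise treat the word as a suite name


def evaluate(cipher_string):
    """Return the ordered list of suite names a cipher string selects."""
    selected = []
    killed = set()  # suites removed with "!" can never be re-added
    for rule in cipher_string.split(":"):
        if not rule:
            continue
        op = rule[0] if rule[0] in "+-!" else ""
        # "a+b" inside a word means both criteria must hold
        criteria = rule[len(op):].split("+")
        hits = [c for c in CIPHERS if all(_matches(c, k) for k in criteria)]
        names = {c.name for c in hits}
        if op == "!":
            killed.update(names)
            selected = [c for c in selected if c.name not in killed]
        elif op == "-":
            selected = [c for c in selected if c.name not in names]
        elif op == "+":  # move matching suites to the end, keeping their order
            selected = ([c for c in selected if c.name not in names]
                        + [c for c in selected if c.name in names])
        else:
            for c in hits:
                if c.name not in killed and c not in selected:
                    selected.append(c)
    return [c.name for c in selected]


def anonymous_suites(names):
    """Names from a selection that offer no server authentication (the Nessus finding)."""
    by_name = {c.name: c for c in CIPHERS}
    return [n for n in names if by_name[n].auth == "None"]


def directive_value(line):
    """Extract the cipher string from an 'SSLCipherSuite <string>' directive line."""
    return line.split(None, 1)[1].strip()


if __name__ == "__main__":
    for label, s in (("without !ADH", WITHOUT_ADH), ("with !ADH", WITH_ADH)):
        sel = evaluate(s)
        print(f"{label}: {sel}; anonymous: {anonymous_suites(sel)}")
```

Appending ":ADH" after ":!ADH" changes nothing, because "!" is permanent; appending ":-ADH:ADH" instead silently brings the anonymous suites back. That is the property a reviewer should check before accepting a cipher string as a remediation, and it is the reason the article uses "!ADH".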

Cause

The SSLCipherSuite and SSLProxyCipherSuite directives shipped with Access Gateway 3.2 do not include the !ADH exclusion shown in the Resolution, so cipher suites using the anonymous Diffie-Hellman key exchange (which provide no server authentication) remain enabled and are reported by Nessus plugin 31705.