Environment
NetIQ Access Manager 3.2
Nessus Security Scan run against Access Gateway component
Situation
As part of a security benchmark, a Nessus Security Scan was run against the Access Manager components, and the following medium-severity finding was reported against the Access Gateway:

SSL Anonymous Cipher Suites Supported (Plugin ID: 31705)
Risk Factor: Medium
CVE: CVE-2007-1858
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: 3.6 (CVSS2#E:F/RL:OF/RC:C)
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Resolution
Disable the cipher suites that use the anonymous Diffie-Hellman key exchange by editing the "Advanced Options" for the proxy in iManager. This can be done globally or per proxy service: Devices -> Access Gateways -> Configuration Edit -> Content Settings / Advanced Options (globally), or Servers -> Configuration -> <service name> -> Advanced Options (per proxy service). SSLCipherSuite governs the browser-facing listener; SSLProxyCipherSuite governs the SSL connections the gateway itself opens to the protected origin web servers, so both should carry the !ADH exclusion. The directives should look like:

SSLCipherSuite SSLV3:TLSv1:!NULL:+HIGH:-EXPORT40:-EXPORT56:-MEDIUM:-LOW:!ADH
SSLProxyCipherSuite SSLV3:TLSv1:!NULL:+HIGH:-EXPORT40:-EXPORT56:-MEDIUM:-LOW:!ADH

The !ADH exclusion will also be added to the default configuration in the 3.2 SP1 code base, so that the cipher suites with the anonymous Diffie-Hellman key exchange are disabled out of the box. The Apache mod_ssl documentation at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite describes the cipher specification syntax used by these directives.
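The following shell script is an added example for verifying the change from a client machine; it is not part of the NetIQ TID or the Access Gateway itself. It assumes the openssl command-line tool is installed, and the host name ag.example.com is a placeholder. The idea is to offer the gateway only anonymous suites (OpenSSL's aNULL alias): if the handshake succeeds, the listener still accepts ADH and the !ADH change has not taken effect.

```shell
#!/bin/sh
# Added example (not from the NetIQ TID): check from a client that an
# Access Gateway refuses anonymous Diffie-Hellman suites after !ADH is set.
# Assumes the openssl CLI is installed; ag.example.com is a placeholder.

# Extract the negotiated cipher name from captured `openssl s_client` output.
# s_client prints "Cipher    : <name>" in its session summary; a failed
# handshake shows "0000" there (and "(NONE)" on the "New, ..." line).
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Classify a cipher name as anonymous (encryption without server
# authentication). Covers the OpenSSL names (ADH-*, AECDH-*) and the IANA
# names that some scanners print.
is_anon_cipher() {
    case "$1" in
        ADH-*|AECDH-*|TLS_DH_anon_*|TLS_ECDH_anon_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Offer the gateway only anonymous suites. Success means the listener still
# negotiates ADH; a refused handshake means the !ADH exclusion is effective.
check_gateway_anon() {
    host=$1
    port=${2:-443}
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
            -servername "$host" -cipher 'aNULL' 2>&1)
    cipher=$(negotiated_cipher "$out")
    if is_anon_cipher "$cipher"; then
        printf 'FAIL: %s:%s negotiated anonymous suite %s\n' "$host" "$port" "$cipher"
        return 1
    fi
    printf 'OK: %s:%s refused all anonymous suites\n' "$host" "$port"
    return 0
}

# Constructed s_client fragments (not real captures) showing both outcomes:
# the default configuration accepting ADH, and the fixed one refusing it.
SAMPLE_BEFORE='New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA'
SAMPLE_AFTER='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Walk the constructed samples through the same classification the live
# check uses. Against a real gateway run: check_gateway_anon ag.example.com 443
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    c=$(negotiated_cipher "$sample")
    if is_anon_cipher "$c"; then
        echo "anonymous suite negotiated: $c"
    else
        echo "no anonymous suite negotiated (cipher field: $c)"
    fi
done
```

Run check_gateway_anon against each proxy service listener, and against the origin web servers the gateway proxies to if those are also in scope, once the configuration has been applied to the gateway; a clean result here should be confirmed by re-running the Nessus scan so that plugin 31705 no longer fires. The cipher string itself can also be inspected locally with `openssl ciphers -v '<string>'`, which lists every suite the string expands to; after adding !ADH no ADH entries should appear in that list.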
Cause
The default SSLCipherSuite and SSLProxyCipherSuite strings on the Access Gateway (prior to 3.2 SP1) do not exclude the anonymous Diffie-Hellman (ADH) suites, so the gateway will negotiate them with any client that offers them. ADH suites encrypt the session but provide no server authentication: no certificate is verified, so an attacker positioned on the network between the client and the gateway can intercept the connection without presenting a valid certificate. Nessus plugin 31705 reports a listener that accepts any such suite, whatever the key length.