11-01-2013 07:02 AM
We have had a security test run against our servers and got back a result that some HP DL380 servers have the SSL Server Allows Anonymous Authentication Vulnerability issue on port 2381. We have found that the only SSL-capable application on port 2381 is the HP System Management Homepage. Does any of you have an idea how to fix this issue and what the root cause is? The version of HP System Management Homepage is 220.127.116.11 and there is an update to version 18.104.22.168. I want to ask before I proceed with the update, to find out whether the update fixes this or it is just a configuration issue. Thanks for any reply.
03-21-2014 05:58 AM
The same for us ;-(
We have been informed by our information security team that our servers are failing scans due to "SSL Server Allows Anonymous Authentication Vulnerability".
The following additional information is provided:
"The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.
A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack."
Solution: Disable support for anonymous authentication.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
I am running SMH 22.214.171.124 (Win64) OpenSSL/1.0.1e PHP/5.5.2
Has anyone else run into this?
We would appreciate any help!
03-24-2014 01:27 AM
We have already found a solution for this issue when running SMH on Windows. The thing is to allow only SSL ciphers that do not allow anonymous key exchange, the “RC4” cipher for example. You can read more about this in the HP SMH documentation (http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na
Our steps to get rid of this issue were the following:
1) navigate to installation directory of HP SMH. Default is C:\hp\hpsmh\bin on Windows
2) Modify the SSL cipher suite by running command "smhconfig.exe -Z 'RC4-SHA'"
3) Restart the HP WEB server by running command "smhconfig.exe -r"
Hope that helps.
03-25-2014 11:39 PM
Thanks for your explanation. Your three steps solved our vulnerability problem with HP SMH ;-)
03-27-2014 11:19 AM
Qualys triggered SSL Server Allows Anonymous Authentication Vulnerability on port 2381 (QID 38142) on a Linux RHEL-5.9 server. I see the latest hpsmh version (7.3.1-4, 18 Feb 2014) for Linux on the HP website, but I don't see that a fix for this vulnerability is part of this package (no info on the Release Notes/Enhancements tab). Can you let me know before I upgrade the hpsmh package to 7.3.1-4?
04-11-2014 01:03 PM
Do I need to log into each of my servers that has the HP System Management Homepage and run your 3 steps, or is this only done on my HP SIM server?
04-13-2014 10:33 AM
Hi, you have to run this on every server running HP System Management Homepage. You can use a tool like PSExec to do the job if your environment is the same, or run a more complex script if not.
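The three smhconfig.exe steps from the 03-24-2014 post, rolled out to a list of Windows SMH hosts as the 04-13-2014 reply suggests, as an added example that is not from the thread or from HP. It assumes PowerShell Remoting (WinRM) is enabled on the targets, an account with local admin rights, the default install path from the thread, and a constructed input file `smh-servers.txt` with one hostname per line.

```powershell
# Added example, not part of the original thread. Assumed input file: one hostname per line.
$servers = Get-Content .\smh-servers.txt
$smhBin  = 'C:\hp\hpsmh\bin'   # default SMH path named in the thread
# Cipher suite used in the thread. It excludes anonymous (aNULL) key exchange, which is the
# point of the fix; note that RC4 itself is considered weak today (RFC 7465), so prefer a
# stronger non-anonymous suite if your SMH/OpenSSL build supports one.
$cipher  = 'RC4-SHA'

$results = Invoke-Command -ComputerName $servers -ArgumentList $smhBin, $cipher -ScriptBlock {
    param($bin, $suite)
    $exe = Join-Path $bin 'smhconfig.exe'
    if (-not (Test-Path $exe)) {
        # No SMH at the default path: report it instead of silently skipping the host.
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; SetCipherExit = $null; RestartExit = $null; Note = 'smhconfig.exe not found' }
    }
    # Step 2 from the thread: restrict the SSL cipher suite.
    & $exe -Z $suite | Out-Null
    $setExit = $LASTEXITCODE
    # Step 3 from the thread: restart the SMH web server so the new suite takes effect.
    & $exe -r | Out-Null
    $restartExit = $LASTEXITCODE
    [pscustomobject]@{ Server = $env:COMPUTERNAME; SetCipherExit = $setExit; RestartExit = $restartExit; Note = '' }
}

# Non-zero exit codes or a Note mark hosts that still need a manual look.
$results | Sort-Object Server | Format-Table Server, SetCipherExit, RestartExit, Note -AutoSize
```

Afterwards, re-run the scanner against port 2381, or check from a host with OpenSSL using `openssl s_client -connect <server>:2381 -cipher aNULL`, which should now fail the handshake on every fixed server.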