HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue (1155 Views)
Visitor
DK79
Posts: 3
Registered: ‎11-01-2013
Message 1 of 7 (1,155 Views)

HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Hi all,

we have had a security test run against our servers and got back a result on some HP DL380 servers that they have the "SSL Server Allows Anonymous Authentication Vulnerability" issue on port 2381. We have found that the only SSL-capable application on port 2381 is the HP System Management Homepage. Does any of you have an idea how to fix this issue and what the root cause is? The version of HP System Management Homepage is 7.2.0.14 and there is an update to version 7.2.1.13. I want to ask before I proceed with the update, to find out whether the update fixes this or it is just a configuration issue. Thanks for any reply.

Occasional Visitor
SDL-Admin
Posts: 2
Registered: ‎03-21-2014
Message 2 of 7 (941 Views)

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

The same for us ;-(

We have been informed by our information security team that our servers are failing scans due to "SSL Server Allows Anonymous Authentication Vulnerability".

The following additional information is provided:

Diagnosis:

"The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack."

Solution: Disable support for anonymous authentication.

For Apache:

   Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

   SSLProtocol -ALL +SSLv3 +TLSv1
   SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):

   SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

I am running SMH 7.3.0.9 (Win64) OpenSSL/1.0.1e PHP/5.5.2

Has anyone else run into this?

We would appreciate any help!

Thanks,

SDL-Admin

Visitor
DK79
Posts: 3
Registered: ‎11-01-2013
Message 3 of 7 (933 Views)

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Hi,

we have already found a solution for this issue running the SMH on Windows. The thing is to allow only SSL ciphers that do not allow anonymous key exchange. It is the "RC4" cipher, for example. You can read more about this in the HP SMH documentation (http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c02779581-2.pdf).

Our steps to get rid of this issue were the following:

1) Navigate to the installation directory of HP SMH. The default is C:\hp\hpsmh\bin on Windows.
2) Modify the SSL cipher suite by running the command "smhconfig.exe -Z 'RC4-SHA'".
3) Restart the HP web server by running the command "smhconfig.exe -r".

Hope that helps,

David

Occasional Visitor
SDL-Admin
Posts: 2
Registered: ‎03-21-2014
Message 4 of 7 (917 Views)

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Hi David,

Thanks for your explanation. Your three steps solved our vulnerability problem with HP SMH ;-)

BR,

Occasional Visitor
Rachamadagu
Posts: 1
Registered: ‎03-27-2014
Message 5 of 7 (894 Views)

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Qualys triggered "SSL Server Allows Anonymous Authentication Vulnerability" on port 2381 (QID 38142) on a Linux RHEL 5.9 server. I see the latest hpsmh version (Version: 7.3.1-4 (18 Feb 2014)) for Linux on the HP website, but I don't see that a fix for this vulnerability is part of this package (no info on the Release notes/Enhancement tab). Can you let me know before I upgrade the hpsmh package to 7.3.1-4?

Occasional Advisor
sungminjin
Posts: 11
Registered: ‎12-06-2013
Message 6 of 7 (815 Views)

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

David,

do I need to log into each of my servers that has the HP System Management Homepage and run your 3 steps, or is this only done on my HP SIM server?

Thanks.

Visitor
DK79
Posts: 3
Registered: ‎11-01-2013
Message 7 of 7 (801 Views)

Re: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue

Hi, you have to run this on every server running HP System Management Homepage. You can use a tool like PSExec to do the job if your environment is the same everywhere, or run a more complex script if not.
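The rollout described in message 7, applied to the three smhconfig.exe steps from message 3, as an added example that is not part of this thread and not HP's code: it runs the same two smhconfig.exe commands on each listed server over PowerShell Remoting (Invoke-Command) in place of PSExec, collects one result record per host, and checks that the SMH listener on port 2381 is back after the restart. Assumed, not from the thread: WinRM is enabled and the account has administrator rights on every host, SMH is installed in the default C:\hp\hpsmh\bin path, smhconfig.exe returns exit code 0 on success, and Test-NetConnection is available (Windows 8 / Server 2012 or later). The $ComputerName, $CipherSuite and $SmhBin parameter names are this script's own.

```powershell
<#
  Added example, not from the thread or from HP: apply the smhconfig.exe cipher change
  (message 3) to many SMH hosts at once (message 7) over PowerShell Remoting.
  Assumptions: WinRM enabled, administrator rights on each host, SMH installed in the
  default C:\hp\hpsmh\bin path, and an smhconfig.exe exit code of 0 meaning success.
#>
param(
    [Parameter(Mandatory)]
    [string[]]$ComputerName,                 # hosts running HP System Management Homepage
    [string]$CipherSuite = 'RC4-SHA',        # value used in message 3 of the thread
    [string]$SmhBin      = 'C:\hp\hpsmh\bin' # default install directory per message 3
)

# Runs on each remote host and returns one record per host so results can be reviewed together.
$applyCipherSuite = {
    param([string]$SmhBin, [string]$CipherSuite)

    $exe = Join-Path -Path $SmhBin -ChildPath 'smhconfig.exe'
    if (-not (Test-Path -Path $exe)) {
        return [pscustomobject]@{
            Host = $env:COMPUTERNAME; SetCipherRC = $null; RestartRC = $null
            Status = "smhconfig.exe not found under $SmhBin"
        }
    }

    # Step 2 from message 3: restrict SMH to the given cipher suite string.
    & $exe -Z $CipherSuite | Out-Null
    $setRc = $LASTEXITCODE

    # Step 3 from message 3: restart the SMH web server so the change takes effect.
    & $exe -r | Out-Null
    $restartRc = $LASTEXITCODE

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        SetCipherRC = $setRc
        RestartRC   = $restartRc
        Status      = if ($setRc -eq 0 -and $restartRc -eq 0) { 'applied' } else { 'check exit codes' }
    }
}

$results = @()
foreach ($server in $ComputerName) {
    try {
        $results += Invoke-Command -ComputerName $server -ScriptBlock $applyCipherSuite `
                                   -ArgumentList $SmhBin, $CipherSuite -ErrorAction Stop
    } catch {
        # Unreachable host or remoting failure: record it instead of aborting the whole rollout.
        $results += [pscustomobject]@{
            Host = $server; SetCipherRC = $null; RestartRC = $null
            Status = "remoting failed: $($_.Exception.Message)"
        }
    }
}

# Confirm the SMH listener on 2381 came back after the restart. This only proves the port
# answers again; that anonymous ciphers are gone is confirmed by re-running the scanner.
foreach ($r in ($results | Where-Object Status -eq 'applied')) {
    $up = Test-NetConnection -ComputerName $r.Host -Port 2381 -InformationLevel Quiet
    $r | Add-Member -NotePropertyName Port2381Up -NotePropertyValue $up
}

$results | Format-Table Host, SetCipherRC, RestartRC, Port2381Up, Status -AutoSize
```

Save it as, for example, Set-SmhCipherSuite.ps1 and run `.\Set-SmhCipherSuite.ps1 -ComputerName srv1,srv2` from a host that can reach the targets over WinRM. RC4-SHA is the default only because it is the value the thread used; RC4 has since been prohibited for TLS by RFC 7465, so the cipher string is a parameter rather than hard-coded, and a newer SMH release may accept a different string.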
