topic Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211 in General Topics

Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

Bachan — Tue, 18 Jul 2023 18:15:59 GMT

Host : Management Server(SMS)

OS : R80.40

Port:8211

Vulnerability_ID :ssl-weak-message-authentication-code-algorithms

Vulnerability_NAME : TLS/SSL Weak Message Authentication Code Cipher Suites

Vulnerability_Proof: Negotiated with the following insecure cipher suites: * TLS 1.2 ciphers: * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA * TLS_RSA_WITH_AES_128_CBC_SHA

Vulnerability_Solution: Disable any weak HMAC algorithms within the TLS configurationThe following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27; Chrome 22; IE 11; Opera 17 and Safari 9. SSLv2; SSLv3; TLSv1 and TLSv1.1 protocols are not recommended in this configuration. Instead use TLSv1.2 protocol.Refer to your server vendor documentation to apply the recommended cipher configuration:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SHA1:!DSS

Port 8211 uses TLS 1.2 .Attached file for reference.

We have checked the sshd.config file httpd all looks fine . Can you please let us know what needs to be tweaked here?

Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

PhoneBoy — Tue, 18 Jul 2023 21:08:12 GMT

https://support.checkpoint.com/results/sk/sk168472

Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

Bachan — Wed, 19 Jul 2023 09:25:09 GMT

As per the attached screen shot, we are already on TLS1.2, but still getting the above vulnerability on scan report.

Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

PhoneBoy — Wed, 19 Jul 2023 17:13:17 GMT

Recommend engaging with the TAC: https://help.checkpoint.com

Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

the_rock — Wed, 19 Jul 2023 17:19:44 GMT

I was going to suggest same sk as Phoneboy, but since you said its already on TLS 1.2, then best to contact TAC to verify.

Andy

Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

the_rock — Wed, 19 Jul 2023 17:22:12 GMT

Can you confirm how below is set in global properties?

Andy

Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

Bachan — Wed, 19 Jul 2023 17:24:07 GMT

Both are set to TLS 1.2 .

Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

the_rock — Wed, 19 Jul 2023 17:25:32 GMT

Then I would say contact TAC, for sure.

Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

the_rock — Wed, 19 Jul 2023 17:39:13 GMT

Please let us know what they say, as the answer can help others with the same issue.

Andy

Re: Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

Wei_Zhang — Mon, 25 Dec 2023 02:38:46 GMT

Kindly please refers to sk181683 and a hotfix is needed to disable the weak HMAC algorithms

https://support.checkpoint.com/results/sk/sk181683