This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bachan
Explorer
‎2023-07-18 11:15 AM
Jump to solution

Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

Host : Management Server(SMS)

OS : R80.40 

Port:8211

Vulnerability_ID :ssl-weak-message-authentication-code-algorithms

Vulnerability_NAME : TLS/SSL Weak Message Authentication Code Cipher Suites

Vulnerability_Proof: Negotiated with the following insecure cipher suites:     * TLS 1.2 ciphers:                                                                                    * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       * TLS_RSA_WITH_AES_128_CBC_SHA

Vulnerability_Solution: Disable any weak HMAC algorithms within the TLS configurationThe following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27; Chrome 22; IE 11; Opera 17 and Safari 9. SSLv2; SSLv3; TLSv1 and TLSv1.1 protocols are not recommended in this configuration. Instead use TLSv1.2 protocol.Refer to your server vendor documentation to apply the recommended cipher configuration:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SHA1:!DSS

Port 8211 uses TLS 1.2 .Attached file for reference.

 

We have checked the sshd.config file httpd all looks fine . Can you please let us know what needs to be tweaked here?

 

 

Preview file
53 KB
0 Kudos
1 Solution

Accepted Solutions
Wei_Zhang
Employee
Employee
‎2023-12-24 06:38 PM
Jump to solution

Kindly please refers to sk181683 and a hotfix is needed to disable the weak HMAC algorithms

https://support.checkpoint.com/results/sk/sk181683

View solution in original post

9 Replies
PhoneBoy
Admin
Admin
‎2023-07-18 02:08 PM
Jump to solution

https://support.checkpoint.com/results/sk/sk168472 

0 Kudos
Bachan
Explorer
‎2023-07-19 02:25 AM
In response to PhoneBoy
Jump to solution

As per the attached screen shot, we are already on TLS1.2, but still getting the above vulnerability on scan report.

Preview file
53 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-19 10:13 AM
In response to Bachan
Jump to solution

Recommend engaging with the TAC: https://help.checkpoint.com 

0 Kudos
the_rock
Legend
Legend
‎2023-07-19 10:19 AM
Jump to solution

I was going to suggest same sk as Phoneboy, but since you said its already on TLS 1.2, then best to contact TAC to verify.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-07-19 10:22 AM
Jump to solution

Can you confirm how below is set in global properties?

Andy

 

Screenshot_1.png

0 Kudos
Bachan
Explorer
‎2023-07-19 10:24 AM
In response to the_rock
Jump to solution

Both are set to TLS 1.2 .

0 Kudos
the_rock
Legend
Legend
‎2023-07-19 10:25 AM
In response to Bachan
Jump to solution

Then I would say contact TAC, for sure.

0 Kudos
the_rock
Legend
Legend
‎2023-07-19 10:39 AM
In response to Bachan
Jump to solution

Please let us know what they say, as the answer can help others with the same issue.

Andy

0 Kudos
Wei_Zhang
Employee
Employee
‎2023-12-24 06:38 PM
Jump to solution

Kindly please refers to sk181683 and a hotfix is needed to disable the weak HMAC algorithms

https://support.checkpoint.com/results/sk/sk181683

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events