KB Article #176651

scanning Copilot server using "Symantec CCSVM" reports 2 vulnerabilities

Problem

Scanning the Copilot server using "Symantec CCSVM" reports 2 vulnerabilities.

1. Undefined CVE, Clickjacking:
Running HTTPS service. HTTP request to https://MyCopilotHost:1766/
HTTP response code was an expected 200
HTTP header 'X-Frame-Options' not present
Recommended solution by the scanner:
Use HTTP X-Frame-Options
Send the HTTP response headers with X-Frame-Options that instruct the browser to restrict framing where it is not allowed.

2. Undefined CVE, TLS/SSL Server:
Negotiated with the following insecure cipher suites (SSLv3 ciphers):
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_SHA
Recommended solution by the scanner:
Refer to your server vendor documentation to apply the recommended cipher configuration:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

Resolution

The reported vulnerabilities do not affect the Copilot server in any way:

1) The X-Frame-Options header (which instructs the browser to restrict framing where it is not allowed) is not used because the browser session is only used to instantiate the Copilot Java Applet.
  • The browser session is handled by a Copsproc process.
  • Existing browser sessions (sessions handled by Copsproc) will time out, as the browser is not used for the Copilot application.
  • The browser session is not in session with any other application server on the system.

2) About the insecure cipher suites accepted by the Copilot server:
  • The UCONF parameter "copilot.ssl.SslCipherSuites" lets a user specify the cipher suites that the Copilot server accepts.
  • It is available since version 2.7.1 SP9.
  • For backwards compatibility reasons, insecure ciphers are accepted by default: i.e. using a "NULL" cipher still allows a connection to the Navigator server (unless the UCONF parameter above is set).
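As an added illustration (not part of this article or of the product), the simplified Python evaluator below models how an OpenSSL-style cipher string such as the scanner's recommended list selects suites, and confirms that the two flagged suites fall under its !eNULL and !DES exclusions while a permissive string still offers them. The suite table, its alias subset and the permissive string "ALL:eNULL" are constructed assumptions, and the article does not state which syntax copilot.ssl.SslCipherSuites expects, so treat this as a model of the scanner's recommendation rather than of the product's parameter.

```python
"""Simplified evaluator for an OpenSSL-style cipher string (constructed example).
Handles ':'-separated tokens, '!' (permanent exclusion), '-' (removal), a leading '+' (move to end),
'A+B' (every alias must match) and only the aliases in the small table below."""

# Constructed table: OpenSSL suite name -> subset of the aliases it matches in real OpenSSL.
SUITES = {
    "NULL-SHA": {"NULL", "eNULL", "kRSA", "aRSA", "SHA1", "SSLv3"},
    "DES-CBC-SHA": {"DES", "kRSA", "aRSA", "SHA1", "LOW", "SSLv3", "ALL"},
    "DES-CBC3-SHA": {"3DES", "kRSA", "aRSA", "SHA1", "MEDIUM", "SSLv3", "ALL"},
    "AES128-GCM-SHA256": {"AES", "AES128", "AESGCM", "kRSA", "aRSA", "HIGH", "TLSv1.2", "ALL"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDHE", "kEECDH", "aRSA", "AES", "AES128", "AESGCM", "HIGH", "TLSv1.2", "ALL"},
    "DHE-RSA-AES128-GCM-SHA256": {"DHE", "kEDH", "aRSA", "AES", "AES128", "AESGCM", "HIGH", "TLSv1.2", "ALL"},
}
# Scanner (SSL/IANA-style) names of the two flagged suites -> their OpenSSL names.
FLAGGED = {"SSL_RSA_WITH_NULL_SHA": "NULL-SHA", "SSL_RSA_WITH_DES_CBC_SHA": "DES-CBC-SHA"}

# The cipher list the scanner recommended in the finding above.
RECOMMENDED = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
)

def evaluate(cipher_string, table=SUITES):
    """Return, in preference order, the suites from `table` that the cipher string selects."""
    selected, banned = [], set()
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token or token.startswith("@"):  # '@STRENGTH' and similar directives are ignored here
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        needed = set(body.split("+"))  # 'kEDH+AESGCM': every listed alias must match
        matches = [s for s, aliases in table.items() if s == body or needed <= aliases]
        if op == "!":  # permanently excluded; a later token cannot re-add these suites
            banned.update(matches)
            selected = [s for s in selected if s not in banned]
        elif op == "-":  # removed for now, but a later token may re-add them
            selected = [s for s in selected if s not in matches]
        elif op == "+":  # keep the suites, but move them to the end of the preference list
            selected = [s for s in selected if s not in matches] + [s for s in selected if s in matches]
        else:  # append newly matched suites in table order, skipping banned ones
            selected += [s for s in matches if s not in selected and s not in banned]
    return selected

def flagged_accepted(cipher_string):
    """Map each scanner-reported suite to whether the cipher string still accepts it."""
    active = evaluate(cipher_string)
    return {scanner: openssl in active for scanner, openssl in FLAGGED.items()}
```

Calling flagged_accepted("ALL:eNULL") shows both flagged suites accepted, while flagged_accepted(RECOMMENDED) shows both excluded; DES-CBC3-SHA survives because the !DES alias covers single DES only.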