KB Article #178692

CVE-2013-2566 for port 8081 (Core_services)

Problem

In CG 1.1.3, there is still the use of RC4 algorithm for the communication for port 8081.

https://nvd.nist.gov/vuln/detail/CVE-2013-2566


RC4 is no more secure and should be excluded in the cipher suites.


FYI, 8081 is only internal used and requires mutual authentication.


The only connection is done with Passport CG (sso), So there is no risk of external attack.


Tool used to check the cipher suites is nmap with a scpecific script "ssl-enum-ciphers" https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.h...


By default CG are using these algorithms for port 8081:



nmap --script ssl-enum-ciphers -p 8081 localhost



Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-20 16:44 CEST
Nmap scan report for localhost (127.0.0.1)Host is up (0.000083s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
8081/tcp open blackice-icecap
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
| Key exchange (dh 1024) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
|_ least strength: C
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds



As you can see, indeed there is an RC4 vulnerabitily.


Resolution


1/ The cipher suites using RC4 will be excluded starting from CG 1.1.3 SP1 (30th June)


2/ A workaround:

In the configuration file CentralGovernance/runtime/com.axway.nodes.ume_XXXXXX/conf/com.axway.cmp.web.cfg
Change the following.org.ops4j.pax.web.ssl.ciphersuites.excluded=SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
and the new one will be:org.ops4j.pax.web.ssl.ciphersuites.excluded=SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA



Results:
[benji@ecosystem Benji_Tools]$ nmap --script ssl-enum-ciphers -p 8081 localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-21 10:19 CEST
Nmap scan report for localhost (127.0.0.1)Host is up (0.00013s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
8081/tcp open blackice-icecap
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp160k1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
|_ least strength: A


So no more RC4 algorithms used.

Still need help?

If this information wasn't helpful to you, just drop us a line. We'll get back to you as soon as possible.