TPAM Vulnerability

We have scanned our TPAM appliance and found these vulnerabilities. Please suggest how to fix them.

Vulnerability:

  • Unsecure Encryption Protocols Detected.
  • Deprecated SSH Cryptographic Settings.


Solution:

  • Disable insecure protocols and use TLS V1.2 or above with secured cipher suites.
  • Update SSH Cryptographic Settings.
Hi Joshan

You do not mention which release of the TPAM application code you are running.

In later versions you can disable the less secure TLS versions.

If you had checked the TPAM Knowledge Base and entered TLS as a search string you would have found KB212744 "TLS 1.0 Vulnerability in TPAM", which was originally created back in 2016.

This discusses the TLS versions that are supported, suggests a workaround, and covers both the TPAM appliance and the DPAs.

You will also find other articles that discuss using TLS with TPAM, as well as a lot of other very useful information.

It is also worth remembering that the 2.5.919 release mentioned in this KB is no longer supported, so if you are running this or an earlier version you will need to update to one of the supported versions.

Best regards

Tim

KB212744

Dear Tim Westcott,

My TPAM version is 2.5.919. OK, I will upgrade to the latest version.

But what about this vulnerability? How can we fix the SSH vulnerability?

CVE-2015-4000

Regards,

Joshan

Hi Joshan

TPAM code 2.5.923 uses OpenSSH 7.4p1, while with your present release you may still be running OpenSSH 7.2.

I would update your appliance to the latest code release first and then re-scan.

You can only patch a TPAM appliance via a PARPack provided by One Identity. There is no other way to add/update any software on the TPAM appliance.

If your scan still shows an issue after patching you will need to contact One Identity Support and log a case with them for resolution.

Also, if you are using DPA V3 you will need to upgrade these to the V4 release to use the newer SSH ciphers.

You cannot upgrade hardware-based V3 DPAs to V4.

Virtual DPAs can be downloaded and deployed to match the number of physical DPAs you have.

If you require physical DPAs then you need to contact your One Identity account manager, as these are not a FoC upgrade.

Best regards

Tim
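Tim's advice is to patch and then re-scan. The script below is an added example of what such a re-check looks at; it is not code from One Identity, from TPAM, or from anyone in this thread. It parses the SSH_MSG_KEXINIT that an sshd sends in the clear before any key exchange completes and flags the key-exchange, cipher and MAC names that scanners commonly report as "deprecated SSH cryptographic settings" (the weak-algorithm sets are an assumption about typical scanner criteria, not the scanner's exact policy; diffie-hellman-group1-sha1 uses a 1024-bit group, the size the Logjam research behind CVE-2015-4000 showed to be within reach of well-resourced attackers). It also probes which TLS versions a listener still accepts, which is the "unsecure encryption protocols" finding. The host and port arguments and the sample KEXINIT are constructed for illustration; the network functions are only run from the command line.

```python
"""Post-patch re-check for the two findings in the thread: which TLS versions a
service accepts and which SSH algorithms sshd advertises. Added example, not
One Identity/TPAM code; weak-algorithm sets are assumed scanner criteria."""
import socket
import ssl
import struct

# Assumed scanner criteria for "deprecated SSH cryptographic settings".
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1"}
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-md5-etm@openssh.com",
             "hmac-md5-96-etm@openssh.com", "hmac-sha1-96-etm@openssh.com"}
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(buf, off):
    """Read one SSH name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n].decode("ascii")
    return [a for a in raw.split(",") if a], off + 4 + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into name-lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 1 + 16, {}  # skip message id and the 16-byte cookie
    for name in FIELDS:
        out[name], off = _name_list(payload, off)
    return out


def audit_kexinit(payload):
    """Return {category: [weak names]} for what the server offers."""
    k = parse_kexinit(payload)
    return {
        "kex": [a for a in k["kex"] if a in WEAK_KEX],
        "cipher": sorted({a for a in k["enc_c2s"] + k["enc_s2c"] if a in WEAK_CIPHERS}),
        "mac": sorted({a for a in k["mac_c2s"] + k["mac_s2c"] if a in WEAK_MACS}),
    }


def fetch_kexinit(host, port=22, timeout=5):
    """Exchange version banners and return the server's raw KEXINIT payload.
    KEXINIT is unencrypted, so no key exchange or login is attempted."""
    with socket.create_connection((host, port), timeout) as s:
        f = s.makefile("rb")
        while True:  # servers may send banner text before the SSH- line
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-kexaudit\r\n")
        (length,) = struct.unpack(">I", f.read(4))
        pkt = f.read(length)            # padding_length byte + payload + padding
        return pkt[1:length - pkt[0]]


def check_tls_versions(host, port=443, timeout=5):
    """Map each TLS version to True if the server completes a handshake with it
    pinned. Certificate checks are off: only protocol acceptance is measured."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[ver.name] = True
        except (ssl.SSLError, OSError, ValueError):
            results[ver.name] = False
    return results


def build_kexinit(**lists):
    """Build a KEXINIT payload; used here only to construct offline sample input."""
    body = b""
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return bytes([20]) + b"\x00" * 16 + body + b"\x00" + struct.pack(">I", 0)


# Constructed sample: what an older sshd might advertise (not a real capture).
SAMPLE_OLD = build_kexinit(
    kex=["curve25519-sha256@libssh.org", "diffie-hellman-group1-sha1"],
    hostkey=["ssh-rsa"], enc_c2s=["aes128-ctr", "3des-cbc"],
    enc_s2c=["aes128-ctr", "3des-cbc"], mac_c2s=["hmac-sha2-256", "hmac-md5"],
    mac_s2c=["hmac-sha2-256", "hmac-md5"], comp_c2s=["none"], comp_s2c=["none"])

if __name__ == "__main__":
    print(audit_kexinit(SAMPLE_OLD))
    # Against a live appliance (assumed hostname): print(audit_kexinit(fetch_kexinit("tpam.example")))
    # and: print(check_tls_versions("tpam.example"))
```

A clean result is an empty list in every category of `audit_kexinit` and `False` for TLSv1 and TLSv1_1 in `check_tls_versions`; anything else is what the scanner will keep reporting, and on a TPAM appliance that can only be changed through a One Identity patch, not by editing sshd or web server settings locally.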