TPAM APPLIANCE VULNERABILITIES ISSUE

Hello All,

We have scanned a device and found the vulnerabilities below:

Severe Vulnerabilities

  1. SSH Server Supports diffie-hellman-group1-sha1 (ssh-cve-2015-4000)
  2. SSH Server Supports Weak Key Exchange Algorithms (ssh-weak-kex-algorithms)
  3. TLS/SSL Server is enabling the BEAST attack (ssl-cve-2011-3389-beast)
  4. TLS Server Supports TLS version 1.0 (tlsv1_0-enabled)

Moderate Vulnerabilities

  1. SSH CBC vulnerability (ssh-cbc-ciphers)
  2. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)
  3. TLS Server Supports TLS version 1.1 (tlsv1_1-enabled)

How can we fix this? TPAM version is 2.5.923.
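Added example (not from this thread or from One Identity): a small parser that reads an SSH_MSG_KEXINIT payload and reports which of the three SSH findings above the server's offered algorithms would trigger. The mapping from algorithm names to the scanner's finding IDs, and the two sample payloads, are assumptions constructed for the example; to check a real appliance you would feed it the payload of the server's first binary packet after the version-string exchange.

```python
import struct

# Assumed mapping from offered algorithm names to the scanner finding IDs in the post.
LOGJAM_KEX = {"diffie-hellman-group1-sha1"}                     # ssh-cve-2015-4000
WEAK_KEX = LOGJAM_KEX | {"diffie-hellman-group-exchange-sha1"}  # ssh-weak-kex-algorithms
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
          "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def _name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], off + 4 + n

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    out, off = {}, 17  # skip the message byte and the 16-byte cookie
    for name in FIELDS:
        out[name], off = _name_list(payload, off)
    return out

def audit_kexinit(payload):
    """Return the sorted finding IDs that the server's offered algorithms would trigger."""
    lists = parse_kexinit(payload)
    hits = set()
    for kex in lists["kex"]:
        if kex in LOGJAM_KEX:
            hits.add("ssh-cve-2015-4000")
        if kex in WEAK_KEX:
            hits.add("ssh-weak-kex-algorithms")
    if any(c.endswith("-cbc") for c in lists["enc_c2s"] + lists["enc_s2c"]):
        hits.add("ssh-cbc-ciphers")
    return sorted(hits)

def build_kexinit(kex, enc, mac, hostkey=("ssh-rsa",), comp=("none",)):
    """Encode name-lists into a KEXINIT payload; used only to construct sample input."""
    def nl(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = nl(kex) + nl(hostkey) + nl(enc) + nl(enc) + nl(mac) + nl(mac)
    body += nl(comp) + nl(comp) + nl([]) + nl([])
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)  # cookie, bool, reserved

# Constructed samples: one offering what the scan flagged, one hardened.
WEAK_SAMPLE = build_kexinit(["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
                            ["aes128-cbc", "3des-cbc", "aes128-ctr"], ["hmac-sha1"])
FIXED_SAMPLE = build_kexinit(["curve25519-sha256", "diffie-hellman-group14-sha256"],
                             ["aes128-ctr", "aes256-gcm@openssh.com"], ["hmac-sha2-256"])
```

Running `audit_kexinit(WEAK_SAMPLE)` reproduces all three SSH finding IDs from the scan, while `audit_kexinit(FIXED_SAMPLE)` returns an empty list.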

  • Hi Jafar

    As with most questions around TPAM a very good place to start is the Knowledge base on the One Identity Support Site.

    While you will not necessarily find all the answers there, you will be able to find answers to a lot of your questions.

    As an example, if you use the search term "BEAST" attack, then KB187751 will come up.

    https://support.oneidentity.com/tpam/kb/187751/cve-2011-3389-ssl-tls-protocol-initialization-vector-implementation-information-disclosure-vulnerability-beast

    This explains: "A BEAST attack is a client-side (web browser) attack based on rendering Web pages and executing JavaScript on them. The issue should be mitigated client side by using an up-to-date browser.

    The only known mitigation from the Web server side is to use RC4 or allow only TLS 1.1/1.2. Due to weaknesses in RC4, this is not a valid mitigation and RC4 ciphers are disabled from 2.5.915. 

    CVE-2013-2566 RC4 - Plaintext-Recovery Issue (135497)


    The ability to only allow TLS 1.1 & 1.2 has been added in 2.5.920 and above, more information can be found in KB 212744"

    So as you are already running 2.5.923 the TPAM side should be mitigated.

    However.

    If you are unsure about any TPAM related security issues after reviewing what is on offer in the Knowledge base I would always recommend that you raise a case with the Support team.

    The forum is a great place to tap the experience and knowledge of the TPAM user community, but the support team (unlike the members of this forum) are in a position to give you an official response to your questions.

    They also have access to the R+D guys and all the other One Identity professionals to be able to give you an answer.

    Best regards

    Tim

  • Thank you so much for your response. Appreciate it.
