In present environment SAP has many products like SAP BOBJ and SAP Data Service and many other products like Nakisa,Security Weaver, Reverse proxy setup use Apache Tomcat web server and HTTP server for serving web applications. Hence protecting them from security hackers and security loopholes are critical to safeguard the communication channels and data.
I have covered the top 10 SSL vulnerabilities of applications that runs on Apache Tomcat, Apache HTTP web servers with Linux platform.
There are various utilities to scan and identify vulnerabilities and I have used openssl utility for the diagnosis.
Security Concepts:
SSL and TLS protocols are used to provide integrity, authenticity and privacy to other protocols such as HTTP and LDAP. They provide these services by using encryption for privacy, x509 certificates for authenticity and one-way hash functions for integrity.
To encrypt data SSL and TLS can use block ciphers, which are encryption algorithms that can encrypt only a fixed block of original data to an encrypted block of the same size. Note that these ciphers will always obtain the same resulting block for the same original block of data. To achieve difference in the output the output of encryption is XORed with yet another block of the same size referred to as initialization vectors (IV). A special mode of operation for block ciphers known as CBC (cipher block chaining) uses one IV for the initial block and the result of the previous block for each subsequent block to obtain difference in the output of block cipher encryption.
PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
The Payment Card Industry Data Security Standard (PCI-DSS) requires web sites to use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
The Federal Information Processing Standard (FIPS) Publication 140-2, is a U.S. government computer security standard used to approve cryptographic modules.
Vulnerability 1- Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
With the SWEET32 vulnerability, it is now shown that an attacker can send in large volume of dummy data, and get blocks of cipher text that matches that of a customer.
It is possible because the 64-bit blocks used by 3DES-DES generates a lot of packets, which increases the probability of an encrypted packet of a customer and that of the attacker matching.
Using openssl connect to the server on respective port with limiting connection only to weak ciphers DES,3DES.
If any of these tests is successful, then the target is vulnerable to Sweet32.
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -ssl2
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -ssl3
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -tls1
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -tls1_1
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -tls1_2
To secure the confidential information from this critical SWEET32 birthday attack vulnerability, it is crucial to disable the 64-bit block weak ciphers such as DES, 3DES, etc. in the servers promptly in SSL configuration and strong ciphers such as AES should be enabled.
Disable and stop using DES and 3DES ciphers.
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!DES:!3DES
Before : On executing the command, with successful connection the output shows information of the certificate used by port.
After : On executing the command after applying the solution with successful connection the output do not show the certificate value instead handshake failure and secure renegotiation is not supported.
Vulnerability 2 - SSL Server Has SSLv3 Enabled Vulnerability
In April 2015, PCI released article announcing that NIST no longer considers Secure Socket Layers (SSL) v3.0 protocol as acceptable for protecting data and that all versions of SSL versions do not meet the PCI definition of strong cryptography.
SSL 3.0 is an obsolete and insecure protocol.Encryption in SSL 3.0 uses either the RC4 stream cipher, or a block cipher in CBC mode.RC4 is known to have biases, and the block cipher in CBC mode is vulnerable to the POODLE attack.
Using openssl connect to the server on respective port with limiting connection only SSL 3.0
If tests is successful and certificate is visible, then the target is vulnerable to SSLv3
openssl s_client -connect ***.domain.com:*** -ssl3
Disable the SSL 3.0 protocol in the client and in the server.
Add an entry "-SSLv3" to SSLProtocol in httpd.conf or the SSL configuration file of the respective application listening to the vulnerable port.
Before : On executing the command , with successful connection the output shows information of the certificate used by port.
After : On executing the command after applying the solution, with successful connection the output do not show the certificate value instead handshake failure and secure renegotiation is not supported.
Vulnerability 3 - SSL/TLS use of weak RC4 cipher
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic.
Vulnerabilities in SSL RC4 Cipher Suites Supported is a Medium risk vulnerability that is one of the most frequently found on networks around the world.
If this attack is carried out and an HTTP cookie is recovered, then the attacker can then use the cookie to impersonate the user whose cookie was recovered.
Run the openssl s_client command with only the weak ciphers
openssl s_client -connect host:port -cipher EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5 -no_tls1
openssl s_client -connect host:port -cipher NULL-MD5:NULL-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-ADH-RC4-MD5:EXP-ADH-DES-CBC-SHA -no_ssl3
If the connection is success with certificate data in output, the weak ciphers are supported
RC4 should not be used where possible. One reason that RC4 was still being used was BEAST and Lucky13 attacks against CBC mode ciphers in SSL and TLS. However, TLSv 1.2 or later address these issues.
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
To disable RC4, the cipher-suite syntax should contain ":!RC4:" that negates RC4 cipher and restart Apache.
Before : Using openssl connect to the server on respective port with limiting connection only to any weak ciphers. The output shows information of the certificate used by port.
After:
Vulnerability 4 - SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
SSLv3 allows exploiting of the POODLE bug. This is one more major reason to disable this.
Using openssl connect to the server on respective port with limiting connection only to SSL 3.0
openssl s_client -connect ***.domain.com:*** -ssl3
Disable SSLv3 support to avoid this vulnerability.
Add -SSLv3 to the SSLProtocol in httpd.conf or the SSL configuration file of the respective application listening to the vulnerable port and restart Apache
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
SSLHonorCipherOrder on
Before : On executing the command, with successful connection the output shows information of the certificate used by port.
After :
Vulnerability 5 - SSL/TLS Server supports TLSv1.0
Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
Using openssl connect to the server on respective port with limiting connection only TLS v1.
openssl s_client -servername *****.com -connect IP:PORT -tls1
Disable TLSv1 support to avoid this vulnerability.
Add -SSLv1 to the SSLProtocol in httpd.conf or the SSL configuration file of the respective application listening to the vulnerable port and restart Apache
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
Before : On executing the command, with successful connection the output shows information of the certificate used by port.
After :
I have covered the top 10 SSL vulnerabilities of applications that runs on Apache Tomcat, Apache HTTP web servers with Linux platform.
There are various utilities to scan and identify vulnerabilities and I have used openssl utility for the diagnosis.
Security Concepts:
SSL and TLS protocols are used to provide integrity, authenticity and privacy to other protocols such as HTTP and LDAP. They provide these services by using encryption for privacy, x509 certificates for authenticity and one-way hash functions for integrity.
To encrypt data SSL and TLS can use block ciphers, which are encryption algorithms that can encrypt only a fixed block of original data to an encrypted block of the same size. Note that these ciphers will always obtain the same resulting block for the same original block of data. To achieve difference in the output the output of encryption is XORed with yet another block of the same size referred to as initialization vectors (IV). A special mode of operation for block ciphers known as CBC (cipher block chaining) uses one IV for the initial block and the result of the previous block for each subsequent block to obtain difference in the output of block cipher encryption.
PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
The Payment Card Industry Data Security Standard (PCI-DSS) requires web sites to use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
The Federal Information Processing Standard (FIPS) Publication 140-2, is a U.S. government computer security standard used to approve cryptographic modules.
Vulnerability 1- Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
With the SWEET32 vulnerability, it is now shown that an attacker can send in large volume of dummy data, and get blocks of cipher text that matches that of a customer.
It is possible because the 64-bit blocks used by 3DES-DES generates a lot of packets, which increases the probability of an encrypted packet of a customer and that of the attacker matching.
- How to diagnose
Using openssl connect to the server on respective port with limiting connection only to weak ciphers DES,3DES.
If any of these tests is successful, then the target is vulnerable to Sweet32.
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -ssl2
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -ssl3
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -tls1
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -tls1_1
openssl s_client -connect ***.domain.com:*** -cipher 'DES:3DES' -tls1_2
- How to resolve
To secure the confidential information from this critical SWEET32 birthday attack vulnerability, it is crucial to disable the 64-bit block weak ciphers such as DES, 3DES, etc. in the servers promptly in SSL configuration and strong ciphers such as AES should be enabled.
Disable and stop using DES and 3DES ciphers.
- Edit the apache SSL configuration file at ‘/etc/apache2/mods-available/ssl.conf ‘ or at the respective application configuration file location
- Go to the SSL section and ensure SSLv2 and SSLv3 are already disabled.
- Go to the CIPHER text section and give the entry as:
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!DES:!3DES
- Save the setting and restart apache web server.
- How to validate
Before : On executing the command, with successful connection the output shows information of the certificate used by port.
After : On executing the command after applying the solution with successful connection the output do not show the certificate value instead handshake failure and secure renegotiation is not supported.
Vulnerability 2 - SSL Server Has SSLv3 Enabled Vulnerability
In April 2015, PCI released article announcing that NIST no longer considers Secure Socket Layers (SSL) v3.0 protocol as acceptable for protecting data and that all versions of SSL versions do not meet the PCI definition of strong cryptography.
SSL 3.0 is an obsolete and insecure protocol.Encryption in SSL 3.0 uses either the RC4 stream cipher, or a block cipher in CBC mode.RC4 is known to have biases, and the block cipher in CBC mode is vulnerable to the POODLE attack.
- How to diagnose:
Using openssl connect to the server on respective port with limiting connection only SSL 3.0
If tests is successful and certificate is visible, then the target is vulnerable to SSLv3
openssl s_client -connect ***.domain.com:*** -ssl3
- How to resolve :
Disable the SSL 3.0 protocol in the client and in the server.
Add an entry "-SSLv3" to SSLProtocol in httpd.conf or the SSL configuration file of the respective application listening to the vulnerable port.
- How to validate:
Before : On executing the command , with successful connection the output shows information of the certificate used by port.
After : On executing the command after applying the solution, with successful connection the output do not show the certificate value instead handshake failure and secure renegotiation is not supported.
Vulnerability 3 - SSL/TLS use of weak RC4 cipher
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic.
Vulnerabilities in SSL RC4 Cipher Suites Supported is a Medium risk vulnerability that is one of the most frequently found on networks around the world.
If this attack is carried out and an HTTP cookie is recovered, then the attacker can then use the cookie to impersonate the user whose cookie was recovered.
- How to diagnose:
Run the openssl s_client command with only the weak ciphers
openssl s_client -connect host:port -cipher EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5 -no_tls1
openssl s_client -connect host:port -cipher NULL-MD5:NULL-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-ADH-RC4-MD5:EXP-ADH-DES-CBC-SHA -no_ssl3
If the connection is success with certificate data in output, the weak ciphers are supported
- How to resolve :
RC4 should not be used where possible. One reason that RC4 was still being used was BEAST and Lucky13 attacks against CBC mode ciphers in SSL and TLS. However, TLSv 1.2 or later address these issues.
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
To disable RC4, the cipher-suite syntax should contain ":!RC4:" that negates RC4 cipher and restart Apache.
- How to validate:
Before : Using openssl connect to the server on respective port with limiting connection only to any weak ciphers. The output shows information of the certificate used by port.
After:
Vulnerability 4 - SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
SSLv3 allows exploiting of the POODLE bug. This is one more major reason to disable this.
- How to diagnose:
Using openssl connect to the server on respective port with limiting connection only to SSL 3.0
openssl s_client -connect ***.domain.com:*** -ssl3
- How to Resolve:
Disable SSLv3 support to avoid this vulnerability.
Add -SSLv3 to the SSLProtocol in httpd.conf or the SSL configuration file of the respective application listening to the vulnerable port and restart Apache
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
SSLHonorCipherOrder on
- How to validate:
Before : On executing the command, with successful connection the output shows information of the certificate used by port.
After :
Vulnerability 5 - SSL/TLS Server supports TLSv1.0
Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
- How to diagnose:
Using openssl connect to the server on respective port with limiting connection only TLS v1.
openssl s_client -servername *****.com -connect IP:PORT -tls1
- How to Resolve:
Disable TLSv1 support to avoid this vulnerability.
Add -SSLv1 to the SSLProtocol in httpd.conf or the SSL configuration file of the respective application listening to the vulnerable port and restart Apache
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
- How to validate:
Before : On executing the command, with successful connection the output shows information of the certificate used by port.
After :
- SAP Managed Tags:
| User | Count |
|---|---|
| 5 | |
| 5 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 |
