DX Infrastructure Manager

 disabling udm_manager weak ciphers

posted 06-09-2021 02:02 AM
Hello

Our vulnerability scanner has found weak ciphers in udm_manager.

I found the following solution:

https://knowledge.broadcom.com/external/article/209177/security-setting-disabling-udm_manager-w.html

I have implemented above but it does not seem to work as both the scanner and nmap still see the problem.

nmap :

Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-09 07:28 W. Europe Daylight Time
Nmap scan report for xxx
Host is up (0.0010s latency).

PORT STATE SERVICE
4334/tcp open netconf-ch-ssh
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Weak certificate signature: SHA1
|_ least strength: D

Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds

C:\Program Files (x86)\Nmap>

Has anyone got this to work ?

Regards
Henrik Vick
Nets Denmark
Broadcom Employee
Went back to the original case and the client provided this: (had to add a space after each algorithm). 
Broadcom Employee
Have not set this up, so don't have a copy of disable_ciphers.properties. 
Hi,

our vulnerability scanner caused the udm_manager to go bananas, consuming 90% cpu until I stopped it. I really feel Broadcom should look into this.

Regards
Joakim
Broadcom Employee
Then you should open a support case.