DX Unified Infrastructure Management


 disabling udm_manager weak ciphers

Henrik Vick posted Jun 09, 2021 02:02 AM
Hello

Our vulnerability scanner has found weak ciphers in udm_manager.

I found the following solution:

https://knowledge.broadcom.com/external/article/209177/security-setting-disabling-udm_manager-w.html

I have implemented the above, but it does not seem to work, as both the scanner and nmap still see the problem.

nmap :

Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-09 07:28 W. Europe Daylight Time
Nmap scan report for xxx
Host is up (0.0010s latency).

PORT STATE SERVICE
4334/tcp open netconf-ch-ssh
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Weak certificate signature: SHA1
|_ least strength: D

Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds

C:\Program Files (x86)\Nmap>

Has anyone got this to work?

Regards
Henrik Vick
Nets Denmark
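
Added example (not part of the original post, and not Broadcom's code): a small Python check that parses ssl-enum-ciphers output like the scan above and lists which suites are still offered with 3DES or a short dh/rsa key, so a rescan after a configuration change can be compared mechanically. The function names and the 2048-bit threshold are assumptions chosen for illustration.

```python
import re

# Sample input: copied from the ssl-enum-ciphers lines in the post above.
SCAN = """\
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|_ least strength: D
"""

MIN_BITS = 2048  # assumed policy threshold for dh/rsa, not from the post
PROTO_RE = re.compile(r"^\|[\s_]*((?:TLS|SSL)v[\d.]+):\s*$")
SUITE_RE = re.compile(r"^\|[\s_]*(TLS_\w+)\s+(?:\(([^)]*)\)\s+)?-\s+([A-F])\s*$")

def parse_suites(text):
    """Return one dict per cipher suite line, tagged with its protocol."""
    suites, proto = [], None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
        elif m := SUITE_RE.match(line):
            name, info, grade = m.groups()
            kex, _, bits = (info or "").partition(" ")
            suites.append({"proto": proto, "name": name, "kex": kex,
                           "bits": int(bits) if bits.isdigit() else None,
                           "grade": grade})
    return suites

def findings(suites, min_bits=MIN_BITS):
    """Map suite name -> reasons it fails the policy (3DES, short dh/rsa key)."""
    out = {}
    for s in suites:
        reasons = []
        if "3DES" in s["name"]:
            reasons.append("3DES: 64-bit block cipher (SWEET32)")
        if s["kex"] in ("dh", "rsa") and s["bits"] and s["bits"] < min_bits:
            reasons.append(f"{s['kex']} {s['bits']} bits is below {min_bits}")
        if reasons:
            out[s["name"]] = reasons
    return out

if __name__ == "__main__":
    for name, reasons in findings(parse_suites(SCAN)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

An empty result from findings() on a rescan means none of the offered suites match these two conditions; it does not cover the certificate signature warning.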
David Michel
Went back to the original case and the client provided this: (had to add a space after each algorithm). 
David Michel
Have not set this up, so don't have a copy of disable_ciphers.properties. 
Joakim E
Hi,

Our vulnerability scanner caused the udm_manager to go bananas, consuming 90% CPU until I stopped it. I really feel Broadcom should look into this.

Regards
Joakim
David Michel
Then you should open a support case.