DX Unified Infrastructure Management

  • 1.  CVE-2004-2761 - hub tunnel certificate vulnerable - fix ?

    Posted Jan 25, 2023 09:00 AM
    hi all,

    We recently received results of a security scan showing that hub certificates are vulnerable to CVE-2004-2761 (info below).
    There is info on this for other Broadcom products but not UIM/hub.
    I have raised this with support but am just getting "with dev" / "dev to reproduce" delaying-tactic updates when chasing.
    Has anyone else experienced and/or resolved this?




    "An SSL certificate in the certificate chain has been signed using a
    weak hash algorithm."

    "The remote service uses an SSL certificate chain that has been signed
    using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5,
    or SHA1). These signature algorithms are known to be vulnerable to
    collision attacks. An attacker can exploit this to generate another
    certificate with the same digital signature, allowing an attacker to
    masquerade as the affected service.

    Note that this plugin reports all SSL certificate chains signed with
    SHA-1 that expire after January 1, 2017 as vulnerable. This is in
    accordance with Google's gradual sunsetting of the SHA-1 cryptographic
    hash algorithm.

    Note that certificates in the chain that are contained in the Nessus
    CA database (known_CA.inc) have been ignored."


  • 2.  RE: CVE-2004-2761 - hub tunnel certificate vulnerable - fix ?

    Broadcom Employee
    Posted Jan 27, 2023 06:50 AM
    Edited by Seshasai.Koduru Jan 27, 2023 06:56 AM
    Hello David,

    We have upgraded the signature hash algorithm to sha384 in the secure version of the hub (hub_secure, which is part of the SecureBus). We are planning to upgrade the same in the regular hub as well, i.e., when the hub is in tunnel server mode (acting as a CA), it will create certs using sha384 as the hash algorithm.
    What can currently be done until a new version of the hub is released:
    1. Third-party certificates can be used with the tunnels as well.
    2. Temporarily deploy secure_hub to the tunnel server system. Clean up and re-create the required certificates (they will have sha384). Deploy the regular hub again.
    Note: Take the required backup of the configurations and certs before applying these workarounds.

    Reference:

    Regards

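For anyone following workaround 1 (third-party certificates), the script below is an added example, not hub/UIM code or anything from the Broadcom reply. It assumes only the openssl command-line tool and shows the three things the thread turns on: reading the signature algorithm out of a certificate, classifying it the way the scanner does (MD2/MD4/MD5/SHA-1 flagged, anything else accepted), and minting a CA plus server certificate signed with SHA-384 that can be dropped in as a third-party chain. The subject names (example-tunnel-ca, hub-tunnel-server.example) and the optional HOST:PORT argument are placeholders; the hub.cfg wiring itself is not covered here.

```shell
#!/bin/sh
# Added example (not hub/UIM code): check and generate X.509 certificates with
# the openssl CLI so the chain is signed with SHA-384 instead of SHA-1.
# example-tunnel-ca / hub-tunnel-server.example are placeholder names.
set -eu

# sig_alg_of FILE.pem : print the signature algorithm, e.g. sha384WithRSAEncryption
sig_alg_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# classify_sig_alg NAME : "weak" for the hashes the scanner flags, else "ok"
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        md2*|md4*|md5*|sha1*) printf 'weak\n' ;;
        *)                    printf 'ok\n' ;;
    esac
}

# is_weak_sig FILE.pem : exit status 0 if the certificate would be flagged
is_weak_sig() {
    [ "$(classify_sig_alg "$(sig_alg_of "$1")")" = weak ]
}

# make_chain DIR HASH : write DIR/ca.{key,pem} and DIR/server.{key,pem}, both
# certificates signed with HASH (sha1 reproduces the finding, sha384 fixes it).
make_chain() {
    dir=$1; hash=$2
    mkdir -p "$dir"
    # self-signed CA valid ten years
    openssl req -x509 -newkey rsa:2048 -nodes "-$hash" -days 3650 \
        -subj "/CN=example-tunnel-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # server CSR, then sign it with the CA using the same hash
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=hub-tunnel-server.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req "-$hash" -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
}

# check_service HOST:PORT : classify every certificate a live TLS endpoint presents,
# which is what the scanner does against the tunnel port
check_service() {
    tmp=$(mktemp -d)
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++; out=d "/cert" n ".pem"; p=1}
                            p{print > out} /-----END CERTIFICATE-----/{p=0}'
    for c in "$tmp"/cert*.pem; do
        alg=$(sig_alg_of "$c")
        printf '%-4s %-28s %s\n' "$(classify_sig_alg "$alg")" "$alg" \
            "$(openssl x509 -in "$c" -noout -subject)"
    done
    rm -rf "$tmp"
}

# --- demo: reproduce the finding with a SHA-1 chain, then the SHA-384 fix ---
work=$(mktemp -d)
if make_chain "$work/weak" sha1 2>/dev/null; then
    alg=$(sig_alg_of "$work/weak/server.pem")
    printf 'weak chain : %s -> %s\n' "$alg" "$(classify_sig_alg "$alg")"
else
    echo "weak chain : this openssl build refuses to create SHA-1 signatures"
fi
make_chain "$work/fixed" sha384
alg=$(sig_alg_of "$work/fixed/server.pem")
printf 'fixed chain: %s -> %s\n' "$alg" "$(classify_sig_alg "$alg")"
rm -rf "$work"

# optional: point it at the tunnel server, e.g. ./check.sh hubhost:48003 (port is a placeholder)
if [ -n "${1:-}" ]; then check_service "$1"; fi
```

The generated ca.pem and server.pem/server.key are the pieces a third-party chain consists of; whether the scanner stops flagging the service depends on every certificate in the chain the tunnel presents, including the self-signed CA, since only CAs in the scanner's own trust database are ignored. Rerunning check_service against the tunnel port after the certificates are in place is the confirmation that the finding is actually gone.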

  • 3.  RE: CVE-2004-2761 - hub tunnel certificate vulnerable - fix ?

    Posted Jan 31, 2023 12:57 PM
    Thanks for the info.
    Due to the number of tunnel clients reporting into the hub server, it would be difficult to go to secure hub, even if only temporarily.
    I could use the backup/clone of the hub server and deploy secure hub, then generate the cert. I am just unsure how I would be able to port that back to the "live" hub tunnel server. I know I can copy the cert to the hub/certs location, but I am unsure how to enable this in the probe.
    I assume I could copy the keys from hub.cfg of the "clone" after adding the new cert from <tunnels> <certs> <2> etc., then add that with the cert to the "live" hub.cfg.