DX Unified Infrastructure Management

 View Only
  • 1.  CVE-2004-2761 - hub tunnel certificate vulnerable - fix ?

    Posted 11 days ago
    hi all,

    We recently received results of a security scan showing that hub certificates are vulnerable to CVE-2004-2761 (info below).
    There is info on this for other Broadcom products but not UIM/hub.
    I have raised with this support but just getting "with dev" "dev to reproduce" delaying tactic updates when chasing.
    Has anyone else experienced and/or resolved this ?




    "An SSL certificate in the certificate chain has been signed using a
    weak hash algorithm."

    "The remote service uses an SSL certificate chain that has been signed
    using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5,
    or SHA1). These signature algorithms are known to be vulnerable to
    collision attacks. An attacker can exploit this to generate another
    certificate with the same digital signature, allowing an attacker to
    masquerade as the affected service.

    Note that this plugin reports all SSL certificate chains signed with
    SHA-1 that expire after January 1, 2017 as vulnerable. This is in
    accordance with Google's gradual sunsetting of the SHA-1 cryptographic
    hash algorithm.

    Note that certificates in the chain that are contained in the Nessus
    CA database (known_CA.inc) have been ignored."


  • 2.  RE: CVE-2004-2761 - hub tunnel certificate vulnerable - fix ?

    Broadcom Employee
    Posted 9 days ago
    Edited by Seshasai.Koduru 9 days ago
    Hello David,

    We have upgraded the signature hash algorithm to sha384 in the secure version of the hub (hub_secure which is part of the SecureBus). We are planning to upgrade the same in the regular hub as well. i.e. When the hub is in a tunnel server mode (acting as a CA), it would create certs using hash algorithm as sha384.
    What can be currently done till a new version of hub is released:
    1. Third-party certificates can be used as well with the tunnels. 
    2. Temporarily deploy secure_hub to the tunnel server system. Cleanup and re-create the required certificates (will be having sha384). Deploy again the regular hub.
    Note: Take required backup of the configurations and certs before applying these workarounds.

    Reference:

    Regards


  • 3.  RE: CVE-2004-2761 - hub tunnel certificate vulnerable - fix ?

    Posted 4 days ago
    Thanks for the info.
    Due to the amount of tunnel clients reporting into the hub server, it would be difficult to go to secure hub, even it only temporary.
    I could use the backup/clone of the hub server and deploy secure hub, then generate the cert. I am just unsure how I would be able to port that back to the "live" hub tunnel server. I know I can copy the cert to the hub/certs location but I am unsure how to enable this in the probe.
    I assume I could copy the keys from hub.cfg of the "clone" after adding new cert from <tunnels> <certs> <2> etc then add that with the vert to "live" hub.cfg