Default certificate used-f5-all
Vendor: f5
OS: all
Description:
Many devices are pre-installed with a default SSL certificate. Generally, it’s good practice to replace these to ensure security when accessing these devices. indeni will alert if a default certificate is used.
Remediation Steps:
Install a non-default certificate.
How does this work?
This indeni script logs into the device through SSH and executes the command “openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout”.
Why is this important?
Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. This indeni alert checks if the default management certificate is used.
Without Indeni how would you find this?
An administrator can verify whether the default management certificate is used by logging into the device via the web interface and clicking on “System” -> “Device Certificates”. If “Certificate subject(s)” contains “localhost”, the default certificate is used. While performing this check, it would also be prudent to check whether the certificate used is trusted by looking at the address bar of the browser.
f5-openssl
name: f5-openssl
description: Determines if the default management certificate is used or not
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: f5
    product: load-balancer
    shell: bash
comments:
    default-management-certificate-used:
        why: |
            Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. This indeni alert checks if the default management certificate is used.
        how: |
            This indeni script logs into the device through SSH and executes the command "openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout".
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout
    parse:
        type: AWK
        file: openssl.parser.1.awk
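The parser file named in the parse step is not shown on this page. As an added example (not indeni's own parser), the following shell function applies the criterion from the manual check, a certificate subject containing "localhost", to the output of the openssl command above; the function name and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not indeni's openssl.parser.1.awk: classify the output of
# `openssl x509 -text -noout` by whether the Subject contains "localhost".

# Reads openssl text output on stdin; prints "default", "custom" or "unknown".
classify_mgmt_cert() {
    awk '
        # Match only the Subject line itself. "Subject Public Key Info:" and
        # "X509v3 Subject Alternative Name:" do not match this pattern.
        /^[ \t]*Subject:/ {
            found = 1
            subject = $0
            sub(/^[ \t]*Subject:[ \t]*/, "", subject)
            # Handles both "CN=host" and "CN = host" output styles.
            if (tolower(subject) ~ /localhost/) { is_default = 1 }
        }
        END {
            if (!found)          { print "unknown" }  # no Subject line in input
            else if (is_default) { print "default" }
            else                 { print "custom" }
        }
    '
}

# Constructed sample: abbreviated dump of a default-style certificate.
SAMPLE_DEFAULT='Certificate:
    Data:
        Issuer: O=Example, CN=localhost.localdomain
        Subject: O=Example, CN=localhost.localdomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption'

# Constructed sample: abbreviated dump of a replaced certificate.
SAMPLE_CUSTOM='Certificate:
    Data:
        Issuer: O=Example Corp, CN=Example Internal CA
        Subject: O=Example Corp, CN = bigip-mgmt.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:bigip-mgmt.example.com'

# On a device, pipe the command from this page into the function:
#   openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout | classify_mgmt_cert
printf 'default sample -> %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | classify_mgmt_cert)"
printf 'custom sample  -> %s\n' "$(printf '%s\n' "$SAMPLE_CUSTOM" | classify_mgmt_cert)"
```

The "unknown" result covers the case where the command fails or the file is not a certificate, so a missing Subject line is not silently reported as a replaced certificate.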
cross_vendor_default_certification