Weak cipher used with SSL profiles-f5-all


Vendor: f5

OS: all

Description:
Certain ciphers are now considered weak. Indeni will alert if any SSL profiles are set to use them.

Remediation Steps:
User is advised to reconfigure the SSL cipher used in the affected profile.

How does this work?
This alert logs into the F5 and retrieves the cipher strings being used by the management interface and scans for weak ciphers.

Why is this important?
Weak ciphers could allow man-in-the-middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors. This alert verifies that the management interface does not use any weak ciphers.

Without Indeni how would you find this?
Log into the device through SSH. Enter TMSH and issue the command "cd /;list ltm profile client-ssl recursive ciphers renegotiation renegotiate-size" to retrieve a list of all SSL client profiles and their ciphers. Then, for each cipher string, issue the command "tmm --clientciphers <cipher string>". Example: "tmm --clientciphers '!LOW:!SSLv3:!MD5:!RC4:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES'"
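The manual check above can be scripted. The following is an added example (not Indeni's parser and not code from the original page) that filters "tmm --clientciphers" output for the two suite patterns this page's rule flags, DES-CBC3 and RC4. The sample output, its assumed column layout, the function names and the profile name are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample of `tmm --clientciphers '<cipher string>'` output.
# Assumed columns: index, ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX.
sample_output() {
cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 2:    53  AES256-SHA                       256  TLS1.2  Native  AES      SHA     RSA
 3:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES      SHA     RSA
 4:    10  DES-CBC3-SHA                     168  TLS1    Native  DES      SHA     RSA
 5:     5  RC4-SHA                          128  TLS1    Native  RC4      SHA     RSA
EOF
}

# find_weak_ciphers PROFILE
# Reads expanded cipher output on stdin and prints one tab-separated line
# "profile, suite, vulnerability" per weak suite. A suite offered under
# several protocol versions is reported once.
find_weak_ciphers() {
    awk -v profile="$1" '
        # Data rows start with "<index>:", which skips the header line.
        $1 ~ /^[0-9]+:$/ {
            suite = $3
            reason = ""
            if (suite ~ /DES-CBC3/)  reason = "SWEET32"
            else if (suite ~ /RC4/)  reason = "Bar Mitzvah"
            if (reason != "" && !(suite in seen)) {
                seen[suite] = 1
                printf "%s\t%s\t%s\n", profile, suite, reason
            }
        }
    '
}

# On a device: tmm --clientciphers "$cipher_string" | find_weak_ciphers "$profile"
# Here the constructed sample and a hypothetical profile name are used instead.
sample_output | find_weak_ciphers "/Common/example-clientssl"
```

Note that the page's example string ends in RSA+3DES, which selects 3DES (DES-CBC3) suites, so its expansion is the kind of output this filter flags.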

f5-tmsh-list-sys-httpd-ssl-ciphersuite

name: f5-tmsh-list-sys-httpd-ssl-ciphersuite
description: Find usage of weak ciphers in the management interface
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    linux-based: 'true'
    shell: bash
comments:
    ssl-weak-cipher:
        why: |
            Weak ciphers could allow for man in the middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors. This alert verifies that the management interface does not use any weak ciphers.
        how: |
            This alert logs into the F5 and retrieves the cipher strings being used by the management interface and scans for weak ciphers.
        without-indeni: |
            Log into the device through SSH. Enter TMSH and issue the command "cd /;list ltm profile client-ssl recursive ciphers renegotiation renegotiate-size" to retrieve a list of all SSL Client profiles and their ciphers. Then for each cipher string, issue the command "tmm --clientciphers <cipher string>". Example: "tmm --clientciphers '!LOW:!SSLv3:!MD5:!RC4:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES'"
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Unknown
    ssl-weak-protocol:
        why: |
            Weak protocols could allow man-in-the-middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors. This alert verifies that the management interface does not use any weak protocols.
        how: |
            This alert logs into the F5 and retrieves the cipher strings being used by the management interface and scans for weak ciphers.
        without-indeni: |
            Log into the device through SSH. Enter TMSH and issue the command "cd /;list ltm profile client-ssl recursive ciphers renegotiation renegotiate-size" to retrieve a list of all SSL Client profiles and their ciphers. Then for each cipher string, issue the command "tmm --clientciphers <cipher string>". Example: "tmm --clientciphers '!LOW:!SSLv3:!MD5:!RC4:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES'"
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Unknown
steps:
-   run:
        type: SSH
        file: tmsh-list-sys-httpd-ssl-ciphersuite.remote.1.bash
    parse:
        type: AWK
        file: tmsh-list-sys-httpd-ssl-ciphersuite.parser.1.awk

CrossVendorSslWeakCipherRule

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package templatebased.crossvendor

import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.rules.RemediationStepCondition

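/**
  * Alerts when the "ssl-weak-cipher" metric reports a weak cipher for an SSL profile.
  * Items are selected by the "name" tag and described by the "cipher" tag; the
  * remediation text depends on the device vendor (F5 or Bluecoat).
  */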
case class CrossVendorSslWeakCipherRule() extends StateDownTemplateRule(
  ruleName = "CrossVendorSslWeakCipherRule",
  ruleFriendlyName = "All Devices: Weak cipher used with SSL profiles",
  ruleDescription = "Certain ciphers are now considered weak. Indeni will alert if any SSL profiles are set to use them.",
  metricName = "ssl-weak-cipher",
  applicableMetricTag = "name",
  descriptionMetricTag = "cipher",
  alertIfDown = false,
  alertItemsHeader = "Affected Profiles",
  alertDescription = "Certain SSL profiles have a weak cipher and are potentially opening traffic to known vulnerabilities.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = "User is advised to reconfigure the SSL cipher used in the affected profile.",
  itemSpecificDescription = Seq(
    ".*DES-CBC3.*".r -> "vulnerability SWEET32",
    ".*RC4.*".r -> "vulnerability Bar Mitzvah",
    ".*".r -> "")
)(RemediationStepCondition.VENDOR_F5 ->
  """
    |1. Follow the knowledge articles listed below for the weak cipher used. Since F5 devices present the attributes in alphabetical order (to the other side), be careful when adding a property.
    |2. DES-CBC3 cipher is considered weak (vulnerability SWEET32). See https://support.f5.com/csp/#/article/K13167034
    |3. RC4 cipher is considered weak. See https://support.f5.com/csp/#/article/K16864""".stripMargin,
  RemediationStepCondition.VENDOR_BLUECOAT ->
  """
    |1. Login via SSH to the Bluecoat ProxySG and enter privileged mode.
    |2. Run the following commands: config t -> ssl -> edit ssl-client default -> view
    |3. Command output will display a list of ciphers that are currently acceptable.
    |4. Remove any ciphers which are considered weak.""".stripMargin
)