Weak security protocol used with SSL profiles-f5-all

Vendor: f5

OS: all

Description:
Certain security protocols are now considered weak. Indeni will alert if any SSL profiles are set to use them.

Remediation Steps:
User is advised to reconfigure the security protocol used in the affected profile.

1. Follow the knowledge articles listed below for the weak protocol in use.
2. SSLv3 is considered a vulnerable communication protocol. See https://support.f5.com/csp/#/article/K15702
3. SSLv2 is considered a vulnerable communication protocol. See https://support.f5.com/csp/#/article/K23196136

How does this work?
This alert logs into the F5 and retrieves the cipher strings being used by each profile and scans for weak protocols.

Why is this important?
Weak protocols could enable man-in-the-middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors.

Without Indeni how would you find this?
Log into the device through SSH. Enter TMSH and issue the command "cd /;list ltm profile client-ssl recursive ciphers renegotiation renegotiate-size" to retrieve a list of all SSL Client profiles and their ciphers. Then for each cipher string, issue the command "tmm --clientciphers " followed by that cipher string. Example: "tmm --clientciphers '!LOW:!SSLv3:!MD5:!RC4:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES'"
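The manual check above can be scripted: extract each profile's cipher string from the tmsh listing, expand it the way tmm does, and report any profile whose expansion still contains SSL2/SSL3 rows. This is an added example, not Indeni's own parser; the tmsh listing and tmm output are constructed samples, and fake_tmm is a hypothetical stand-in for "tmm --clientciphers" so the script runs off-device.

```shell
#!/bin/sh
# Constructed sample of "tmsh -c 'cd /;list ltm profile client-ssl recursive ciphers'".
TMSH_LIST='ltm profile client-ssl /Common/clientssl {
    ciphers DEFAULT
}
ltm profile client-ssl /Common/legacy-app {
    ciphers ALL:!LOW:!EXPORT
}'
# Constructed sample rows in the "tmm --clientciphers" layout (PROT is column 5).
TMM_ROWS_TLS='       ID  SUITE                        BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384 256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA'
TMM_ROWS_SSL3=' 1:    53  AES256-SHA                  256  SSL3    Native  AES      SHA     RSA
 2:     5  RC4-SHA                     128  SSL3    Native  RC4      SHA     RSA'

# Print "profile<TAB>cipherstring" for each profile in a tmsh listing read on stdin.
profile_ciphers() {
    awk '/^ltm profile client-ssl / { name = $4 }
         /^ *ciphers / { print name "\t" $2 }'
}

# Read "tmm --clientciphers" output on stdin; print each weak protocol (SSL2/SSL3)
# found in the PROT column, one per line; prints nothing when the expansion is clean.
weak_protocols() {
    awk 'NR > 1 && $5 ~ /^SSL[23]$/ { print $5 }' | sort -u
}

# Hypothetical offline stand-in for "tmm --clientciphers <string>": strings that
# exclude SSLv3 (or DEFAULT) expand to TLS rows only, anything else also gets SSL3 rows.
fake_tmm() {
    printf '%s\n' "$TMM_ROWS_TLS"
    case "$1" in *!SSLv3*|DEFAULT) ;; *) printf '%s\n' "$TMM_ROWS_SSL3" ;; esac
}

# Read a tmsh listing on stdin, expand every cipher string with the given command
# (on a device: "scan_profiles tmm --clientciphers"), report offending profiles as
# "profile<TAB>cipherstring<TAB>weak protocols".
scan_profiles() {
    profile_ciphers | while IFS="$(printf '\t')" read -r name ciphers; do
        weak=$("$@" "$ciphers" | weak_protocols | tr '\n' ' ')
        if [ -n "$weak" ]; then
            printf '%s\t%s\t%s\n' "$name" "$ciphers" "$weak"
        fi
    done
}

printf '%s\n' "$TMSH_LIST" | scan_profiles fake_tmm
```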

f5-tmsh-list-profile-client-ssl-recursive-ciphers

name: f5-tmsh-list-profile-client-ssl-recursive-ciphers
description: Find usage of weak ciphers
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    shell: bash
comments:
    ssl-weak-cipher:
        why: |
            Weak ciphers could allow for man in the middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors.
        how: |
            This alert logs into the F5 and retrieves the cipher strings being used by each profile and scans for weak ciphers.
        can-with-snmp: false
        can-with-syslog: false
    ssl-weak-protocol:
        why: |
            Weak protocols could enable man-in-the-middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors.
        how: |
            This alert logs into the F5 and retrieves the cipher strings being used by each profile and scans for weak protocols.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        file: tmsh-list-ltm-profile-client-ssl-recursive-ciphers.remote.1.bash
    parse:
        type: AWK
        file: tmsh-list-ltm-profile-client-ssl-recursive-ciphers.parser.1.awk

CrossVendorSslWeakProtocolRule

Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/CrossVendorSslWeakProtocolRule.scala