Apr 2, 2020

TLS/SSL Server Supports The Use of Static Key Ciphers

Today a colleague asked me about a vulnerability called "TLS/SSL Server Supports The Use of Static Key Ciphers" (ssl-static-key-ciphers).

This vulnerability has CVSS 2.6 (rated by Rapid7). According to Rapid7:

The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.

Here are the questions put to me:

  • What kind of vulnerability is this?
  • Since this vulnerability has a low (<4) CVSS rating, can we skip remediation?
  • Why does the vulnerability still exist even though I have followed PCI compliance by only allowing TLS 1.1 and TLS 1.2?

My answers:

  • To me, this is a kind of misconfiguration rather than a (missing) patch issue.
  • To me, this is not urgent, but it is an important vulnerability. With advanced GPU-based cracking, we cannot be sure that nobody will eventually be able to recover a session key and fully compromise the encrypted channel, given enough time.
  • Yes, even if you have only TLS 1.2 enabled, your system may still be vulnerable to a static key cipher attack. Referring to the post on Static Key Cipher Vs Perfect Forward Secrecy, disabling the weak protocol versions (SSLv2/SSLv3/TLS1.0) and only allowing the recommended ones (TLS1.1/TLS1.2) does not guarantee forward secrecy is always used, because forward secrecy depends on the key exchange of the negotiated cipher suite (ephemeral DHE/ECDHE versus static RSA/DH/ECDH), not on the protocol version.
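An added example (not part of the original post) that makes the last point concrete: it classifies cipher suites by key exchange, flags the static-key ones in a constructed scanner-style list, and checks a hardened OpenSSL cipher string against the local OpenSSL build before it is deployed. The suite list, the HARDENED string and the function names are my own assumptions.

```python
import ssl

# Constructed sample: suites a scanner might report on a TLS 1.2-only server
# (IANA names, as vulnerability scanners usually print them).
SCANNED_SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",        # static: RSA key exchange
    "TLS_RSA_WITH_AES_256_CBC_SHA",           # static: RSA key exchange
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",   # static: fixed ECDH key
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # ephemeral ECDH: forward secret
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",    # ephemeral DH: forward secret
    "TLS_AES_128_GCM_SHA256",                 # TLS 1.3: always (EC)DHE
]

# OpenSSL-style name prefixes that denote ephemeral Diffie-Hellman key exchange.
_OPENSSL_EPHEMERAL = ("ECDHE-", "DHE-", "EDH-", "EECDH-")


def is_forward_secret(suite: str) -> bool:
    """True when the suite's key exchange is ephemeral (EC)DHE.

    Handles IANA names (TLS_<kx>_WITH_<cipher>), TLS 1.3 names (no '_WITH_';
    key exchange is always ephemeral) and OpenSSL names (kx prefix, or none
    for plain RSA key exchange). Anything unrecognised is treated as static.
    """
    if suite.startswith("TLS_"):
        if "_WITH_" not in suite:
            return True  # TLS 1.3 suite
        kx = suite[len("TLS_"):suite.index("_WITH_")]
        return "DHE" in kx  # ECDHE_*/DHE_* yes; RSA, ECDH_*, DH_* no
    return suite.startswith(_OPENSSL_EPHEMERAL)


def static_key_suites(suites):
    """Return the subset of suites that lack forward secrecy."""
    return [s for s in suites if not is_forward_secret(s)]


def static_suites_in_local_context(cipher_string: str):
    """Apply an OpenSSL cipher string to a local context and report any
    static-key suites it still allows, so a config can be checked pre-deploy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return static_key_suites(c["name"] for c in ctx.get_ciphers())


# Assumed hardened OpenSSL string: ephemeral key exchange only, with RSA key
# exchange (kRSA) and anonymous/null suites explicitly excluded.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!eNULL"
```

Running `static_key_suites(SCANNED_SUITES)` returns the three static suites, and `static_suites_in_local_context(HARDENED)` returns an empty list when the string is applied correctly.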

Mar 5, 2020

List Users and Roles in Kenna

Last month, I created a Ruby script to list all users in Kenna, and found that I also needed to list all the roles alongside the user list.

Then I noticed I'm not a good Ruby developer.

I just rewrote the script in Python to list all users (including myself) and all roles in Kenna.

kenna-users
kenna-users.py -h

Feb 29, 2020

My Notes on VMware Products

Short/quick notes about VMware products: ESX, ESXi, vCenter, vSphere/client.

ESX/ESXi

  • Both are hypervisors that allow us to manage VMs on a physical host.
  • ESXi operates independently of a general-purpose OS, which simplifies management (Linux-based consoles), improves security, and gives a smaller footprint (32MB).
  • ESX must be installed on top of a general-purpose OS (Windows or Linux).
  • A virtual representation of the processing and memory resources of a physical machine running ESXi is known as a host.
  • Two or more ESXi hosts can be grouped into a cluster for resource-pool management.

VMware vCenter Server

  • Can be installed as a virtual machine on top of an ESXi server.
  • Allows centralized management of the entire virtual infrastructure: hosts and VMs.
  • Allows routine operations to be optimized on large-scale infrastructure.
  • Runs on Photon OS, Windows (discontinued) or a Linux-based appliance.
  • Allows single sign-on, inventory search (VMs, hosts, datastores, networks), notifications, and host profile configuration.
  • Scalability: runs up to 2000 hosts and 35000 VMs.
  • Enterprise features: vMotion, VMware High Availability, VMware Update Manager, VMware Distributed Resource Scheduler (DRS).
  • RBAC, performance monitoring and

vSphere and vSphere client/HTML5

  • vSphere is a suite that contains ESX, ESXi, vCenter and the vSphere client, and is used to build a modern software-defined data center (SDDC).
  • vSphere client/HTML5: used to access ESXi (small environments) and vCenter (large environments) for management.
  • The vSphere client is replaced by the HTML5-based vSphere client in vSphere 6.7.

Links:

  • https://www.mustbegeek.com/difference-between-vsphere-esxi-and-vcenter/
  • https://www.nakivo.com/blog/vmware-esxi-vs-vsphere-vs-vcenter-key-differences/

Feb 28, 2020

Show Kenna Connector Status

Working with the Kenna data set depends largely on input from the vulnerability scanning system. Sometimes the data upload is delayed because the Kenna connector takes too long to upload the data.

So I created a Python script that allows me to check the Kenna connector sync status.