Find weak ciphers (RC4-SHA and RC4-MD5) Solaris using script
APPLIES TO : Solaris 10 and 11
ISSUE : SSL/TLS use of the weak RC4 cipher on port 3872
GOAL : Find and disable SSL/TLS use of the weak RC4 cipher
SOLUTION : Run the attached script on the affected server. Modify the IP address to the affected server's primary IP and the port mentioned in the scan report; here the port is 3872. The required changes have to be applied by the Oracle Database team on the 13C Cloud Server.
Port 3872 - Cloud Control Agent; only the OMS connects to this port.
SCRIPT : Script Download
#!/usr/bin/env bash
# Probe a TLS endpoint with every cipher suite the local OpenSSL knows and
# report which ones the server accepts.
# OpenSSL requires the port number: set SERVER to the affected host's
# primary IP and the port from the scan report (here 3872).
SERVER=192.168.1.10:3872
DELAY=1   # seconds to pause between handshakes so the agent is not flooded
# "openssl ciphers" returns a colon-separated list; make it space-separated.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo "Obtaining cipher list from $(openssl version)."
for cipher in $ciphers
do
    echo -n "Testing $cipher..."
    # A handshake the server rejects shows up as an ":error:" line on stderr.
    result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1)
    if [[ "$result" =~ ":error:" ]] ; then
        # $result is left unquoted on purpose: it joins all output lines into
        # one, so field 6 of the OpenSSL error line is the readable reason.
        error=$(echo -n $result | cut -d':' -f6)
        echo "NO ($error)"
    else
        if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]] ; then
            echo YES
        else
            echo UNKNOWN RESPONSE
            echo "$result"
        fi
    fi
    sleep "$DELAY"
done
SCRIPT Output : Here the weak ciphers RC4-SHA, RC4-MD5 and DES-CBC3-SHA are accepted on port 3872, so the service is vulnerable. The required changes have to be applied by the Oracle Database team on the 13C Cloud Server.
JUDI-DEV-TEST01# ./ssl_test_script.sh|grep RC4
Testing ECDHE-RSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-RC4-SHA...NO (sslv3 alert handshake failure)
Testing ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing DES-CBC3-SHA...YES
JUDI-DEV-TEST01#
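The script prints one line per cipher, which still has to be read by eye. The following is an added example (not part of the original post) that turns that output into a findings list: it classifies each accepted suite and returns non-zero when any weak one is accepted, so it can serve as a pass/fail check. The weakness categories (RC4, 3DES, single DES, MD5 MAC, NULL, export-grade and anonymous key exchange) are my assumption of what such scan reports flag, and the sample output lines are constructed from the ones shown above.

```shell
#!/usr/bin/env bash
# Added example: classify the cipher names ssl_test_script.sh prints and
# flag the ones a scanner reports as weak (categories are an assumption).

# classify_cipher NAME -> prints "WEAK:<reason>" or "OK".
classify_cipher() {
  case "$1" in
    *NULL*)                echo "WEAK:null-encryption" ;;
    EXP-*|*-EXPORT*)       echo "WEAK:export-grade" ;;
    ADH-*|AECDH-*)         echo "WEAK:anonymous-key-exchange" ;;
    *RC4*)                 echo "WEAK:RC4" ;;
    *DES-CBC3*)            echo "WEAK:3DES" ;;
    DES-CBC-*|*-DES-CBC-*) echo "WEAK:single-DES" ;;
    *-MD5)                 echo "WEAK:MD5-MAC" ;;
    *)                     echo "OK" ;;
  esac
}

# report_accepted: reads ssl_test_script.sh output on stdin, prints one
# "<cipher> <verdict>" line per suite the server accepted ("...YES"),
# and returns 1 if any accepted suite is weak (0 otherwise).
report_accepted() {
  local line cipher verdict weak=0
  while IFS= read -r line; do
    case "$line" in
      "Testing "*"...YES") ;;   # keep only accepted suites
      *) continue ;;
    esac
    cipher=${line#Testing }
    cipher=${cipher%...YES}
    verdict=$(classify_cipher "$cipher")
    printf '%s %s\n' "$cipher" "$verdict"
    [ "$verdict" = "OK" ] || weak=1
  done
  return "$weak"
}

# Constructed sample output, modelled on the lines shown in the post.
SAMPLE_OUTPUT='Testing ECDHE-RSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing DES-CBC3-SHA...YES
Testing AES128-SHA...YES'

if printf '%s\n' "$SAMPLE_OUTPUT" | report_accepted; then
  echo "no weak ciphers accepted"
else
  echo "weak ciphers accepted: remediation required"
fi
```

In practice, pipe the real script into it: ./ssl_test_script.sh | report_accepted, and act on a non-zero exit status.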
~Judi~