"SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability"

Good afternoon, and sorry I haven't posted in a while.  I've been staying pretty busy.

So if you have been in IT or working with servers for very long, you're probably familiar with this guy:

*The most annoying appliance ever?*

So in case you're not familiar, this little guy sits in your datacenter, scanning your network, and spits out reports about all the potential vulnerabilities it finds on all your network devices and servers. Then you get to go fix all of those potential vulnerabilities so that you can maintain PCI compliance and such. Sometimes it's as easy as applying an OS patch. Sometimes it's making an obscure configuration change to an application that is just as likely to break the application as it is to plug the vulnerability.

"SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability" was a particularly annoying one. I'm making sure to put the exact title of the vulnerability as Qualys puts it so that maybe someday it will show up in somebody's Internet search and help them.  I wasn't so lucky.  There really wasn't much information out there on this particular vulnerability that applied to me; or so I thought at the time.  It seemed like the only information I could find on this vulnerability either pertained to Linux servers, or particularly to IIS on Windows Servers.  My server was a physical HP machine running Windows Server 2008 R2 with all the HP software installed... and I wasn't the only guy on the team who was hung up on this particular vulnerability.

Qualys will tell you that this vulnerability is tied to CVE-2011-3389 and so my first instinct was to look for the Microsoft-issued security advisory.  The particular Windows patch it was suggesting was already installed, and I didn't even have IIS installed on this server anyway.  This led me down the path of modifying system-wide registry settings like this, to no avail.  The same vulnerability kept showing up on subsequent scans.

So after taking a step back and thinking for a second, it occurred to me that Qualys was reporting this particular vulnerability on port 2381.  That's the port used by the HP System Management Homepage.  (A glorious piece of software... please note the sarcasm.) So maybe there's a configuration change I can make just to the SMH... and after Googling through some HP documentation I found this gem:

C:\hp\hpsmh\bin>smhconfig.exe -Z 'RC4-SHA'

That should restrict the cipher modes that the SMH is allowed to use to only RC4-SHA. (With a capital Z.)  But my version of smhconfig.exe didn't implement the -Z switch, so I updated it via the Proliant Support Pack, and then was able to successfully run the command.
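The scanner only tells you the finding is gone after its next run, so it helps to verify the smhconfig change yourself. The following Python probe is an added example, not part of the original post or of HP's tooling: it offers a TLS endpoint (host and port are arguments; SMH's 2381 is the case from the post) one cipher suite at a time and groups whatever the server accepts into the bucket the Qualys finding describes (CBC suites negotiated under SSLv3/TLSv1.0), RC4 suites (the post's workaround, which a later comment on this page flags as no longer secure), and everything else. The candidate cipher names are an assumption about what the local OpenSSL build knows, and the two SAMPLE_* dictionaries are constructed illustrations, not real scan output.

```python
"""Added example, not part of the original post or HP's smhconfig tooling.

Probes a TLS endpoint (e.g. HP SMH on port 2381) for the cipher suites it still
accepts and sorts them into the buckets a scanner cares about:
  cbc-tls10 : CBC suite negotiated under SSLv3/TLSv1.0 (the CVE-2011-3389 finding)
  rc4       : RC4 suite, the post's workaround; no longer considered secure
  other     : anything else (AEAD suites, or CBC on TLSv1.1 and later)
Only the Python standard library is used.
"""
import socket
import ssl
import sys

# Candidate OpenSSL cipher names, offered one at a time. Assumption: names the
# local OpenSSL build recognises; unknown ones are skipped by probe().
CANDIDATES = [
    "RC4-SHA", "RC4-MD5",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
]


def classify_cipher(name: str, protocol: str) -> str:
    """Bucket an OpenSSL cipher name negotiated under `protocol`
    (the string ssl reports: 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', ...)."""
    upper = name.upper()
    if "RC4" in upper:
        return "rc4"
    aead = any(tag in upper for tag in ("GCM", "CCM", "CHACHA20"))
    # The pre-AEAD suite families (AES128-SHA, DES-CBC3-SHA, ...) are all CBC
    # mode; the BEAST weakness needs them under SSLv3/TLSv1.0, where IVs chain.
    if not aead and protocol in ("SSLv3", "TLSv1"):
        return "cbc-tls10"
    return "other"


def _client_context(cipher: str) -> ssl.SSLContext:
    """Client context that offers exactly one cipher and allows legacy protocols."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # SMH uses a self-signed cert; only negotiation matters here
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # keep TLS 1.3 from masking the result
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        pass  # OpenSSL build without TLS 1.0 support; probe what it can
    try:
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")   # OpenSSL 1.1+: permit legacy suites
    except ssl.SSLError:
        ctx.set_ciphers(cipher)                    # older builds: no SECLEVEL keyword
    return ctx


def probe(host: str, port: int, candidates=CANDIDATES, timeout: float = 5.0) -> dict:
    """Return {negotiated_cipher: protocol} for every candidate the server accepts."""
    accepted = {}
    for cipher in candidates:
        try:
            ctx = _client_context(cipher)
        except ssl.SSLError:
            continue  # local OpenSSL does not know this suite at all
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock) as tls:
                    name, version, _bits = tls.cipher()
                    accepted[name] = version
        except (OSError, ssl.SSLError):
            pass  # handshake refused or no listener: the server does not offer this suite
    return accepted


def summarize(accepted: dict) -> dict:
    """Group probe results into the three buckets, each a sorted list of 'NAME (PROTO)'."""
    report = {"cbc-tls10": [], "rc4": [], "other": []}
    for name, proto in sorted(accepted.items()):
        report[classify_cipher(name, proto)].append(f"{name} ({proto})")
    return report


# Constructed sample results (not real scan output): what a probe might return
# before and after `smhconfig.exe -Z 'RC4-SHA'`.
SAMPLE_BEFORE = {"AES128-SHA": "TLSv1", "DES-CBC3-SHA": "TLSv1", "RC4-SHA": "TLSv1"}
SAMPLE_AFTER = {"RC4-SHA": "TLSv1"}

if __name__ == "__main__":
    if len(sys.argv) == 3:       # usage: python probe.py <host> <port>
        results = summarize(probe(sys.argv[1], int(sys.argv[2])))
    else:                        # offline demo on the constructed sample
        results = summarize(SAMPLE_AFTER)
    for bucket, suites in results.items():
        print(f"{bucket:10s} {', '.join(suites) or '-'}")
```

Run it as `python probe.py <host> 2381` against the server after the smhconfig change; an empty `cbc-tls10` bucket is what the Qualys finding is checking for. A populated `rc4` bucket is exactly the state the post's fix leaves you in, which is the point the 2015 comment makes.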

Problem solved. Vulnerability gone.

It was only after I went through all that, I went back to the original CVE-2011-3389 page and noticed this.  :P

Comments (5) -

This was very helpful especially when confronted with "HP System Management Homepage Command Injection Vulnerability" from Qualys. After installing v7.2.1.3 and applying the fix above (C:\hp\hpsmh\bin>smhconfig.exe -Z 'RC4-SHA'), I also disabled the autologon so you have to log on to the SMH.

Glad it helped!  Thanks for stopping by and commenting!

Is there a fix available for AIX Servers?

Romail Neil 4/30/2014 11:42:37 PM

Hi -

Can someone please help me to resolve this vulnerability with other HP software as listed below?

HP EVAPA - Part of HP P6000 Command View Software Suite
HP PPM - Part of HP P6000 Command View Software Suite
HP SMI-S - Part of HP P6000 Command View Software Suite
HP System Insight Manager

I was able to resolve it on the port that was running the HP SMH process but the same vulnerability is showing on different ports used by different HP software as mentioned above.

Any help will be much appreciated.


Bernd Webster 10/12/2015 3:44:24 AM

I know this entry is from 2012, however I would like to add the comment that RC4 is no longer secure. A better solution might be to disable that as well and keep only the "secure" ciphers in place which is mentioned here for example: www.admin-enclave.com/.../...agement-homepage.html