Good afternoon, and sorry I haven't posted in a while. I've been staying pretty busy.
So if you have been in IT or working with servers for very long, you're probably familiar with this guy:
*The most annoying appliance ever?*
So in case you're not familiar, this little guy sits in your datacenter, scanning your network, and spits out reports about all the potential vulnerabilities it finds on all your network devices and servers. Then you get to go fix all of those potential vulnerabilities so that you can maintain PCI compliance and such. Sometimes it's as easy as applying an OS patch. Sometimes it's making an obscure configuration change to an application that is just as likely to break the application as it is to plug the vulnerability.
"SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability" was a particularly annoying one. I'm making sure to use the exact title of the vulnerability as Qualys reports it so that maybe someday it will show up in somebody's Internet search and help them. I wasn't so lucky: there really wasn't much information out there on this particular vulnerability that applied to me, or so I thought at the time. It seemed like the only information I could find either pertained to Linux servers or specifically to IIS on Windows servers. My server was a physical HP machine running Windows Server 2008 R2 with all the HP software installed... and I wasn't the only one on the team who was hung up on this particular vulnerability.
Qualys will tell you that this vulnerability is tied to CVE-2011-3389, so my first instinct was to look for the Microsoft-issued security advisory. The particular Windows patch it suggested was already installed, and I didn't even have IIS installed on this server anyway. That led me down the path of modifying system-wide registry settings like this, to no avail: the same vulnerability kept showing up on subsequent scans.
So after taking a step back and thinking for a second, it occurred to me that Qualys was reporting this particular vulnerability on port 2381, which is the port used by the HP System Management Homepage (a glorious piece of software... please note the sarcasm). So maybe there was a configuration change I could make just to the SMH, and after Googling through some HP documentation I found this gem:
```
C:\hp\hpsmh\bin>smhconfig.exe -Z 'RC4-SHA'
```
That should restrict the cipher suites the SMH is allowed to use to RC4-SHA only (note the capital Z). But my version of smhconfig.exe didn't implement the -Z switch, so I updated it via the ProLiant Support Pack and was then able to run the command successfully.
Problem solved. Vulnerability gone.
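As an added check (this is not code from the post, from HP or from Qualys), here is a small Python evaluator for an OpenSSL-style cipher string like the one passed to -Z: it reports whether the list still contains CBC-mode suites that a TLS 1.0 client can negotiate, and separately calls out RC4, which is no longer an acceptable substitute (RFC 7465). It assumes the -Z argument follows OpenSSL cipher-string syntax, which the 'RC4-SHA' name suggests but HP's documentation is not quoted here to confirm.

```python
# Added example (not from the post, HP or Qualys): evaluate an OpenSSL-style cipher
# string, such as the one handed to `smhconfig.exe -Z`, and report whether it still
# permits CBC-mode suites that a TLS 1.0 client can negotiate, the class this
# finding is about. Group aliases (HIGH, ALL, ...) are not expanded here; resolve
# them with `openssl ciphers -v '<string>'` before trusting a verdict.

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def classify_suite(name: str) -> str:
    """Classify one OpenSSL suite name: 'alias', 'null', 'aead', 'stream' or 'cbc'."""
    n = name.upper()
    if "-" not in n:                      # ALL, HIGH, kRSA, ... are aliases, not suites
        return "alias"
    if "NULL" in n:                       # NULL-SHA, ECDHE-RSA-NULL-SHA: no encryption
        return "null"
    if any(m in n for m in AEAD_MARKERS): # AEAD suites exist only in TLS 1.2 and later
        return "aead"
    if "RC4" in n:                        # a stream cipher, so not CBC; note that RC4
        return "stream"                   # itself is prohibited in TLS by RFC 7465
    return "cbc"                          # AES128-SHA, DES-CBC3-SHA, CAMELLIA*, SEED-SHA


def negotiable_under_tls10(name: str) -> bool:
    """CBC suites with SHA-256/384 MACs (e.g. AES128-SHA256) require TLS 1.2."""
    n = name.upper()
    return not (n.endswith("SHA256") or n.endswith("SHA384"))


def evaluate(cipher_string: str) -> dict:
    """Bucket the suites of a cipher string; '!'/'-' entries are removals and skipped."""
    report = {k: [] for k in ("cbc_tls10", "cbc_tls12_only", "stream", "aead", "null", "alias")}
    for entry in cipher_string.split(":"):
        entry = entry.strip()
        if not entry or entry.startswith(("!", "-", "@")):
            continue                      # removed suites and @STRENGTH-style directives
        name = entry.lstrip("+")          # '+' only moves a suite to the end of the list
        kind = classify_suite(name)
        if kind == "cbc":
            kind = "cbc_tls10" if negotiable_under_tls10(name) else "cbc_tls12_only"
        report[kind].append(name)
    return report


def tls10_cbc_exposed(cipher_string: str) -> bool:
    """True if the string still offers a CBC suite that a TLS 1.0 client can negotiate."""
    return bool(evaluate(cipher_string)["cbc_tls10"])
```

Running `evaluate("RC4-SHA")` shows why the post's fix cleared the finding (no CBC suite left) and also that the remaining suite lands in the `stream` bucket, which is the one to revisit now that RC4 is prohibited.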
Only after going through all of that did I go back to the original CVE-2011-3389 page and notice this. :P