How to secure a GMS/Analyzer Web Server Service against weak ciphers and other vulnerabilities

03/26/2020 1,047 People found this article helpful 195,321 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

If your GMS/Analyzer server is publicly accessible, securing the web server service against weak ciphers and/or other vulnerabilities may be needed.
This article describes some basic steps to identify issues along with methods of mitigating such issues.

Resolution

 Step 1:

Identify if any vulnerabilities due to weak ciphers or other known vulnernabilities exist currently on your GMS/Analyzer server.
The following utility can scan your web service by providing the server URL:

https://sslanalyzer.comodoca.com/

This screen shot shows the types of vulnerabilities that may be seen:



Analysis:

Step 2:

Modify server.xml file to limit the ciphers/protocols/features that may be causing issues.

a) In Windows -  navigate to the following directory:

[installDir]:\GMSVP\Tomcat\conf\

b) Right-click the server.xml file and choose Edit.

c) Find the following connectors (two exist in Windows server.xml; Connector port may differ on your server):

<Connector port="443" address="0.0.0.0" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />

<Connector port="443" address="[::]" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />

d) Add the following values following the - secure="true" - value in the connector config:

SSLDisableCompression="true" SSLProtocol="TLSv1" SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH"

Example of change:

Description of changes:

SSLDisableCompression="true" (Disables Compression, which is vulnerable to CRIME attack)

SSLProtocol="TLSv1" (Disables SSLv3 which is vulnerable to Poodle)

SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH" (Disables weak ciphers) 

e) Save chages to the server.xml file and restart the GMS/Analyzer server

How to Test:

Re-scan using the SSL Analyzer utility you prefer and verify changes:

Additional info:

When GMS is installed on Windows, you may see a Vulnerability listed for - Secure Renegotiation  (Client-initiated).
This may not be fixed by applying changes in the article.
Tomcat does not see this issue as a specific vulnerability and no specific fix is listed.
For further info, refer to -
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat

Related Articles

• Specific syslog IDs are not seen in Analytics reports
• Upgrading to Analytics 2.5.0.4
• How to upgrade firmware for a group of firewalls in NSM

Categories

• Management and Reporting > Analyzer