SSL Vulnerability10 minutes to read
PAM360 scans SSL certificates in its repository and flags certificates that are prone to any vulnerability. This way, users are kept informed of certificates / server configurations that are insecure. Users can then take necessary remedial measures to replace or change the SSL certificates or server configurations. PAM360 scans your SSL environment for the following categories of vulnerability.
1. SSL Certificate Revocation StatusThis check is performed to get information about the revocation status of a selected certificate. If the certificate for any of your domains in use is revoked, you have to take steps to replace it immediately. Revocation status for a certificate is obtained using two methods. 1.1 Certificate Revocation List (CRL)i. Error:The selected certificate is revoked and can no longer be trusted. ii. What's the issue?Certificate Revocation List (CRL) is a list of SSL certificates that are revoked by the Certificate Authorities (CAs) before their expiration date. Certificates are revoked because of various reasons such as mis-issuances, private key compromise, CA compromise etc., CRLs are a kind of blacklist used by browsers to verify the validity of a certificate. Such tests are essential because, SSL certificates are the means by which browsers and users trust your identity and an invalid SSL certificate brings down their trust for your organization. PAM360 checks CRL revocation status for your certificates and flags certificates that have been revoked. 1.2 Online Certificate Service Protocol (OCSP) Revocation Statusi. Error:The selected certificate is revoked and can no longer be trusted. ii. What's the issue?Online Certificate Service Protocol (OCSP) is an internet protocol used for obtaining the revocation status of a digital certificate. Web browsers send the certificate in question to the respective Certificate Authority (CA). The CA then returns the response - 'valid', 'revoked' or 'unknown'. PAM360 checks OCSP revocation status for your certificates and flags certificates that have been revoked. Learn more about OCSP revocation iii. Workaround:If any of the above tests render positive for certificate revocation, you have to immediately replace the particular certificate. Failing to do so might cause browsers to throw security errors for your website. You can replace the revoked certificates with new certificates from trusted third parties directly from PAM360. Refer to the detailed help section to learn more about certificate request and deployment using PAM360. 2. SSL End-Server VulnerabilityEnd-server vulnerability is caused due to improper configuration of SSL protocol in your domain server. PAM360 tests your domain servers for the following end-server vulnerability. 2.1 Heartbleed Bugi. Error:The selected server is prone to Heartbleed vulnerability. ii. What's the issue?Heartbleed bug is a vulnerability in the OpenSSL, a popular open source cryptographic library that helps in the implementation of SSL and TLS protocols. This bug allows attackers to steal private keys attached to SSL certificates, usernames, passwords and other sensitive data without leaving a trace. PAM360 checks your domain servers for Heartbleed bug vulnerability and flags the affected servers. Learn more about Heartbleed bug iii. WorkaroundPatch your OpenSSL software. Replace the vulnerable versions with safe versions of the software. 2.2 POODLE SSLi. Error:The selected server is prone to POODLE attack. ii. What's the issue?The POODLE is a form of a man-in-the-middle attack that exploits the vulnerability in the CBC encryption scheme as implemented in the SSL 3.0 protocol. Though POODLE is not as serious as the Heatbleed vulnerability, best practices recommend you discover and mitigate the problem as quickly as possible. PAM360 scans your servers and flags servers that are vulnerable to POODLE attack. iii. Workaround:Disable SSL 3.0 protocol and enable TLS protocols (1.0, 1.1 and 1.2) on the client-side. It's to be noted that by default, PAM360 disables SSL 3.0 protocol on the PAM360 server. 2.3 SSL 3.0 Enabledi. ErrorThe selected server exploits the outdated SSL 3.0 protocol, which is prone to known vulnerabilities. ii. What's the issue?It has been discovered that SSL 3.0 protocol has a flaw in its design that makes it vulnerable to man-in-the-middle attacks. If you have a public facing website dealing with payments, you should immediately discover all servers that exploit SSL 3.0 and upgrade to TLS version. PAM360 scans servers in your network and flags all servers that make use of this protocol. Learn more about SSL 3.0 vulnerability iii. Workaround:Disable SSL 3.0 protocol and enable TLS protocols (1.0, 1.1 and 1.2) on the client-side. It's to be noted that by default, PAM360 disables SSL 3.0 protocol on the PAM360 server. 2.4 Weak Cipher Suitesi. Error:The selected server exploits weak SSL ciphers,which is a medium risk vulnerability. ii. What's the issue?Many organizations knowingly or unknowingly exploit weak SSL protocols and cipher suites in their domain servers which makes their website vulnerable to various MITM attacks. To play safe, they have to identify those weak ciphers, disable them and re-configure the domain servers. By default, SSL 3.0 is disabled on PAM360 server, which is a weak SSL protocol. In addition, PAM360 scans the end-point servers and flags the weak ciphers used in the TLS (1.0,1.1 and 1.2) protocol. iii. Workaround:Disable weak cipher suites and re-configure your domain server. 3. Key TakeawaysHere's a quick summary on how PAM360 scans your domain servers for vulnerability.
4. SSL Vulnerability ScanTo perform SSL vulnerability check on your domain server, follow the below steps:
To schedule automatic vulnerability scan,
Notes: | |
[Webinar] Weave privileged access security into your org-wide ITSM workflows. Register now