SecurID® Discussions
JayNewman
New Contributor

Multiple vulnerabilities on RSA SecurID appliance

Our internal vulnerability scans are reporting the following vulnerabilities on our SecurID appliance. Please advise as to how we can remediate them.

Ports 7004, 7002, 443: SSL Certificate Signed Using Weak Hashing Algorithm

Also, HSTS setting is missing from the webserver settings.


1 Reply
JayGuillette
Apprised Contributor

HSTS total explanation

Additional information to the Knowledge Base article:

HSTS (Strict-Transport-Security) Header Explanation for RSA Authentication Manager 8.x

https://community.rsa.com/t5/securid-knowledge-base/hsts-strict-transport-security-header-explanation-for-rsa/ta-p/655789

When a vulnerability scanner reports a finding of "No HSTS" (no HTTP Strict Transport Security headers), it is important to note the details, because there could be three or four separate reasons for this finding based on the URL reported.


  1. Valid Authentication Manager console URLs, e.g. https://<AM_server_FQDN>:7004/console-ims & https://<AM_server_FQDN>:7072/operations-console
  2. Valid RSA Authentication Manager internal ports that do not support HTTP, e.g. https://<AM_server_FQDN>:7002 which is used for replication
  3. Invalid Authentication Manager URL with no page associated and which returns an Error such as HTTP 404, e.g. https://<AM_server_FQDN>:7004/
  4. An Authentication Manager pop-up Help page, e.g. https://am83p.vcloud.local:7004/console-infocenter/en_US/?lang=en_US

One example of checking for HSTS yourself:

AM server Security Console https://am83p.vcloud.local:7004/console-ims

redirects to

https://am83p.vcloud.local:7004/console-ims/Index.jsp

In Chrome, you can verify that Strict-Transport-Security is set by pressing:

  1. [F12] to open browser developer tools
  2. [F5] to refresh your page
  3. Go to the Network tab.
  4. Click on your website entry at the top, Index.jsp.
  5. Go to the Headers tab.
  6. Scroll down to the Response Headers section.

Here you will see the strict-transport-security setting.

Security Console index.jsp

<screen shot>

If your scan finds HSTS missing, copy and paste the URL from the scan finding into your browser to see if it is valid. Internal ports for services such as Replication do not have web pages associated, and therefore cannot be exploited by HTTP attacks. These pages will show either "Invalid Request" or an HTTP error such as 400 or 404.

HSTS_HTTP_400.png

<screen shot>

If your scanner finds a Help Page, with a URL that contains "/console-infocenter/", without HSTS, the Engineering response is that Help Pages are static and cannot be changed, and therefore are not vulnerable to any HTTP exploit that HSTS would protect from.

HSTS_console_Help_Pop-up.png

<screen shot>

Finally, if your Security Team refuses to accept these RSA Engineering responses that HTTP error pages do not need HSTS enabled, contact RSA Support and ask about the instructions on how to add HSTS headers to all AM service responses, even for invalid URLs which return errors such as 404. This manual configuration will eventually be added to Authentication Manager patches, but no timeline has been set.

Basically you add HSTS to the *wrapper files associated with the AM services such as console, biztier and Admin services. Engineering is considering adding these in a future patch.

Regards,

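The triage the reply describes, as an added example that is not part of the original post or of any RSA tool: a small Python script that sorts "No HSTS" scanner findings into the four cases listed above (valid console page, replication port 7002 with no web pages, error page such as 400/404, static pop-up Help page under /console-infocenter/) and reports only a live console page that really lacks the header as needing remediation. The host name am83p.vcloud.local, the ports, and the sample responses are constructed for illustration; the `max-age` value is a placeholder, not what Authentication Manager actually sends.

```python
# Added example (not RSA's code): triage "No HSTS" scanner findings for an RSA
# Authentication Manager 8.x host according to the four cases in the reply.
# Host name, ports, paths and sample responses are constructed for illustration.
import sys
import ssl
import http.client
from urllib.parse import urlparse

HELP_PATH = "/console-infocenter/"   # static pop-up Help pages (cannot be changed)
NON_HTTP_PORTS = {7002}              # replication port: no web pages to protect
ERROR_STATUSES = {400, 404}          # "Invalid Request" / page not found


def hsts_header(headers):
    """Return the Strict-Transport-Security value, or None if absent.
    HTTP header names are case-insensitive, so compare lower-cased."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return value
    return None


def classify_finding(url, status, headers):
    """Map one scanner finding (URL, status code, response headers) to a verdict.

    'internal-port'     : port with no web pages, not exploitable via HTTP
    'hsts-present'      : header is there, scanner finding is a false positive
    'error-page'        : invalid URL, returns 400/404, no page to protect
    'static-help'       : /console-infocenter/ Help page, static content
    'needs-remediation' : a live page without the header (the only real gap)
    """
    parsed = urlparse(url)
    port = parsed.port or 443
    path = parsed.path or "/"
    if port in NON_HTTP_PORTS:
        return "internal-port"
    if hsts_header(headers) is not None:
        return "hsts-present"
    if status in ERROR_STATUSES:
        return "error-page"
    if path.startswith(HELP_PATH):
        return "static-help"
    return "needs-remediation"


def fetch_status_and_headers(url, timeout=10):
    """Live check, equivalent to reading Response Headers in the Network tab.
    Redirects are not followed: a redirect from /console-ims is returned as-is,
    so point the script at the final URL (e.g. .../console-ims/Index.jsp)."""
    parsed = urlparse(url)
    target = parsed.path or "/"
    if parsed.query:
        target += "?" + parsed.query
    conn = http.client.HTTPSConnection(
        parsed.hostname, parsed.port or 443, timeout=timeout,
        context=ssl.create_default_context())   # certificate is verified
    try:
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed sample findings: (url, status, response headers).
SAMPLE_FINDINGS = [
    ("https://am83p.vcloud.local:7004/console-ims/Index.jsp", 200,
     {"Strict-Transport-Security": "max-age=31536000", "Content-Type": "text/html"}),
    ("https://am83p.vcloud.local:7002/", 400, {"Content-Type": "text/plain"}),
    ("https://am83p.vcloud.local:7004/", 404, {"Content-Type": "text/html"}),
    ("https://am83p.vcloud.local:7004/console-infocenter/en_US/?lang=en_US", 200,
     {"Content-Type": "text/html"}),
    ("https://am83p.vcloud.local:7004/console-ims/Index.jsp", 200,
     {"Content-Type": "text/html"}),   # header missing on a live console page
]


def triage(findings):
    """Return [(url, verdict), ...] for a list of findings."""
    return [(url, classify_finding(url, status, headers))
            for url, status, headers in findings]


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live mode: URLs on the command line
        for url in sys.argv[1:]:
            status, headers = fetch_status_and_headers(url)
            print(f"{classify_finding(url, status, headers):18} {status} {url}")
    else:                                      # offline demo on constructed data
        for url, verdict in triage(SAMPLE_FINDINGS):
            print(f"{verdict:18} {url}")
```

Run it with no arguments to see the verdict for each constructed finding; pass one or more URLs to check a real host, in which case the script performs the same GET the browser does and reads the headers directly. Only the `needs-remediation` verdict corresponds to a page where the manual *wrapper configuration mentioned by RSA Support would make a difference.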