Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor

TLSv1.2 weak Cipher due to Diffie-Hellman DH key size too small

Recently some customers have reported that their vulnerability scan report a problem with Weak Ciphers used in TLSv1.2 connections, specifically some of these ciphers can negotiate a Diffie-Helman, DH key size that is only 1024 bytes.

Qualys identifies this as QID 38863 - Weak SSL/TLS Key Exchange

Authentication Manager, at least since version 8.4, has Ciphers that only allow 2048 byte DH keys, including
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

So as long as these Ciphers are used there is no vulnerability. As part of RSA Engineering review and update plans, new Ciphers will be evaluated and implemented into updates, currently targeted for patch 1 on AM 8.7, which is tentatively scheduled for General Availability, GA on August 23rd, 2022.

24 Replies
VerhaegenPas
Contributor
Contributor

Any idea when this patch will be released? It's almost a month after the target date and still no release. Almost every other supplier has released patches for their products to fix this.

0 Likes
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor

patch 4 for AM 8.6 is out, but p1 for AM 8.7 is scheduled for Sept. 28th.

Good to hear that. Thank you very much for the update.

0 Likes
VerhaegenPas
Contributor
Contributor

So still no update. Do you have a update for this please? Can we make the fix ourselves, as adjusting this is a fairly easy fix?

0 Likes

Patch 4 does not fix this issue. i just updated and tested and it still fails.

Id like to know when 8.7 patch is coming so it fixes the issue.

I have a PCI audit next week and this is an issue because i cant patch it

JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor

AM 8.7 P1 will include an updated config.xml file, which will not include the weak ciphers due to DH key size too small, and retain the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers, and introduce new Ciphers.

With AM 8.6, including P4, you would have to edit the config.xml file and comment out or delete the weak Ciphers, leaving only the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers in /opt/rsa/am/server/config/config.xml

0 Likes

I have already updated to 8.7!
I had raised a case about this and was not told about the 8.6 patch 4 fix, so now I have to wait for patch 1.

Is there a timeline for that release?
0 Likes
VerhaegenPas
Contributor
Contributor

Can we please get an update? This patch is now pending for several months....

Our security department has advised us to move away from this product, as it takes much too long before any vulnerability is fixed. Which is pretty ironic for a product with "securID" in the name. But we still need to get this fixed.

0 Likes

First it was 23rd August, then it was the 28th September, hopefully pretty soon. It such an easy fix/implementation as well.

0 Likes