Problem
Nessus 8.9 reports Backup Exec 22.1, 25.1 ciphers as deprecated
Error Message
Nessus report:
Backup Exec 22.1
SSL/TLS Deprecated Ciphers Unsupported (132675)
Descriptions
The remote host has open SSL/TLS ports which advertise deprecated cipher suites. The ciphers contained in these suites are no longer supported by most major SSL libraries such as OpenSSL, NSS, Mbed TLS, and wolfSSL and, as such, should not be used for secure communication.
Nessus 8.9 and later no longer supports these ciphers.
Backup Exec 25.1 64-bit block cipher 3DES vulnerable to SWEET32 attack
Broken cipher RC4 is deprecated by RFC 7465
Forward Secrecy not supported by any cipher
Cause
Some ciphers are left for backward compatibility.
A fix was released for Backup Exec 22.1. The ciphers reported in Backup Exec 25.1 will be fixed in the next release.
Solution
Backup Exec 22.1:
A hotfix is now available for the issue mentioned for Backup Exec 22.1 in the current version(s) of the product(s) mentioned. Refer to the Hotfix link under Related Articles to obtain the hotfix needed to resolve the issue.
This issue is fixed in Backup Exec 22.1 Hotfix 957650.
Note: After installing the above Hotfix (957650), security scanners may continue to report the following cipher as weak:
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (prime256v1) - A
This is expected: this cipher was deliberately left unchanged by the hotfix to maintain backward compatibility with Backup Exec 21 MBES servers. It will be addressed in a future major version release of Backup Exec.
Backup Exec 25.1 reports the following weak ciphers. These ciphers were not seen with BE 25.0 and BE 24.0. The weak ciphers reported in 25.1 will be removed in the next release, which is currently in progress.
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (prime256v1) - C
TLS_ECDH_ECDSA_WITH_RC4_128_SHA (prime256v1) - C
Note: The weak cipher cannot be exploited by a malicious client, as the communication goes through client and server certificate validation before a connection is established. The port is used for Central Administration Server (CAS) and Managed Backup Exec Server (MBES) communication. If both Backup Exec (BE) servers are on the latest release, the strong ciphers will be used.
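To tell which of the suites a scanner lists are flagged for a broken cipher (3DES/SWEET32, RC4/RFC 7465) and which only for missing forward secrecy (static ECDH key exchange, which is why the remaining TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 suite keeps being reported after the hotfix), here is an added triage script that is not part of this article or of Backup Exec. The sample scan lines are constructed from the suites named above plus one ECDHE suite that passes.

```python
import re

# Constructed sample in the layout the article quotes from the scanner:
# "<IANA suite name> (<curve>) - <grade>". The first three lines are the
# suites the article names; the ECDHE line is added to show a clean suite.
SAMPLE_SCAN = """\
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (prime256v1) - A
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (prime256v1) - C
TLS_ECDH_ECDSA_WITH_RC4_128_SHA (prime256v1) - C
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (prime256v1) - A
"""

SUITE_LINE = re.compile(r"^(TLS_[A-Z0-9_]+)(?:\s+\(([^)]+)\))?(?:\s+-\s+([A-F]))?\s*$")


def findings_for(suite):
    """Return the reasons a scanner flags an IANA cipher-suite name, in the
    order the article lists them: 3DES/SWEET32, RC4/RFC 7465, no forward secrecy."""
    issues = []
    if "_3DES_" in suite:
        issues.append("SWEET32: 64-bit block cipher (3DES)")
    if "_RC4_" in suite:
        issues.append("RC4 deprecated by RFC 7465")
    # Key exchange is the token before _WITH_ (ECDH vs ECDHE, RSA vs DHE).
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) carry no key-exchange token
    # and are always ephemeral, so they are never flagged here.
    kex, _, _ = suite.partition("_WITH_")
    tls13 = suite.startswith(("TLS_AES_", "TLS_CHACHA20_"))
    if not tls13 and "DHE" not in kex:
        issues.append("no forward secrecy: static key exchange (%s)" % kex[4:])
    return issues


def triage(scan_text):
    """Parse scanner lines into {suite: {curve, grade, issues}}; other lines are skipped."""
    result = {}
    for line in scan_text.splitlines():
        m = SUITE_LINE.match(line.strip())
        if not m:
            continue
        suite, curve, grade = m.groups()
        result[suite] = {"curve": curve, "grade": grade, "issues": findings_for(suite)}
    return result


def still_flagged(scan_text):
    """Suites a scanner keeps reporting although no broken cipher is involved,
    i.e. the only finding is missing forward secrecy (the post-hotfix case above)."""
    return sorted(s for s, v in triage(scan_text).items()
                  if v["issues"] and all(i.startswith("no forward secrecy") for i in v["issues"]))


if __name__ == "__main__":
    for suite, info in triage(SAMPLE_SCAN).items():
        print(f"{suite:42} grade {info['grade']}: {'; '.join(info['issues']) or 'ok'}")
```

Feed it the suite lines from a Nessus or sslscan report to see which findings a BE 22.1 hotfix will clear and which (the static-ECDH suite) will persist until the next major release.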