QualysGuard Enterprise Suite security scanner identifies Veritas Operations Manager (VOM) components
Problem
BACKGROUND
QualysGuard Enterprise Suite is a popular security scanning software in the computer industry.
ISSUE
QualysGuard Enterprise Suite flags VOM components, implying that VOM is not secure.
VOM is engineered as a secure product.
Error Message
Excerpt of a QualysGuard Enterprise Suite report pertaining to VOM:
Port 5643/tcp over SSL
SSL Certificate - Self-Signed Certificate
QID: 38169
Category: General Remote services
THREAT:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
The client can trust that the Server Certificate belongs to the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.
By exploiting this vulnerability, an attacker can impersonate the server by presenting a fake self-signed certificate. If the client knows that the server does not have a trusted certificate, it will accept this spoofed certificate and communicate with the remote server.
IMPACT:
By exploiting this vulnerability, an attacker can launch a man-in-the-middle attack.
SOLUTION:
Please install a server certificate signed by a trusted third-party Certificate Authority.
(Symantec note: please see the Symantec Solution regarding the certificate)
COMPLIANCE:
Not applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
Certificate #0 O=localhost, OU=NT_AUTHORITY, CN=SYSTEM is a self-signed certificate.
Cause
QualysGuard Enterprise Suite is not aware of the VOM design.
Solution
Please consider the following points regarding the use of the VOM product.
1) While the QualysGuard Enterprise Suite report suggests purchasing or generating a certificate, this is not necessary and cannot be implemented in the current structure of the product. See also the next point.
2) A 128-bit self-signed certificate is used. While this certificate is not issued by a known public authority, it is generated by a Veritas product during configuration and can be trusted.
3) VOM uses the HTTPS protocol on port 5634 to communicate between hosts in the VOM domain. Each host (Central Server and Managed Hosts) runs an xprtld process, a lightweight web server that uses HTTPS on this port for host-to-host communication.
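The check an administrator can apply to the certificate served on the xprtld port, as an added example that is not part of the Symantec article or the VOM product: parse the DER to confirm it is self-signed (issuer Name equal to subject Name, the property QID 38169 reports) and compare its SHA-256 fingerprint with the one recorded from the VOM Central Server, so that accepting the finding does not also accept a substituted certificate. The DER bytes would come from the host (for example ssl.get_server_certificate followed by ssl.PEM_cert_to_DER_cert); build_test_cert constructs a synthetic skeleton for offline runs, and the pinned fingerprint is a placeholder the operator records from the real deployment.

```python
import hashlib

def _tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = _tlv(value, off)
        out.append((tag, val))
    return out

def is_self_signed(der):
    """True when the certificate's issuer Name equals its subject Name (RFC 5280 TBSCertificate layout)."""
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    tbs = _children(_children(cert)[0][1])             # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                              # skip optional [0] EXPLICIT version
        tbs = tbs[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return tbs[2][1] == tbs[4][1]

def fingerprint(der):                                  # recorded once from the Central Server, pinned thereafter
    return hashlib.sha256(der).hexdigest()

def triage(der, pinned_sha256):
    """Classify a certificate seen on the xprtld port; the QID 38169 finding is accepted only on a pin match."""
    if not is_self_signed(der):
        return "ca-signed"
    if fingerprint(der) == pinned_sha256.lower():
        return "expected-vom-self-signed"
    return "unexpected-self-signed"

def _der(tag, payload):                                # short-form lengths suffice for the test skeleton
    return bytes([tag, len(payload)]) + payload

def build_test_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton for offline runs; not a real VOM certificate."""
    def name(cn):                                      # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))  # id-at-commonName
        return _der(0x30, _der(0x31, atv))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # version, serial, sigalg
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))  # issuer, validity, subject, spki
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))       # placeholder sig alg + signature
```

A result of "unexpected-self-signed" on port 5634 means the certificate differs from the one the Central Server generated and warrants investigation rather than the standing exception.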
Applies To
VOM 4.1, 5.0 and 6.0