#1  02-23-2009, 12:57 AM  Elite Member  Posts: 440
vulnerability issue

Hi,

Last week our ISM sent me a vulnerability report of the Zimbra server and they found the below points which need to be addressed:

1. "Deprecated SSL Protocol Usage - The remote service encrypts traffic using a protocol with known weaknesses"
2. Weak Supported SSL Cipher Suites
3. Web Server Uses Plain Text Authentication Forms
4. "Remote DNS Resolver Uses Non-Random Ports - The remote name resolver (or the server it uses upstream) may be vulnerable to DNS cache poisoning."
5. LDAP allows null bases


Please suggest.

Thanks
#2  02-23-2009, 01:04 AM  Moderator  Posts: 7,928

So do you use self-signed SSL certs? Do you allow only HTTPS for web client connections? Is LDAP available from outside the firewall? Did the ISM test from internally or externally?

#3  02-23-2009, 01:44 AM  Elite Member  Posts: 440

Hi... thanks for the quick reply.

So do you use self-signed SSL certs?

--> For our other dotcom solution we are using a self-signed SSL cert but not for the Zimbra console... for Zimbra we are only using the built-in SSL.

Do you allow only HTTPS for web client connections?

--> Yes, as per the architecture team we have to allow only HTTPS web client connections.

Is LDAP available from outside the firewall?

--> The Zimbra server is behind the firewall... the LDAP port is not open to the external world.

Did the ISM test from internally or externally?

--> The ISM test has been done internally...
#4  02-23-2009, 01:49 AM  Moderator  Posts: 7,928

Built-in SSL is a self-signed cert, so if you want stronger encryption, purchase certs for your domains.

If you go to http://<yourzimbraserver>, does it automatically redirect to https://<yourzimbraserver>?

I would ask your ISM to test from externally as well.
#5  02-23-2009, 02:29 AM  Elite Member  Posts: 440

Hmmmm... OK, we will purchase a certificate. Yes, I am sorry, for our dotcom solution we purchased a certificate.

No, when I type http it does not automatically redirect to https.

Yes, I know that by the standard way this testing should be done externally.

And for the last 2 points they have given the below solution:

4. "Remote DNS Resolver Uses Non-Random Ports - The remote name resolver (or the server it uses upstream) may be vulnerable to DNS cache poisoning." ----> "Contact your DNS server vendor for a patch"
5. "LDAP allows null bases" ----> "Disable NULL BASE queries on your LDAP server"

How to do that... and which DNS patch are they talking about? Any clue?

Thanks
#6  02-23-2009, 02:32 AM  Moderator  Posts: 7,928

Have you ever run Wiki :: zmtlsctl to switch to HTTPS only?

Do you have DNS installed on your ZCS server? If so, do you apply BIND updates from RedHat?
#7  02-23-2009, 03:25 AM  Elite Member  Posts: 440

Hi,

No, I never ran zmtlsctl on production, but yes, on staging I did it on an older version, and after that I was not able to access the web interface... I was getting "page cannot be displayed". But after the upgrade to 5.0.13 it's working... and tonight I am thinking of testing it on production to get HTTPS.

Yes, we have configured the DNS server on Zimbra itself and right now it is using the below bind packages:

[root@mail /]# rpm -qa | grep bind
bind-utils-9.3.3-10.el5
bind-chroot-9.3.3-10.el5
bind-9.3.3-10.el5
bind-libs-9.3.3-10.el5
ypbind-1.19-8.el5
[root@mail /]#

Do I need to update it?

#8  02-23-2009, 03:36 AM  Moderator  Posts: 7,928

Yep, as on CentOS5 I am running
Code:
bind-utils-9.3.4-6.0.3.P1.el5_2
bind-9.3.4-6.0.3.P1.el5_2
bind-chroot-9.3.4-6.0.3.P1.el5_2
bind-libs-9.3.4-6.0.3.P1.el5_2
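To turn the version comparison in posts #7 and #8 into a repeatable check, here is an added example (not from the thread or from Zimbra) that parses the `rpm -qa | grep bind` listing quoted in post #7 and flags every BIND package older than the version-release the moderator reports in post #8. The version ordering is a simplified reimplementation of rpm's rpmvercmp, and the listing is embedded as constructed sample input so the script runs offline.

```python
import re

# Constructed sample input: the `rpm -qa | grep bind` listing from post #7.
# ypbind is the NIS client, not BIND, and must be ignored.
RPM_QA_OUTPUT = """bind-utils-9.3.3-10.el5
bind-chroot-9.3.3-10.el5
bind-9.3.3-10.el5
bind-libs-9.3.3-10.el5
ypbind-1.19-8.el5"""

# The version-release the moderator reports as current in post #8.
PATCHED_VR = "9.3.4-6.0.3.P1.el5_2"
BIND_PACKAGES = {"bind", "bind-utils", "bind-chroot", "bind-libs"}


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split both strings into digit/alpha runs and
    compare run by run. Numeric runs compare as integers, alpha runs
    lexically, and a numeric run outranks an alpha run. Returns -1/0/1.
    (rpm's tilde/caret rules are omitted; EL5 BIND versions do not use them.)"""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(vr_a, vr_b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = vr_a.split("-", 1)
    vb, rb = vr_b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def outdated_bind_packages(rpm_output, patched_vr=PATCHED_VR):
    """Return [(name, installed_vr)] for BIND packages older than patched_vr."""
    outdated = []
    for line in rpm_output.splitlines():
        # name-version-release: version and release never contain '-'
        name, version, release = line.strip().rsplit("-", 2)
        if name not in BIND_PACKAGES:
            continue
        installed = f"{version}-{release}"
        if compare_vr(installed, patched_vr) < 0:
            outdated.append((name, installed))
    return outdated
```

Running `outdated_bind_packages(RPM_QA_OUTPUT)` reports all four bind packages from the listing as older than the patched level, which matches the moderator's "Yep" in post #8.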
#9  02-23-2009, 04:01 AM  Elite Member  Posts: 440

Thanks...

OK, I will discuss the SSL and BIND update with PL and get it done.

And what about LDAP? Or shall I ignore this warning as Zimbra is behind the firewall? Please suggest.

#10  02-23-2009, 04:04 AM  Moderator  Posts: 7,928

Ask IPM for a recommendation on how they would resolve it. Though as your server is behind a firewall, IMHO... I have done nothing on my server. You could even set up iptables on your ZCS server if you really wanted to and protect LDAP from internal probing as well.