Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
Reload this Page Need help on closure of SSL related vulnerability

Welcome to the Zimbra :: Forums!
Welcome, if you would like to post a comment please register. We also encourage you to explore all things Zimbra with our team and members of the community.

Reply
 
LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 07-12-2010, 02:59 AM
Elite Member
  
Posts: 440
Default Need help on closure of SSL related vulnerability
Hi Guys,

I upgraded my zimbra setup from zcs 5.0.13 to zcs 6.0.6.1 successfully and its working fine from last two week.
When we ran penetration test we found some vluernability related to SSL...please have a look on this details :


################################################## ##

SSL / TLS Renegotiation Handshakes MiTM plaintext data injection


Potential business imapct :
A remote attacker could exploit this vlunerability via man-in-middle techniques to inject data into the beginning of the application protocol stream to execute HHTP transcations, bypass authentication and possibly launch further attacks against the victim.

#################################################


Can anyone please help to understand this vlunerability...actually i dont understand wht it mean...it is the issue with the SSL do communication ? or is it issue with certificate itself ?

#################################################

We are using external certificate for webmail which is stored in F5- network load balancer and for outlook connection we are using self - signed zimbra certificate.


Please guide.

Thanks
Reply With Quote
  #2 (permalink)  
Old 02-20-2011, 09:18 PM
Elite Member
  
Posts: 440
Default
Hi Guys,


In every version, i am getting below vulnerabilities and really couldnt find out the way to fix it...

1. SSL Certificate Signed using Weak Hashing Algorithm

Details : The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These algorithms are known to be vulnerable to collision attacks.

2. SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Details : The remote service encrypts traffic using TLS / SSL but allows a client to renegotiate the connection after the initial handshake. An unauthenticated remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.



Can anyone please guide me to fix these SSL related vulnerabilities...


Thanks
Reply With Quote
Reply

« Previous Thread | Today's Posts or Week's Posts | Next Thread »

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode


Similar Threads

Product Information

Why Join?

Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.

blog.zimbra.com


Home - Blog - Contact Us - Archive - Top


 

SEO by vBSEO ©2011, Crawlability, Inc.