#1  12-02-2010, 12:38 PM  (Junior Member, Posts: 7)
SSL Server Allows Anonymous Authentication Vulnerability

We just had an internal vulnerability scan done. The company used a Qualys appliance and the report showed three entries on my Zimbra server.

"SSL Server Allows Anonymous Authentication Vulnerability"

It is listing ports 25, 465, 587 as the offending services.

I have an Ubuntu 8.04 server out-of-the-box installation running a similarly basic Zimbra installation. I know those ports are SMTP related but not sure how to resolve the errors if they can even be resolved. I don't really use the mail side of Zimbra that much. We mostly wanted the calendar feature. But on occasion I scan something with our network copier and email it to my Zimbra account. So that feature is nice.

I am by no means a Linux guru so newbie style instructions would be nice.

Thank you for any help offered.
Mike
#2  12-03-2010, 12:25 PM  (Moderator, Posts: 1,432)

Please do zmcontrol -v and put the results into your profile. (User CP > Edit Profile > Zimbra/OS Version.)

Also, if you are paying for the vulnerability scan, I would hope that the service would include some explanation or demonstration of the vulnerability.

Via google I found this page: https://community.qualys.com/docs/DOC-1097 and I was able to "reproduce" a vulnerability. But the key text on that page seems to be
Quote:
Please note that some vendors may allow the initial SSL connection with an anonymous cipher, but disallow the connection once the underlying service is exercised.
I'm pretty sure that what's going on is that all three ports are working as intended by allowing an SSL connection to be initiated anonymously and then doing an SMTP handshake. Port 25 shouldn't require any authentication since it's used to receive mail from foreign servers and to relay mail from trusted networks. Ports 465 and 587 are used to relay mail but only after authentication within SMTP.
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
#3  12-07-2010, 01:59 PM  (Junior Member, Posts: 7)

Quote:
Originally Posted by ewilen View Post
I'm pretty sure that what's going on is that all three ports are working as intended by allowing an SSL connection to be initiated anonymously and then doing an SMTP handshake.
I agree, though I was hoping to find a way to resolve the issue. However, if there isn't any more specific information I guess I'll document that Qualys info you posted and report to the board that they are false positives.

Thank you,
Mike
#4  12-07-2010, 02:50 PM  (Moderator, Posts: 1,432)

Again, I'm pretty sure that everything is working the way it's intended, and that this is secure. That said, gmail doesn't show the "vulnerability" on port 587 connections:

Code:
openssl s_client -connect smtp.gmail.com:587 -cipher aNULL -starttls smtp
CONNECTED(00000003)
32116:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-35/src/ssl/s23_clnt.c:596:
But I doubt that this means anything other than that the two services use different procedures for authentication.
__________________
Elliot Wilen
Berkeley, CA

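As an added example that is not part of the original thread (it is my code, not Zimbra's, Postfix's or Qualys's), here is a small Python wrapper around the openssl s_client test used in posts #2 and #4. It builds the command for each flagged port (STARTTLS on 25 and 587, implicit TLS on 465, which must not be given -starttls) and classifies the s_client output into "anonymous cipher accepted" versus "rejected", which is the distinction the Qualys finding turns on. The sample outputs are constructed for the example, and mail.example.com is a placeholder host.

```python
"""Test whether an SMTP endpoint completes a TLS handshake with an anonymous
(aNULL) cipher suite, i.e. the check behind the "SSL Server Allows Anonymous
Authentication" scanner finding discussed in this thread."""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Port -> STARTTLS protocol name for openssl s_client (None = implicit TLS).
# 25 and 587 upgrade a plaintext session via STARTTLS; 465 (SMTPS) is TLS from
# the first byte, so s_client must not be told to issue STARTTLS there.
SMTP_PORTS = {25: "smtp", 587: "smtp", 465: None}


def s_client_command(host: str, port: int) -> list:
    """Build the openssl s_client invocation that offers ONLY anonymous ciphers.

    Because the client restricts itself to aNULL suites, a completed handshake
    proves the server is willing to negotiate an unauthenticated session."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", "aNULL"]
    starttls = SMTP_PORTS.get(port)
    if starttls:
        cmd += ["-starttls", starttls]
    return cmd


@dataclass
class HandshakeResult:
    anonymous_accepted: bool
    cipher: Optional[str]
    reason: str


# Anonymous suites carry ADH-/AECDH- (OpenSSL names) or *_anon_* (IANA names).
_ANON = re.compile(r"^(ADH-|AECDH-|TLS_.*_anon)")


def parse_s_client_output(output: str) -> HandshakeResult:
    """Classify s_client output. Matches both the summary line
    'New, TLSv1/SSLv3, Cipher is X' and the session block line 'Cipher    : X'."""
    m = re.search(r"\bCipher\s+(?:is|:)\s+(\S+)", output)
    if m and m.group(1) not in ("0000", "(NONE)"):
        cipher = m.group(1)
        if _ANON.match(cipher):
            return HandshakeResult(True, cipher, "handshake completed with an anonymous cipher")
        return HandshakeResult(False, cipher, "handshake completed but the cipher is authenticated")
    if re.search(r"handshake failure|no ciphers available|alert", output, re.IGNORECASE):
        return HandshakeResult(False, None, "server rejected the anonymous cipher offer")
    return HandshakeResult(False, None, "no TLS session negotiated (no STARTTLS, or connection failed)")


def check_anonymous_tls(host: str, port: int, timeout: float = 15.0) -> HandshakeResult:
    """Run the live test. Needs openssl and network access; not exercised here."""
    proc = subprocess.run(s_client_command(host, port), input=b"QUIT\r\n",
                          capture_output=True, timeout=timeout)
    text = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return parse_s_client_output(text)


# Constructed sample outputs (not captured from any real server), trimmed to
# the lines the classifier looks at. The first mimics a server that accepts
# the anonymous offer; the second mimics the refusal shown in post #4.
SAMPLE_ANON_ACCEPTED = """\
CONNECTED(00000003)
no peer certificate available
---
New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA
---
220 mail.example.com ESMTP Postfix
"""

SAMPLE_ANON_REJECTED = """\
CONNECTED(00000003)
32116:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ANON_ACCEPTED, SAMPLE_ANON_REJECTED):
        print(parse_s_client_output(sample))
    for port in SMTP_PORTS:
        print(" ".join(s_client_command("mail.example.com", port)))
```

On current OpenSSL builds add -tls1_2 to the command, since TLS 1.3 has no anonymous suites and a TLS 1.3 server would otherwise negotiate an authenticated session and mask the result; a completed handshake with an ADH-/AECDH- cipher is the condition a scanner reports, regardless of whether the SMTP layer later demands AUTH.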
#5  01-27-2011, 09:57 AM  (Trained Alumni, Posts: 19)

In reference to the Qualys link:

Quote:
Please note that some vendors may allow the initial SSL connection with an anonymous cipher, but disallow the connection once the underlying service is exercised.
Can anyone confirm this is how Zimbra's IMAP, POP, SMTP and HTTPS services operate? PCI auditors rarely accept "may allow" as an answer.

Failing that, can it be tweaked to not support this method of connectivity?
#6  05-02-2011, 08:32 PM  (Starter Member, Posts: 2)

I found a fix for this issue here: Postfix PCI Compliance in ZCS - Zimbra :: Wiki

However I still have weak ciphers when using port 25 and TLS. I'm still trying to figure out how to fix that issue.
#7  05-03-2011, 01:52 PM  (Starter Member, Posts: 2)

Quote:
Originally Posted by ShotgunSi View Post
I found a fix for this issue here: Postfix PCI Compliance in ZCS - Zimbra :: Wiki

However I still have weak ciphers when using port 25 and TLS. I'm still trying to figure out how to fix that issue.
Edit: Fixed my issue by making a minor tweak to the suggested commands from the Zimbra Wiki article by adding DES to the following two commands:

postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"

zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"