
Thread: SSL Server Allows Anonymous Authentication Vulnerability

  1. #1
    eldon96 is offline Junior Member
    Join Date
    Dec 2009
    Posts
    7
    Rep Power
    5

    SSL Server Allows Anonymous Authentication Vulnerability

    We just had an internal vulnerability scan done. The company used a Qualys appliance and the report showed three entries on my Zimbra server.

    "SSL Server Allows Anonymous Authentication Vulnerability"

    It is listing ports 25, 465, 587 as the offending services.

    I have an Ubuntu 8.04 server out-of-the-box installation running a similarly basic Zimbra installation. I know those ports are SMTP related but not sure how to resolve the errors if they can even be resolved. I don't really use the mail side of Zimbra that much. We mostly wanted the calendar feature. But on occasion I scan something with our network copier and email it to my Zimbra account. So that feature is nice.

    I am by no means a Linux guru so newbie style instructions would be nice.

    Thank you for any help offered.
    Mike

  2. #2
    ewilen is offline Moderator
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9


    Please do zmcontrol -v and put the results into your profile. (User CP > Edit Profile > Zimbra/OS Version.)

    Also, if you are paying for the vulnerability scan, I would hope that the service would include some explanation or demonstration of the vulnerability.

    Via Google I found this page: https://community.qualys.com/docs/DOC-1097 and I was able to "reproduce" a vulnerability. But the key text on that page seems to be:
    "Please note that some vendors may allow the initial SSL connection with an anonymous cipher, but disallow the connection once the underlying service is exercised."
    I'm pretty sure that what's going on is that all three ports are working as intended by allowing an SSL connection to be initiated anonymously and then doing an SMTP handshake. Port 25 shouldn't require any authentication since it's used to receive mail from foreign servers and to relay mail from trusted networks. Ports 465 and 587 are used to relay mail but only after authentication within SMTP.

  3. #3
    eldon96 is offline Junior Member
    Join Date
    Dec 2009
    Posts
    7
    Rep Power
    5


    Quote Originally Posted by ewilen:
    I'm pretty sure that what's going on is that all three ports are working as intended by allowing an SSL connection to be initiated anonymously and then doing an SMTP handshake.
    I agree though I was hoping to find a way to resolve the issue. However, if there isn't any more specific information I guess I'll document that Qualys info you posted and report to the board that they are false positives.

    Thank you,
    Mike

  4. #4
    ewilen is offline Moderator
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9


    Again, I'm pretty sure that everything is working the way it's intended, and that this is secure. That said, gmail doesn't show the "vulnerability" on port 587 connections:

    Code:
    openssl s_client -connect smtp.gmail.com:587 -cipher aNULL -starttls smtp
    CONNECTED(00000003)
    32116:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-35/src/ssl/s23_clnt.c:596:
    But I doubt that this means anything other than that the two services use different procedures for authentication.
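    The manual check above (openssl s_client with -cipher aNULL) can be scripted so you can run it against your own server's three SMTP ports and read the result without eyeballing the OpenSSL output. The script below is an added example, not code from the thread or from Zimbra; SMTP_HOST is an assumed environment variable and nothing is contacted unless you set it, so the classifier can be exercised on saved output alone.

```shell
#!/bin/sh
# Added example (not from the thread): automate the aNULL probe ewilen ran by
# hand and classify what openssl s_client reports for each SMTP port.
# SMTP_HOST is a placeholder; set it to your own mail server to run the probe.

# classify_handshake reads `openssl s_client` output on stdin and prints:
#   ANON_ACCEPTED  a handshake completed with an anonymous (ADH/AECDH) cipher,
#                  which is exactly what the Qualys finding reports
#   ANON_REJECTED  the server refused to negotiate any aNULL cipher
#   UNKNOWN        neither pattern matched (connection refused, timeout, ...)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'handshake failure|no ciphers available'; then
        echo ANON_REJECTED
    elif printf '%s\n' "$out" | grep -Eq 'Cipher +(is|:) *(ADH|AECDH|DH-anon|ECDH-anon)'; then
        echo ANON_ACCEPTED
    else
        echo UNKNOWN
    fi
}

# probe_smtp_anon HOST PORT
# Ports 25 and 587 upgrade to TLS with STARTTLS; port 465 is TLS from the first
# byte, so -starttls smtp is passed only for the former two.  $starttls is left
# unquoted on purpose so that it expands to two words.
probe_smtp_anon() {
    host=$1
    port=$2
    if [ "$port" = 465 ]; then
        starttls=""
    else
        starttls="-starttls smtp"
    fi
    openssl s_client -connect "$host:$port" -cipher aNULL $starttls </dev/null 2>&1 \
        | classify_handshake
}

# Stand-alone use:  SMTP_HOST=mail.example.invalid sh anon_check.sh
if [ -n "${SMTP_HOST:-}" ]; then
    for port in 25 465 587; do
        printf '%s:%s %s\n' "$SMTP_HOST" "$port" "$(probe_smtp_anon "$SMTP_HOST" "$port")"
    done
fi
```

    ANON_ACCEPTED on its own only tells you that the TLS layer will negotiate an anonymous suite; as the Qualys text quoted above says, the service behind it may still refuse to do anything useful, which is why the thread treats this as a false positive for ports that authenticate inside SMTP. One caveat for newer OpenSSL builds (1.1.1 and later): -cipher governs only TLS 1.2 and earlier suites, so a server that negotiates TLS 1.3 will show a TLS_ cipher and be reported as UNKNOWN; add -no_tls1_3 to the s_client line there to get a meaningful answer.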

  5. #5
    sglewis is offline Trained Alumni
    Join Date
    Apr 2008
    Posts
    22
    Rep Power
    7


    In reference to the Qualys link:

    Please note that some vendors may allow the initial SSL connection with an anonymous cipher, but disallow the connection once the underlying service is exercised.
    Can anyone confirm this is how Zimbra's IMAP, POP, SMTP and HTTPS services operate? PCI auditors rarely accept "may allow" as an answer.

    Failing that, can it be tweaked to not support this method of connectivity?

  6. #6
    ShotgunSi is offline Starter Member
    Join Date
    Feb 2010
    Posts
    2
    Rep Power
    5


    I found a fix for this issue here: Postfix PCI Compliance in ZCS - Zimbra :: Wiki

    However I still have weak ciphers when using port 25 and TLS. I'm still trying to figure out how to fix that issue.

  7. #7
    ShotgunSi is offline Starter Member
    Join Date
    Feb 2010
    Posts
    2
    Rep Power
    5


    Quote Originally Posted by ShotgunSi:
    I found a fix for this issue here: Postfix PCI Compliance in ZCS - Zimbra :: Wiki

    However I still have weak ciphers when using port 25 and TLS. I'm still trying to figure out how to fix that issue.
    Edit: Fixed my issue by making a minor tweak to the suggested commands from the Zimbra Wiki article by adding DES to the following two commands:

    postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"

    zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"

  8. #8
    Join Date
    Nov 2011
    Location
    Seattle, WA
    Posts
    10
    Rep Power
    3


    That's what I thought. Trying that now, but I suspect that I am still going to receive the "Weak DH" keys under a PCI scan. Thinking that I am going to need a support ticket call...

  9. #9
    kabeer is offline Starter Member
    Join Date
    May 2013
    Posts
    1
    Rep Power
    2


    Hi,

    I am getting the same issue "SSL Server Allows Anonymous Authentication Vulnerability" while doing Qualys scan on my mail server.

    The zimbra version I am using is "Release 6.0.15_GA_2995.RHEL5_64_20111212142837 CentOS5_64 FOSS edition"

    I have executed the commands below, as mentioned in Postfix PCI Compliance in ZCS - Zimbra :: Wiki, but I am still seeing the same issue (Qualys ID: 38142) in the Qualys scan report.

    su - zimbra
    postconf -e smtpd_tls_ciphers=high
    postconf -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2
    postconf -e smtpd_tls_mandatory_ciphers=high
    postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"
    zmlocalconfig -e smtpd_tls_ciphers=high
    zmlocalconfig -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2
    zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
    zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"
    zmmtactl restart

    Can anyone please help me fix this issue?
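    When a rescan still flags the finding after the wiki commands, the first thing to confirm is that the settings actually landed in the running Postfix configuration. The audit function below is an added example, not code from the thread or the Zimbra wiki: it reads `postconf -n` style "key = value" lines and reports which of the values set by the commands above (aNULL/MD5/DES excluded, high ciphers, SSLv2 disabled) are missing. The POSTCONF_OUT variable and the sample input in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit Postfix TLS parameters against the
# values the wiki commands set.  Input is "key = value" lines on stdin, e.g.
#   su - zimbra -c 'postconf -n' > /tmp/pc.txt && POSTCONF_OUT=/tmp/pc.txt sh audit_postfix_tls.sh
# (POSTCONF_OUT is a placeholder name used only by this script).

audit_postfix_tls() {
    findings=0
    seen_excl=0; seen_ciph=0; seen_mand=0; seen_prot=0
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac      # skip non key=value lines
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        val=${line#*=}
        case "$key" in
            smtpd_tls_exclude_ciphers)
                seen_excl=1
                # aNULL is the anonymous key exchange the Qualys finding reports;
                # MD5 and DES are the weak suites ShotgunSi added in post #7
                for c in aNULL MD5 DES; do
                    case "$val" in
                        *"$c"*) ;;
                        *) echo "smtpd_tls_exclude_ciphers lacks $c"; findings=$((findings+1)) ;;
                    esac
                done ;;
            smtpd_tls_ciphers)
                seen_ciph=1
                case "$val" in *high*) ;; *) echo "smtpd_tls_ciphers is not high"; findings=$((findings+1)) ;; esac ;;
            smtpd_tls_mandatory_ciphers)
                seen_mand=1
                case "$val" in *high*) ;; *) echo "smtpd_tls_mandatory_ciphers is not high"; findings=$((findings+1)) ;; esac ;;
            smtpd_tls_protocols)
                seen_prot=1
                case "$val" in *'!SSLv2'*) ;; *) echo "smtpd_tls_protocols does not exclude SSLv2"; findings=$((findings+1)) ;; esac ;;
        esac
    done
    # A parameter that never appeared is a finding too: the command may have been
    # run as the wrong user or before "zmmtactl restart".
    for pair in "$seen_excl:smtpd_tls_exclude_ciphers" "$seen_ciph:smtpd_tls_ciphers" \
                "$seen_mand:smtpd_tls_mandatory_ciphers" "$seen_prot:smtpd_tls_protocols"; do
        case "$pair" in 0:*) echo "${pair#0:} is not set"; findings=$((findings+1)) ;; esac
    done
    echo "findings=$findings"
    [ "$findings" -eq 0 ]          # exit status 0 only when nothing was flagged
}

# Stand-alone: audit the file named by POSTCONF_OUT (nothing runs otherwise).
if [ -n "${POSTCONF_OUT:-}" ]; then
    audit_postfix_tls < "$POSTCONF_OUT"
fi
```

    The exit status makes the function usable from a cron job or a pre-audit checklist. Note that a clean result here only shows the Postfix side matches the wiki; it does not by itself change what the scanner reports, which is the point the last reply in the thread makes.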

  10. #10
    quanah is offline Zimbra Employee
    Join Date
    May 2007
    Location
    Zimbra
    Posts
    1,262
    Rep Power
    10


    These scans are bogus. You can safely ignore them.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration
