
Thread: Penetration testing of zimbra server

  1. #1
    Jimmystewpot (Junior Member, Australia)

    Penetration testing of zimbra server

    Hello,

    We have recently been undergoing a pen-test due to one of the customers that we are trying to attract having unique security requirements. One issue that has been highlighted is that our zimbra server supports some weak cipher suites. What confuses the hell out of me is that the suites the network penetration tools detect should be excluded in the zimbra configuration.

    For example :

    zimbra@webmail:~$ zmprov gcf zimbraSSLExcludeCipherSuites
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

    Unfortunately, even when we test the site using third-party tools, openssl etc., we can also see that the crypto suite is still in use despite the fact that it is disabled in the configuration. We have rebooted and restarted the services with no difference in the outcome.

    Has anyone else had a similar issue? Is there something I am missing in regards to SSL cipher suites? It's had me stumped for a few days now with no success.

    The second issue is that we are reported to be vulnerable to BEAST attacks, which I believe is related to the crypto ciphers we use. I suspect these may be related. Can someone shed any additional light on this?

    Regards,

    Jimmy Stewpot.

  2. #2
    kruon (Loyal Member, Jyväskylä, Finland)

    Tried searching the forum for the same subject?
    It'll reveal threads like this one

  3. #3
    boumi (Intermediate Member)

    I'm having the same issue as Jimmystewpot with ZCS 7.2 NE. Our vulnerability scanner reported lots of ciphers that were vulnerable, so I excluded them with "zmprov mcf +zimbraSSLExcludeCipherSuites <CIPHER_NAME>" and did a "zmmailboxdctl restart". Now when the vulnerability scanner scans Zimbra again, it still reports lots of ciphers that I excluded from being used.

    zmprov gacf zimbraSSLExcludeCipherSuites
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: EXP-RC2-CBC-MD5
    zimbraSSLExcludeCipherSuites: EXP-RC4-MD5
    zimbraSSLExcludeCipherSuites: EXP-ADH-RC4-MD5
    zimbraSSLExcludeCipherSuites: EXP-EDH-RSA-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: EXP-ADH-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: EXP-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: DES-CBC-MD5
    zimbraSSLExcludeCipherSuites: EDH-RSA-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: ADH-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: ADH-DES-CBC3-SHA
    zimbraSSLExcludeCipherSuites: ADH-RC4-MD5
    zimbraSSLExcludeCipherSuites: ADH-AES256-SHA
    zimbraSSLExcludeCipherSuites: ADH-CAMELLIA128-SHA
    zimbraSSLExcludeCipherSuites: ADH-SEED-SHA
    zimbraSSLExcludeCipherSuites: ADH-AES128-SHA
    zimbraSSLExcludeCipherSuites: ADH-CAMELLIA256-SHA

    Our Vulnerability Scanner still reports the following cipher suites:

    High Strength Ciphers (>= 112-bit key)
    SSLv3
    ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
    TLSv1
    ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
    ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
    ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
    ADH-CAMELLIA128-SHA Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
    ADH-CAMELLIA256-SHA Kx=DH Au=None Enc=Camellia(256) Mac=SHA1

    I already excluded the reported ciphers from being used, but it looks as if they are still in place for use. How can I get them excluded so the vulnerability scanner does not report them any more?
    Last edited by boumi; 08-13-2012 at 04:56 AM.
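    A defender-side cross-check for the mismatch Jimmystewpot and boumi describe above (suites excluded in zimbraSSLExcludeCipherSuites that the scanner still negotiates). This is an added example, not code from the thread or from Zimbra: it parses constructed sample input modelled on the two listings in this thread, and it assumes that the Java listener matches exclusions on JSSE-style names, which is the form Zimbra's own gcf output uses, so entries written in OpenSSL form are flagged for a second look.

```python
import re

# Constructed sample input: zmprov prints Java/JSSE-style names, the scanner OpenSSL-style.
ZMPROV_OUTPUT = """\
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: ADH-DES-CBC3-SHA
zimbraSSLExcludeCipherSuites: ADH-AES128-SHA
zimbraSSLExcludeCipherSuites: EXP-RC4-MD5
"""
SCANNER_REPORT = """\
SSLv3
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
TLSv1
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
"""
JSSE_NAME = re.compile(r"^(SSL|TLS)_[A-Z0-9_]+$")  # Java form, e.g. TLS_RSA_WITH_AES_128_CBC_SHA
PROTO_HDR = re.compile(r"^(SSL|TLS)v[\d.]+$")      # scanner section headers: SSLv3, TLSv1, ...
SUITE_LINE = re.compile(r"^(?P<name>[A-Z0-9-]+)\s+Kx=\S+\s+Au=(?P<au>\S+)\s+Enc=\S+\s+Mac=\S+$")

def parse_exclusions(text):  # suite names from `zmprov gcf zimbraSSLExcludeCipherSuites`
    names = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "zimbraSSLExcludeCipherSuites":
            names.add(value.strip())
    return names

def parse_scanner(text):  # each reported suite -> protocols it was seen on, plus its Au= field
    found, proto = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if PROTO_HDR.match(line):
            proto = line  # suites that follow belong to this protocol version
            continue
        m = SUITE_LINE.match(line)
        if m:
            entry = found.setdefault(m["name"], {"protocols": set(), "au": m["au"]})
            entry["protocols"].add(proto)
    return found

def audit(zmprov_text, scanner_text):  # cross-check configured exclusions against observations
    excluded, offered = parse_exclusions(zmprov_text), parse_scanner(scanner_text)
    return {
        # excluded in config yet still negotiated: the setting is not taking effect there
        "still_offered": sorted(n for n in offered if n in excluded),
        # entries not in JSSE form (assumption: the Java listener matches JSSE names only)
        "non_jsse_entries": sorted(n for n in excluded if not JSSE_NAME.match(n)),
        # Au=None is anonymous key exchange (no server authentication): a separate finding
        "anonymous_kx": sorted(n for n, e in offered.items() if e["au"] == "None"),
    }
```

    Run against real output, every entry in still_offered is a listener the exclusion list is not reaching, and the anonymous_kx list is worth raising on its own regardless of key length.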

  4. #4
    boumi (Intermediate Member)

    I'd be very thankful if someone could help me with my issue that excluded cipher suites are still reported as being in use by the vulnerability scanner.

    See posting above. I've already excluded all the cipher suites that were reported first, but some of them are still reported every time the vuln scanner comes by.

    How do I exclude them so they are no longer reported?

    Thanks

  5. #5
    liverpoolfcfan (Outstanding Member, Dublin, IRELAND)

    If you are running NE can't you open a support ticket to get it resolved ?

  6. #6
    boumi (Intermediate Member)

    Thanks for the tip about the support ticket, I'll check that.

  7. #7
    SmithMartinChristopher (Seattle, WA)

    Originally Posted by boumi:
    Thanks for the tip about the support ticket, I'll check that.
    Did you ever get a response on this? I am experiencing a similar situation and will open a ticket if necessary.

    -=CS=-

  8. #8
    boumi (Intermediate Member)

    I got a response, but the problem is not solved yet. I still get some ciphers reported as in use that I excluded from being used.

  9. #9
    SmithMartinChristopher (Seattle, WA)

    I have now opened a ticket and have excluded what Support suggested. No dice on a fix.

  10. #10
    lytledd (Elite Member, Michigan)

    Originally Posted by SmithMartinChristopher:
    I have now opened a ticket and have excluded what Support suggested. No dice on a fix.

    Can you post what they suggested? I'll try it as well and if it doesn't work, I'll also open a ticket. Maybe if we get enough tickets on this, we'll get some movement on a fix.

    Doug
    Ben Franklin quote:

    "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
