Thread: Penetration testing of zimbra server

  1. #1
    Penetration testing of zimbra server

    Hello,

    We have recently been undergoing a pen-test because one of the customers we are trying to attract has unique security requirements. One issue that has been highlighted is that our zimbra server supports some weak cipher suites. What confuses the hell out of me is that the suites the network penetration tools detect should be excluded by the zimbra configuration.

    For example :

    zimbra@webmail:~$ zmprov gcf zimbraSSLExcludeCipherSuites
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

    Unfortunately, even when we test the site using third-party tools, openssl, etc., we can also see that those crypto suites are still in use despite the fact that they are disabled in the configuration. We have rebooted and restarted the services with no difference in the outcome.

    Has anyone else had a similar issue? Is there something I am missing in regards to SSL cipher suites? It's had me stumped for a few days now with no success.

    The second issue is that we are reported to be vulnerable to BEAST attacks, which I believe is related to the crypto ciphers we use. I suspect these may be related. Can someone shed any additional light on this?

    Regards,

    Jimmy Stewpot.

  2. #2

    Tried searching the forum for the same subject?
    It'll reveal threads like this one

  3. #3

    I'm having the same issue as Jimmystewpot with ZCS 7.2 NE. Our vulnerability scanner reported lots of ciphers that were vulnerable, so I excluded them with "zmprov mcf +zimbraSSLExcludeCipherSuites <CIPHER_NAME>" and did a "zmmailboxdctl restart". Now when the vulnerability scanner scans Zimbra again it still reports lots of ciphers that I excluded from being used.

    zmprov gacf zimbraSSLExcludeCipherSuites
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: EXP-RC2-CBC-MD5
    zimbraSSLExcludeCipherSuites: EXP-RC4-MD5
    zimbraSSLExcludeCipherSuites: EXP-ADH-RC4-MD5
    zimbraSSLExcludeCipherSuites: EXP-EDH-RSA-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: EXP-ADH-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: EXP-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: DES-CBC-MD5
    zimbraSSLExcludeCipherSuites: EDH-RSA-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: ADH-DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: DES-CBC-SHA
    zimbraSSLExcludeCipherSuites: ADH-DES-CBC3-SHA
    zimbraSSLExcludeCipherSuites: ADH-RC4-MD5
    zimbraSSLExcludeCipherSuites: ADH-AES256-SHA
    zimbraSSLExcludeCipherSuites: ADH-CAMELLIA128-SHA
    zimbraSSLExcludeCipherSuites: ADH-SEED-SHA
    zimbraSSLExcludeCipherSuites: ADH-AES128-SHA
    zimbraSSLExcludeCipherSuites: ADH-CAMELLIA256-SHA

    Our Vulnerability Scanner still reports the following cipher suites:

    High Strength Ciphers (>= 112-bit key)
    SSLv3
    ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
    TLSv1
    ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
    ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
    ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
    ADH-CAMELLIA128-SHA Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
    ADH-CAMELLIA256-SHA Kx=DH Au=None Enc=Camellia(256) Mac=SHA1

    I already excluded the reported ciphers from being used, but it looks as if they are still in place for use. How can I get them excluded so the vulnerability scanner does not report them any more?
    Last edited by boumi; 08-13-2012 at 04:56 AM.
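An added example (mine, not from either poster or from Zimbra) that reconciles the scanner listing in this post with the exclusion lists shown here and in the first post: it assumes, as I understand Zimbra's Jetty-based mailboxd, that zimbraSSLExcludeCipherSuites is matched against Java (JSSE) suite names, so an entry written in OpenSSL form such as ADH-AES128-SHA never matches anything. The name table and the sample data below are constructed for the example.

```python
import re

# Partial OpenSSL-name -> Java (JSSE) name table; an assumption supplied for this
# example, covering only anonymous-DH and DES suites that appear in the thread.
OPENSSL_TO_JSSE = {
    "ADH-DES-CBC3-SHA": "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "ADH-AES128-SHA": "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "ADH-AES256-SHA": "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    "ADH-CAMELLIA128-SHA": "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
    "DES-CBC-SHA": "SSL_RSA_WITH_DES_CBC_SHA",
}

# Constructed sample input, abridged from the two listings in the post above.
ZMPROV_OUTPUT = """\
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: DES-CBC-SHA
zimbraSSLExcludeCipherSuites: ADH-DES-CBC3-SHA
zimbraSSLExcludeCipherSuites: ADH-AES128-SHA
"""
SCANNER_OUTPUT = """\
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
"""

def parse_zmprov(text):
    """Return the set of values on zimbraSSLExcludeCipherSuites: lines."""
    return set(re.findall(r"^zimbraSSLExcludeCipherSuites:\s*(\S+)", text, re.M))

def parse_scanner(text):
    """Return the cipher names the scanner reported (first token of each Kx= line)."""
    return re.findall(r"^(\S+)\s+Kx=", text, re.M)

def reconcile(excluded, reported):
    """'excluded' if the JSSE-form name is in the list; 'openssl-name-only' if only
    an OpenSSL-form entry exists (no effect on mailboxd, per the assumption above)."""
    verdict = {}
    for name in reported:
        jsse = OPENSSL_TO_JSSE.get(name)
        if jsse and jsse in excluded:
            verdict[name] = "excluded"
        elif name in excluded:
            verdict[name] = "openssl-name-only"
        else:
            verdict[name] = "not-excluded"
    return verdict

def check_sample():
    return reconcile(parse_zmprov(ZMPROV_OUTPUT), parse_scanner(SCANNER_OUTPUT))
```

A second cause worth ruling out, whichever naming is used, is that the scanner is probing a port other than mailboxd's, which this attribute would not govern.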

  4. #4

    I'd be very thankful if someone could help me with my issue: excluded cipher suites are still reported as being in use by the vulnerability scanner.

    See the posting above. I've already excluded all the cipher suites that were reported first, but some of them are still reported every time the vuln scanner comes by.

    How do I exclude them so they are no longer reported?

    Thanks

  5. #5

    If you are running NE, can't you open a support ticket to get it resolved?

  6. #6

    Thanks for the tip about the support ticket, I'll check that.
