SSL Plain Text Injection Security Audit Fix (SSL/TLS Renegotiation Handshake Issue)

Mindwatering Incorporated

Author: Tripp W Black

Created: 12/19/2012 at 11:32 AM

 

Category:
Domino Server Issues Troubleshooting
Web/HTTP

Issue:
Security audit fails for SSL audit on HTTP, SMTP, LDAP, IMAP, and POP3. The error is considered a SSL handshake plain-text injection vulnerability.
(This is different than a SSL V2 to V3 Handshake. This is the SSL Handshake itself.)

SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection Synopsis - CVE-2009-3555:
The remote service allows insecure renegotiation of TLS / SSL connections.

Impact: The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.
Data Received: SSLv3 supports insecure renegotiation.

Resolution: Contact the vendor for specific patch information.

Note: This tech document is old. SSL v3 is outmoded. Use TLS 1.2 with Domino 9.0.1 or whatever is the current Domino release. As of 2016/12, the current versions of domino ignore the Server Doc and Internet Site security ciphers section and are hard-coded. They can be adjusted with notes.ini variables though. Search this repository or the IBM site for more information.

Solution:
Both the Internet Site document(s) and the server(s) notes.ini file(s) must be updated.

1. Confirm that Internet Site document, Security tab already has the following settings:

Protocol Version: V3.0 only

SSL ciphers:
RC4 encryption with 128-bit key and MD5 MAC
RC4 encryption with 128-bit key and SHA-1 MAC
Tripp DES encryption with 168-bit key and SHA-1 MAC

Enable SSL V2: <unchecked>


2. Update the notes.ini and add the following notes.ini variable:
SSL_Disable_Renegotiate=1

Note:
For the SSL ciphers, AES encryption with 128-bit key and SHA-1 MAC and 256-bit key and SHA-1 MAC also acceptable for this vulnerability. However, they are NOT acceptable for the BEAST vulnerability. So they are not included in this list.

Validation:
Good site for validating your server: https://www.ssllabs.com/ssltest/


__________________________________________


Issue:
In IBM Domino 8.5.3, the following XSP elements are vulnerable to XSS. Patch domino to 8.5.4 or Domino 9.0.1. If you are stuck on Domino 8.5.3 for some reason, you can create these rules. (Thanks to Steve W.. We were given these from someone who read these from one of his blogs.)

Solution:
For 8.5.3 and earlier Domino, create 2 Web Rules under your Internet Site document.

Web Rule:
Type of rule: HTTP response headers
Incoming URL pattern: */xsp/.ibmxspres/*
HTTP response codes: 404
Expires header: Don't add header
Custom header: Content-Type : text/plain (overwrite)

Web Rule:
Type of rule: HTTP response headers
Incoming URL pattern: */xsp/.ibmmodres/*
HTTP response codes: 404
Expires header: Don't add header
Custom header: Content-Type : text/plain (overwrite)



previous page