Thursday, 13 July 2023

[Research] Windows Defender Firewall: allow only Deep Security to connect to certain local ports (Windows 2019)

[Research] Windows Defender Firewall: allow only the Trend Micro Deep Security Server to connect to certain ports of the local Deep Security Agent (DSA) (Windows Server 2019)

2023-07-13

Related software

Deep Security Agent (DSA), Deep Security (DS)

********************************************************************************

Background

I recently received a Nessus vulnerability scan report. Two of its findings:

Finding 1



51192 - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which
the chain of trust can be broken, as stated below :
- First, the top of the certificate chain sent by the server might not be descended from a known public
certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed
certificate, or when intermediate certificates are missing that would connect the top of the certificate chain
to a known public certificate authority.
- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can
occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the
certificate's 'notAfter' dates.
- Third, the certificate chain may contain a signature that either didn't match the certificate's information
or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be
re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a
signing algorithm that Nessus either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users
to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle
attacks against the remote host.
Solution
Purchase or generate a proper SSL certificate for this service.
Risk Factor
Medium
CVSS v3.0 Base Score
6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVSS v2.0 Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information
Published: 2010/12/15, Modified: 2020/04/27
Plugin Output
tcp/4118/unknown
The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :
|-Subject : CN=Deep Security Manager/DC=172.16.(redacted)/2.5.4.5=1614323416856
|-Issuer : CN=Deep Security Manager/DC=172.16.(redacted)/2.5.4.5=1614323416856

【Explanation】

tcp/4118/unknown: the certificate cannot be trusted; its issuer, "Deep Security Manager", is not a known certificate authority.

********************************************************************************

Finding 2

57582 - SSL Self-Signed Certificate
Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote
host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle
attack against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but
is signed by an unrecognized certificate authority.
Solution
Purchase or generate a proper SSL certificate for this service.
Risk Factor
Medium
CVSS v3.0 Base Score
6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVSS v2.0 Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information
Published: 2012/01/17, Modified: 2022/06/14
Plugin Output
tcp/4118/unknown
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :
|-Subject : CN=Deep Security Manager/DC=172.16.(redacted)/2.5.4.5=1614323416856

【Explanation】

Issue: tcp/4118/unknown, self-signed SSL certificate; the issuer is Deep Security, not a recognised certificate authority.

********************************************************************************

【Assessment】

For these findings (certificate cannot be trusted, self-signed SSL certificate, issuer is Deep Security rather than a well-known CA), the proper remediation is to make the certificate trusted, for example by checking whether the scanner can be configured to trust a given root certificate, or to replace it with a commercial, publicly trusted certificate.

However, client-server traffic between software components on an internal segment normally does not use an external, publicly trusted certificate; Deep Security is Trend Micro's security product, so its certificates are not something a customer can casually or easily change; and the deadline given for remediation was short. The simple stop-gap is therefore to restrict the source IP and the destination port. Note that this does not change the certificate the service presents: any host that is still allowed to reach tcp/4118 (the scanner included, if its address is allowed) will receive the same finding. What it does is cut the exposure of that port down to the one peer that legitimately needs it.

********************************************************************************

【Handling】

Since I am not very familiar with Deep Security, the method in this post is not the only one, and I do not guarantee that it is 100% correct.
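
The post's own steps are not present in this copy of the page. The following PowerShell is an added example, not the author's procedure and not anything from Trend Micro: it implements the stop-gap described in the assessment above, an inbound Windows Defender Firewall rule on the agent host that accepts tcp/4118 (the listener Nessus flagged) only from the Deep Security Manager, and then checks whether any other enabled rule still opens that port to every source. The address 172.16.0.10, the rule name and the rule group are placeholders chosen for this example; the port number comes from the scan output.

```powershell
# Added example (not from the original post): restrict inbound tcp/4118 on a
# Deep Security Agent host so that only the Deep Security Manager can reach it.
# ASSUMPTIONS: $DsmAddress is a placeholder for the real DSM address; the rule
# name and group are this example's own choices. Run from an elevated shell.

$DsmAddress = '172.16.0.10'                 # placeholder: replace with your DSM's address
$AgentPort  = 4118                          # the listener Nessus reported as tcp/4118
$RuleName   = 'DSA 4118 from DSM only'
$RuleGroup  = 'Deep Security Agent (restricted)'

# 1. Pin the inbound default to Block so a later profile change does not silently
#    open the port. (Block is already the Windows default; this makes it explicit.)
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Inbound allow rule on 4118 scoped to the DSM address only.
#    An existing rule with the same name is removed first, so re-running is safe.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $AgentPort `
    -RemoteAddress $DsmAddress -Profile Any -Enabled True | Out-Null

# 3. Find any OTHER enabled inbound allow rule that still exposes 4118 to any
#    remote address (e.g. a broad rule created by an installer). Such a rule is
#    what the scanner is actually hitting, and it must be disabled or scoped too.
#    Port ranges such as "4000-5000" are not parsed here; review those by hand.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($_.DisplayName -ne $RuleName) -and
        ($pf.Protocol -in @('TCP', 'Any')) -and
        (($pf.LocalPort -contains 'Any') -or ($pf.LocalPort -contains "$AgentPort")) -and
        ($af.RemoteAddress -contains 'Any')
    }
if ($broad) {
    Write-Warning "These rules still expose tcp/$AgentPort to any source:"
    $broad | Select-Object DisplayName, Group, Profile | Format-Table -AutoSize
} else {
    Write-Output "tcp/$AgentPort is reachable only from $DsmAddress."
}

# 4. Verify from another machine: this should succeed from the DSM and time out
#    from any other host (the agent host's address is a placeholder here).
#    Test-NetConnection -ComputerName 172.16.0.20 -Port 4118
```

Two practical points. First, the rule only admits the single address in -RemoteAddress; if the Manager has more than one node, or reaches the agent through an address other than the one you expect (for example via NAT), every such address has to be listed, otherwise Manager-initiated actions stop working. Second, the 2023-08-31 update further down records that agent updates broke after the firewall change; a rule that touches only inbound tcp/4118 from the DSM does not affect connections the agent itself opens, so if that happens, compare every rule changed at the same time against the port list in the Trend Micro article linked under Related before loosening anything.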

********************************************************************************

2023-08-31

The team that manages the Deep Security Server reported that the Deep Security Agent software could not be updated, so some adjustments were made.


(End)

Related

Ports used by Deep Security for communication
Updated: 21 Jun 2018
https://success.trendmicro.com/tw/solution/1060007

