This SSL service supports SSLv2 connections. SSLv2 has known
cryptographic weaknesses that can lead to the compromise of data
encrypted during the SSL session. Secure web applications should
only enable SSLv3, TLSv1, or newer. SSLv3 was released in 1996
with numerous security enhancements over SSLv2. TLSv1 was
introduced in 1999 as an enhancement to the security features of
SSLv3. All modern browsers have support for both SSLv3 and TLSv1,
and often disable support for SSLv2 in the interests of security. The
PCI ASV Operational Requirements requires that if SSLv2 is used in
the transmission of cardholder data, this must result in a failure. This
was clarified in the PCI "Assessor Update: November 2008" (see the
reference link in this finding).
Service: -
Evidence:
• Cipher: DES-CBC-MD5
• Cipher: DES-CBC3-MD5
• Cipher: EXP-RC2-CBC-MD5
• Cipher: EXP-RC4-MD5
• Cipher: RC2-CBC-MD5
• Cipher: RC4-64-MD5
• Cipher: RC4-MD5
paper-ssl.pdf
Could you please let us know if it is possible to disable SSLv2 support for the SD Agent and we can do it? If we decide to implement the system, we will need the agent to support ONLY SSLv3.