...
Article 000022527, Dell Unity: How to Disable TLS 1.0 and 1.1 on Unity Array (User Correctable), was followed. However, the vulnerability scanner (Nessus) still detected a TLS vulnerability on port 5085.

Detected vulnerability:
    https://www.tenable.com/plugins/nessus/104743
    Plugin: 104743
    Plugin name: TLS Version 1.0 Protocol Detection
    Port: 5085
    Plugin output: TLSv1 is enabled and the server supports at least one cipher.
    Synopsis: The remote service encrypts traffic using an older version of TLS.
    Solution: Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

The command "uemcli -u admin -password /sys/security set -tlsMode TLSv1.2" disables TLS 1.0 and 1.1 only on port 443. To disable them on port 5085 as well, you must use the "-param" option of the svc_nas command.

Disable TLS 1.0 and 1.1 (port 5085) by using the below steps:

1. Check the current settings.
    svc_nas ALL -param -facility ssl -info protocol -v
2. Change the value to "4" (TLSv1.2 and above).
    svc_nas ALL -param -facility ssl -modify protocol -value 4
3. Confirm that the configured_value has been changed to "4" (TLSv1.2 and above). The current_value does not change until the SP is rebooted.
    svc_nas ALL -param -facility ssl -info protocol -v
4. Reboot the Storage Processors one at a time.
    UI (Unisphere): SYSTEM >>> Service >>> Service Tasks >>> (Storage Processor X) >>> select Reboot and click Execute.
    CLI: svc_shutdown --reboot [spa | spb]
5. Confirm that the current_value has been changed to "4" (TLSv1.2 and above).
    svc_nas ALL -param -facility ssl -info protocol -v

Example of changing from TLSv1.0 to TLSv1.2 (port 5085):

1. Check the current settings.

    XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v
    name = protocol
    facility_name = ssl
    default_value = 2 <<<
    current_value = 2 <<<
    configured_value = <<<
    param_type = global
    user_action = reboot SP
    change_effective = reboot SP
    range = (0,4)
    description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

2. Change the value to "4" (TLSv1.2 and above).

    XXXXX spa:~/user# svc_nas ALL -param -facility ssl -modify protocol -value 4
    SPA : done
    Warning 17716815750: SPA : You must reboot the SP for protocol changes to take effect.
    SPB : done
    Warning 17716815750: SPB : You must reboot the SP for protocol changes to take effect.

3. Confirm that the configured_value has been changed to "4" (TLSv1.2 and above).

    XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v
    SPA :
    name = protocol
    facility_name = ssl
    default_value = 2
    current_value = 2 <<<< current_value is changed after restart
    configured_value = 4 <<<<
    param_type = global
    user_action = reboot SP
    change_effective = reboot SP
    range = (0,4)
    description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

4. Reboot the Storage Processors (both SPs, one after the other).

5. Confirm that the current_value has been changed to "4" (TLSv1.2 and above).

    XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v
    SPA :
    name = protocol
    facility_name = ssl
    default_value = 2
    current_value = 4 <<<<
    configured_value = 4
    param_type = global
    user_action = reboot SP
    change_effective = reboot SP
    range = (0,4)
    description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

Disable TLS 1.0 and 1.1 (port 443). Excerpt from article 000022527.

● Unity OE 5.1 and later arrays, using the below commands:

Show the current settings with the command:
    uemcli -u admin -password /sys/security show

Disable TLS 1.0 and 1.1 by setting -tlsMode TLSv1.2:
    uemcli -u admin -password /sys/security set -tlsMode TLSv1.2

Example of changing from TLSv1.0 to TLSv1.2 (port 443):

    XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
    Storage system address: 127.0.0.1
    Storage system port: 443
    HTTPS connection

    1:
    FIPS 140 mode = disabled
    TLS mode = TLSv1.0 and above
    Restricted shell mode = enabled

    XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security set -tlsMode TLSv1.2
    Storage system address: 127.0.0.1
    Storage system port: 443
    HTTPS connection

    Please refer to the Security Configuration Guide for backward compatibility. This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
    Do you want to continue?
    yes / no: yes

    Operation completed successfully.

    XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
    Storage system address: 127.0.0.1
    Storage system port: 443
    HTTPS connection

    1:
    FIPS 140 mode = disabled
    TLS mode = TLSv1.2 and above <<<
    Restricted shell mode = enabled

● In case the array is running OE 4.3 to 5.0, disable TLS 1.0 (port 443) by using the below commands:

Show the current settings with the command:
    uemcli -u admin -password /sys/security show -detail

Disable TLS 1.0 with the command:
    uemcli -u admin -password /sys/security set -tls1Enabled no

Enable TLS 1.2 with the command:
    uemcli -u admin -password /sys/security set -tlsMode TLSv1.2

Example of changing from TLSv1.0 to TLSv1.2 (port 443):

    XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
    Storage system address: 127.0.0.1
    Storage system port: 443
    HTTPS connection

    1:
    FIPS 140 mode = disabled
    TLS 1.0 mode = enabled
    TLS mode = TLSv1.0 and above
    Restricted shell mode = enabled

    XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security set -tlsMode TLSv1.2
    Storage system address: 127.0.0.1
    Storage system port: 443
    HTTPS connection

    Please refer to the Security Configuration Guide for backward compatibility. This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
    Do you want to continue?
    yes / no: yes

    Operation completed successfully.

    XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
    Storage system address: 127.0.0.1
    Storage system port: 443
    HTTPS connection

    1:
    FIPS 140 mode = disabled
    TLS 1.0 mode = disabled <<<
    TLS mode = TLSv1.2 and above <<<
    Restricted shell mode = enabled

Note: The following error, "Error code: 0x1000302", may appear immediately after changing the settings, because the management services are restarting. If it occurs, run the command again after about 5 minutes.

    Operation failed. Error code: 0x1000302
    Remote server is not available. Please contact server support (Error Code:0x1000302)
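After both the port 5085 (svc_nas) and port 443 (uemcli) changes, a practitioner wants two confirmations: that every SP reports current_value = 4 (not just configured_value, which the article shows staying ahead of current_value until the reboot), and that the array really refuses TLS 1.0 and 1.1 on the wire, which is what Nessus plugin 104743 tests. The script below is an added example, not Dell's code or part of the article. It assumes the svc_nas output layout shown above (an "SPA :" / "SPB :" header per Storage Processor followed by "key = value" lines), uses only the Python standard library, and the host name in the usage comment is a placeholder.

```python
"""Verification helpers for the Unity TLS hardening described in the article.

Added example, not Dell's code. Assumes the svc_nas output layout shown in the
article and uses only the Python standard library.
"""
import re
import socket
import ssl

# Meaning of the svc_nas ssl 'protocol' parameter values, as printed by -info.
PROTOCOL_VALUES = {
    0: "all SSL/TLS protocols are allowed",
    1: "SSLv3 and above",
    2: "TLSv1.0 and above",
    3: "TLSv1.1 and above",
    4: "TLSv1.2 and above",
}
TARGET_VALUE = 4  # value the article sets to disable TLS 1.0 and 1.1 on port 5085

_SP_HEADER = re.compile(r"^(SP[AB])\s*:\s*$")


def parse_svc_nas_info(text):
    """Parse 'svc_nas ALL -param -facility ssl -info protocol -v' output into
    {sp_name: {key: value}}. The description line itself contains '=' signs,
    so only the first '=' on a line separates key from value."""
    result, sp = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = _SP_HEADER.match(line)
        if header:
            sp = header.group(1)
            result[sp] = {}
            continue
        if sp is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[sp][key.strip()] = value.strip()
    return result


def _as_int(value):
    return int(value) if value.strip().isdigit() else None


def classify_sp(params):
    """'compliant' once current_value is 4; 'reboot_pending' when configured_value
    is 4 but the SP has not been rebooted yet (current_value still old, exactly as
    in the article's step 3 output); 'non_compliant' otherwise."""
    current = _as_int(params.get("current_value", ""))
    configured = _as_int(params.get("configured_value", ""))
    if current == TARGET_VALUE:
        return "compliant"
    if configured == TARGET_VALUE:
        return "reboot_pending"
    return "non_compliant"


def assess(text):
    """Map each SP in the svc_nas output to its compliance state."""
    return {sp: classify_sp(p) for sp, p in parse_svc_nas_info(text).items()}


def probe_tls_version(host, port, version, timeout=5.0):
    """Re-check from the network what Nessus plugin 104743 reports: offer the
    array exactly one protocol version and see whether the handshake succeeds.
    Returns 'accepted', 'refused' or 'untestable' (local OpenSSL cannot even be
    configured for that version). Caveat: OpenSSL 3 builds may also refuse TLS
    1.0/1.1 at their default security level, so cross-check a 'refused' for those
    versions with the scanner. Certificate checks are off: this tests protocol
    support, not trust. Non-TLS socket errors (unreachable host) propagate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
    except ssl.SSLError:
        return "refused"


# Constructed sample modelled on the article's step 3 output: SPA modified but
# not yet rebooted, SPB already rebooted. Not real array output.
SAMPLE_AFTER_MODIFY = """\
SPA :
name = protocol
facility_name = ssl
default_value = 2
current_value = 2
configured_value = 4
range = (0,4)
description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above
SPB :
name = protocol
facility_name = ssl
default_value = 2
current_value = 4
configured_value = 4
range = (0,4)
description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above
"""

if __name__ == "__main__":
    for sp, state in assess(SAMPLE_AFTER_MODIFY).items():
        print(sp, state)
    # Live check after the reboot, against both hardened ports (placeholder host):
    # for port in (443, 5085):
    #     for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
    #         print(port, v.name, probe_tls_version("unity.example.local", port, v))
```

Run the parser on the saved output of step 3 and again after step 5: any SP still reporting reboot_pending has not been rebooted, and the port 5085 listener on it still accepts TLS 1.0. The live probe is the same check the scanner performs, so an accepted result for TLSv1 or TLSv1_1 on 443 or 5085 means the corresponding procedure above has not taken effect yet.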