A security vulnerability scanner may report a "Weak/Legacy Key Exchange Groups Found" alert on PowerProtect Data Protection Series Appliances and Integrated Data Protection Appliances (IDPA) ACM on port 8543. On IDPA version 2.7.9, the scanner reports the following Transport Layer Security (TLS) ciphers in use for ACM port 8543:

    PORT     STATE SERVICE  VERSION
    8543/tcp open  ssl/http Apache Tomcat 9.0.106
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: client
    |_  least strength: A

The vulnerability scanner advises removing all TLS_RSA_* cipher suites and retaining only TLS_ECDHE_RSA_* cipher suites using the secp256r1 curve.
Forward secrecy is a cryptographic property that ensures past communications remain secure even if long-term private keys are compromised. For TLS_RSA_* cipher suites, the RSA algorithm is used for key exchange. This method does not provide forward secrecy, meaning that if the server's private RSA key is compromised, previously recorded TLS sessions can be decrypted. For TLS_ECDHE_RSA_* cipher suites, Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is used for key exchange, while RSA is used only for authentication. An RSA private-key compromise can still enable impersonation of the server in future sessions, but it does not allow retrospective decryption of recorded traffic, so forward secrecy is preserved.
The permanent resolution is in the next IDPA software release, version 2.7.10 or later.

To work around the issue on IDPA software version 2.7.9 or earlier:

1. Log in to the ACM through SSH as the root user.

2. Make a copy of the Apache Tomcat configuration file:

    cp -p /usr/local/dataprotection/tomcat/conf/server.xml /usr/local/dataprotection/tomcat/conf/server.xml.default

3. Edit the Tomcat configuration file server.xml in a text editor such as vi and look for the keyword sslEnabledProtocols. Change the line from:

    clientAuth="false" sslEnabledProtocols="TLSv1.2" Server="DataDomain" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

   To:

    clientAuth="false" sslEnabledProtocols="TLSv1.2" Server="DataDomain" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" />

   The expected content is like the following:

4. Restart the ACM dataprotection_webapp service:

    service dataprotection_webapp restart

5. Verify that the IDPA ACM home page loads correctly.

6. It is suggested to rerun the port scan on ACM port 8543. The ciphers in use should now be limited to the following:

    PORT     STATE SERVICE  VERSION
    8543/tcp open  ssl/http Apache Tomcat 9.0.106
    |_http-server-header: DataDomain
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |     compressors:
    |       NULL
    |     cipher preference: client
    |_  least strength: A
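A check that can be run on the edited server.xml before restarting the service, to confirm no static-RSA suite is left in the cipher list. This is an added example, not Dell tooling or part of the original article; the function names and the constructed sample Connector fragment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Dell tooling: audit the ciphers="..." attribute of a
# Tomcat server.xml for suites that lack forward secrecy.

# Print every suite named in a ciphers="..." attribute, one per line.
# Newlines are folded first so an attribute wrapped across lines still parses.
list_ciphers() {
    tr '\n' ' ' < "$1" |
        grep -o 'ciphers="[^"]*"' |
        sed -e 's/^ciphers="//' -e 's/"$//' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^$'
}

# Return 0 if every suite is forward secret, 1 if any TLS_RSA_WITH_* suite
# (static RSA key exchange) remains, 2 if no cipher list is configured
# (the connector would then fall back to defaults this check cannot see).
check_forward_secrecy() {
    suites=$(list_ciphers "$1") || true
    if [ -z "$suites" ]; then
        echo "no ciphers attribute found in $1" >&2
        return 2
    fi
    bad=$(printf '%s\n' "$suites" | grep '^TLS_RSA_WITH_') || true
    if [ -n "$bad" ]; then
        printf 'static RSA key exchange: %s\n' $bad >&2
        return 1
    fi
    return 0
}

# Constructed sample: a Connector fragment carrying a subset of the page's
# original cipher list, wrapped across lines to exercise the folding above.
write_sample() {
    cat > "$1" <<'EOF'
<Connector port="8543" clientAuth="false" sslEnabledProtocols="TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
           TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />
EOF
}

# Run against a real file when a path is given on the command line.
if [ $# -gt 0 ]; then check_forward_secrecy "$1"; fi
```

Invoked with the path to server.xml, the script exits 0 only when the cipher list is free of TLS_RSA_WITH_* suites, and any remaining suites are named on standard error.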