This article pertains to security vulnerabilities that are relevant to the Redstor product suite.
- Attack against RC4 stream cipher (CVE-2013-2566)
- POODLE (CVE-2014-3566)
- Heartbleed (CVE-2014-0160)
- Logjam (CVE-2015-4000)
- General SChannel vulnerability (CVE-2015-1637)
- Block insecure renegotiations
- The DROWN attack (CVE-2016-0800)
Attack against RC4 stream cipher (CVE-2013-2566)
The use of RC4 in TLS and SSL could allow an attacker to perform a man-in-the-middle attack and recover plaintext from encrypted sessions. Redstor recommends restricting the use of RC4 by removing it as an available cipher (as per the Microsoft Security Advisory 2868725).
Warning: If RC4 is disabled on your Storage Platform's operating system, Agent versions older than 7.14 will not be able to connect to the Storage Platform. Upgrade your Agent to a later version.
a) To secure the server where the Storage Platform is installed:
- Download and install update 2868725 relevant to your operating system (Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT) from the Microsoft Download Center.
- Alternatively, if your operating system is not displayed, e.g. Windows Server 2003, consult article 245030 for steps on how to restrict the use of the RC4 cryptographic algorithms in the Ciphers registry key under the SCHANNEL key in the Windows registry.
Note:
- Windows 8.1, Windows Server 2012 R2 and Windows RT 8.1 are not affected because these operating systems already include the functionality to restrict the use of RC4.
- To continue using Redstor utilities like the Log Analyzer, make sure to download the latest version from the Support utilities page.
b) Alternatively, for Redstor Pro V8 (R4) and later, an easier method for disabling RC4 exists:
- In the Storage Platform installation folder, open the "SecurityUpdates" folder.
- Right-click on the "BlockRC4.reg" file and click Merge.
The necessary keys will be updated to the Windows registry to prevent RC4 from being used.
POODLE (CVE-2014-3566)
The POODLE vulnerability is a man-in-the-middle exploit that affects SSL 3.0. To secure the server where the Storage Platform is installed, Redstor recommends a workaround by disabling SSL 3.0 on Windows Server operating systems (as per the Microsoft Security Advisory 3009008):
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK.
Note: If this value is already present, double-click it to edit its current data instead of adding it again.
- In the Edit DWORD (32-bit) Value dialog box, type 0.
- Click OK. Restart the computer.
Warning:
- This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.
- After applying this workaround, Agent machines that rely only on SSL 3.0 will not be able to communicate with the server.
- To continue using Redstor utilities like the Log Analyzer, make sure to download the latest version from the Support utilities page.
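The PowerShell script below is an added example; it is not a Redstor script and not the contents of BlockRC4.reg. It applies the same SCHANNEL registry changes described in the manual RC4 steps (article 245030) and in the SSL 3.0 steps above, then reads them back so the change can be verified before the reboot. It assumes an elevated PowerShell prompt on the Windows host that runs the Storage Platform; the key names are the standard SCHANNEL ones (the three RC4 cipher keys and the SSL 3.0 server protocol key).

```powershell
# Added example (not Redstor's own code): disable the RC4 ciphers and the
# SSL 3.0 server protocol via the SCHANNEL registry keys that the manual
# steps above describe. Run from an elevated prompt; SCHANNEL only picks the
# change up after a restart.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Disable-SchannelKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $SubKey   # e.g. 'Ciphers\RC4 128/128'
    )
    # The cipher key names contain a forward slash ("RC4 128/128"). The
    # PowerShell registry provider treats "/" as a path separator, so
    # New-Item/Set-ItemProperty would create a nested "RC4 128\128" key.
    # The .NET registry API takes the name literally, so it is used here.
    $fullPath = "$SchannelPath\$SubKey"
    if ($PSCmdlet.ShouldProcess("HKLM\$fullPath", 'Set Enabled = 0 (DWORD)')) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($fullPath)
        try {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally {
            $key.Dispose()
        }
    }
}

function Get-SchannelEnabled {
    param([Parameter(Mandatory = $true)] [string] $SubKey)
    # Returns $true or $false from the Enabled value, or $null when the key
    # or value is absent (the operating system default then applies).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelPath\$SubKey")
    if ($null -eq $key) { return $null }
    try {
        $value = $key.GetValue('Enabled')
        if ($null -eq $value) { return $null }
        return ($value -ne 0)
    } finally {
        $key.Dispose()
    }
}

# Targets: the three RC4 cipher keys named in article 245030 and the
# server-side SSL 3.0 protocol key named in advisory 3009008.
$Targets = @(
    'Ciphers\RC4 128/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 40/128',
    'Protocols\SSL 3.0\Server'
)

foreach ($t in $Targets) {
    Disable-SchannelKey -SubKey $t
}

# Read the settings back so the result can be checked before rebooting.
foreach ($t in $Targets) {
    $state = Get-SchannelEnabled -SubKey $t
    $label = if ($null -eq $state) { 'not set (OS default)' }
             elseif ($state)       { 'ENABLED' }
             else                  { 'disabled' }
    '{0,-28} {1}' -f $t, $label
}
```

Because the functions support ShouldProcess, running the script with `-WhatIf` on each call (or setting `$WhatIfPreference = $true` first) shows which keys would be written without touching the registry. The same Agent caveat as in the warnings above applies: once RC4 and SSL 3.0 are off, Agents older than 7.14 and Agents that can only speak SSL 3.0 will no longer connect.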
Heartbleed (CVE-2014-0160)
Heartbleed is a security vulnerability in certain versions of the commonly used OpenSSL security library which allows an attacker to gain access to plaintext data transmitted over an encrypted SSL tunnel.
Redstor is not affected since neither the Storage Platform nor the Agent uses this OpenSSL library for secure communications.
Logjam (CVE-2015-4000)
The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography.
We have done extensive tests and none have indicated any Logjam vulnerability with the default Storage Platform configuration. However, the Storage Platform uses the TLS configuration of the host operating system on which it runs, so a non-standard host configuration could still expose it.
To test your Storage Platform server for the Logjam vulnerability, use the online tool here. Also refer to the Microsoft IIS section on the same page on how to configure Windows correctly (the Microsoft IIS section is applicable to the host and will also affect the Storage Platform).
General SChannel vulnerability (CVE-2015-1637)
Please consult the Windows security advisory on this vulnerability. Follow the procedure as described here to update SSL cipher suites in the Group Policy Editor.
Warning: This workaround will disable the use of RC4 on your Storage Platform's operating system. Agent versions older than 7.14 will not be able to connect to the Storage Platform. Upgrade your Agent to a later version.
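As an added example (not from the article, the linked advisories, or Redstor), the script below audits two host settings that the Logjam and SChannel sections above touch on: the cipher suite order that the "SSL Cipher Suite Order" Group Policy setting writes to the registry (flagging RC4, export-grade and finite-field DHE suites), and the minimum Diffie-Hellman server key length that Microsoft's Logjam update (MS15-055) introduced under the SCHANNEL KeyExchangeAlgorithms key. It is read-only. The registry paths are the standard Windows ones; the suite classification rules are the author's own assumptions about which suite names matter here.

```powershell
# Added example (not Redstor's code): read-only audit of the host TLS policy
# that the Storage Platform inherits. Nothing is modified.

# Registry location behind the "SSL Cipher Suite Order" Group Policy setting.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# Location of the minimum DH key length introduced by the Logjam update (MS15-055).
$DhPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-ConfiguredCipherSuites {
    # Returns the policy-configured suite list, or an empty array when no
    # policy is in place (the operating system default order then applies).
    $item = Get-ItemProperty -Path $PolicyPath -Name 'Functions' -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrWhiteSpace($item.Functions)) { return @() }
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-CipherSuiteList {
    param([Parameter(Mandatory = $true)] [string[]] $Suites)
    # Classify each suite; one suite can produce more than one finding.
    # The patterns are the author's assumptions, based on the standard
    # TLS_<kx>_WITH_<cipher>_<hash> naming that Windows uses.
    foreach ($s in $Suites) {
        $findings = @()
        if ($s -match 'RC4')    { $findings += 'RC4 stream cipher (CVE-2013-2566 / CVE-2015-1637 workaround says remove)' }
        if ($s -match 'EXPORT') { $findings += 'export-grade suite (Logjam downgrade target)' }
        if ($s -match '_DHE_' -or $s -match '^TLS_DH_') { $findings += 'finite-field Diffie-Hellman (check DH group size, see Logjam)' }
        if ($s -match '_NULL_') { $findings += 'NULL cipher (no confidentiality)' }
        [pscustomobject]@{
            Suite    = $s
            Findings = if ($findings.Count) { $findings -join '; ' } else { 'ok' }
        }
    }
}

function Get-DhServerMinKeyBitLength {
    # Returns the configured minimum DH server key size in bits, or $null
    # when the value is not set (the OS default then applies).
    $item = Get-ItemProperty -Path $DhPath -Name 'ServerMinKeyBitLength' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ServerMinKeyBitLength
}

$suites = Get-ConfiguredCipherSuites
if ($suites.Count -eq 0) {
    "No 'SSL Cipher Suite Order' policy is configured; the operating system default order is in use."
} else {
    Test-CipherSuiteList -Suites $suites | Format-Table -AutoSize
}

$dhMin = Get-DhServerMinKeyBitLength
if ($null -eq $dhMin) {
    'ServerMinKeyBitLength is not set; the SCHANNEL default minimum DH size applies.'
} else {
    "ServerMinKeyBitLength = $dhMin bits"
}
```

Running this before and after the Group Policy change from the SChannel procedure makes it easy to confirm that no RC4 suite remains in the configured order, and the DH read-out complements the online Logjam check in the Logjam section above rather than replacing it, since the online tool observes what the server actually negotiates.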
Block insecure renegotiations
To block insecure renegotiations:
- In the Storage Platform installation folder, open the "SecurityUpdates" folder.
- Right-click on the "BlockInsecureRenegotiation.reg" file and click Merge.
The necessary keys will be updated to the Windows registry.
The DROWN attack (CVE-2016-0800)
According to https://drownattack.com/, "DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL [...] However, due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS."
The Storage Platform does not allow SSLv2 connections and is therefore not affected by the DROWN vulnerability.