How to disable a weak certificate on TCP ports 5550 and 5580 (CVE-2004-2761, CVE-2005-4900)
Originally Published: 2024-09-16
Applies To
RSA Product/Service Type: Authentication Agent 7.4.x for Windows
Issue
This legacy Windows agent used the agent auto-registration service on the Authentication Manager (TCP port 5550) to automatically create and update agent host entries for dynamic agents that used DHCP. This same agent also used TCP port 5580 to download offline authentication files. These two TCP ports, if enabled, will present an old server certificate file called server.cer, which was originally signed with MD5, and later signed with SHA1.
Vulnerability scans run against these TCP ports will find and flag these old certificates as weak. RSA Engineering's response explaining why these findings are not exploitable is given in the Notes below. However, if your deployment does not need Authentication Agent 7.4.x for Windows, agent auto-registration, or offline downloads, you can disable (or simply not enable) these services so that the old certificates are never presented.
Tasks
- Disable the agent auto-registration service and/or agent offline authentication service in the Authentication Manager Security Console (Setup > System > Agents).
- Set the configuration value "auth_manager.agent_protocol.auto_reg_ssl_enabled" to "false".
- Set the configuration value "auth_manager.offline_auth.disable_port_enabled" to "true".
- Restart the biztier service.
Resolution
- Login to the Security Console of the primary Authentication Manager server.
- Navigate to Setup > System > Agents.
- Note that the two settings work in opposite directions: clear the agent auto-registration service checkbox to disable auto-registration, but select the offline authentication download service checkbox to disable offline downloads.
- Ensure that SSH access to the Authentication Manager primary is enabled. Log in to the Operations Console and go to Administration > Operating System Access. Check the option to Enable SSH and click Save.
- SSH to the Authentication Manager primary server and login with the rsaadmin user and password.
- Navigate to /opt/rsa/am/utils.
- To set the configuration value auth_manager.agent_protocol.auto_reg_ssl_enabled to false, run the command ./rsautil store -a config_all auth_manager.agent_protocol.auto_reg_ssl_enabled false
- To set the configuration value auth_manager.offline_auth.disable_port_enabled to true, run the command ./rsautil store -a config_all auth_manager.offline_auth.disable_port_enabled true
- Navigate to /opt/rsa/am/server.
- Restart the biztier service with the following command:
./rsaserv restart biztier nodep
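After the biztier restart, a quick way to confirm the change took effect is to probe both ports from another host and classify whatever certificate is still served. The helper below is an added example, not RSA's own tooling; it assumes openssl is installed on the scanning host and that "Signature Algorithm" lines from openssl x509 -text identify MD5/SHA1 signatures as the weak ones scanners flag.

```shell
#!/bin/sh
# Added verification helper (not part of the RSA article).
# Reads "openssl x509 -text" output on stdin and prints the signature class:
#   none   - no Signature Algorithm line found (no certificate parsed)
#   weak   - MD5 or SHA1 signature, the case scanners flag on 5550/5580
#   strong - anything else (e.g. sha256WithRSAEncryption)
classify_sig_alg() {
    alg=$(sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$alg" in
        "")                        echo "none";   return 2 ;;
        *md5*|*MD5*|*sha1*|*SHA1*) echo "weak";   return 1 ;;
        *)                         echo "strong"; return 0 ;;
    esac
}

# check_port HOST PORT: connect with openssl s_client, extract the served
# certificate and classify its signature. An empty result means the port
# no longer presents a certificate (service disabled or port closed), which
# is the expected state after the steps above.
check_port() {
    host=$1; port=$2
    cert=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null)
    if [ -z "$cert" ]; then
        echo "$host:$port: no TLS certificate presented"
        return 0
    fi
    printf '%s: signature is %s\n' "$host:$port" \
        "$(printf '%s\n' "$cert" | classify_sig_alg)"
}

# Usage (hostname is a placeholder): check both legacy agent ports.
# check_port am-primary.example.com 5550
# check_port am-primary.example.com 5580
```

If the legacy port only negotiates older protocol versions, a modern openssl may refuse the handshake and report no certificate; re-run with the matching -tls1 or -tls1_1 option on s_client to distinguish "port disabled" from "protocol mismatch".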
Notes
Details on port 5580
- The information transferred on 5580 is encrypted by other means.
- SSL is not used for encryption, authentication, or integrity as there is another level of encryption and a SKID2 challenge-response exchange handling the authentication and preventing man-in-the-middle attacks from recovering data or affecting its integrity. The security of the offline authentication data transmitted via SSL is not related to the link encryption.
Details on port 5550
- TLS/SSL is not used for confidentiality or integrity as there is no confidential data (only hostname and IP address) being sent in the message and no authentication data is transmitted over this connection.
- Man-in-the-middle attacks, if possible, would only recover data already available by other means.
- The client compares the server certificate with its local copy (a binary compare, not signature validation), so the potential issues with MD5 collision attacks are not applicable.
This Engineering response also applies to Authentication Manager internal 'plumbing' certs; that is, ports 7002 and 7022 used for replication, web tiers and trusted realm traffic.
The Authentication Manager server can be configured so that only the TLSv1.2 protocol is allowed on all TCP ports, with earlier TLS and SSL versions disabled. TLSv1.3 support is expected in Authentication Manager 9.