Brocade Network Advisor vulnerable to SWEET32

OK, OK, don’t panic. In 99.999% of all cases you’re BNA management system is well dug deep inside the datacenter’s behind a fair few layers of firewalls, switch ACL’s and other physical or non-physical borders so bad dudes being able to exploit the vulnerability is relatively unlikely. Just in the event you still want to prevent  from even being remotely possible here is a procedure to remove the underlying issue as well as being able to remove some older, less-secure, protocols.

The first option is to upgrade to version 14.3.1 where this is fixed and the 3DES-EDE cipher is disabled. In case you don’t want to (or can) upgrade read on.

As the BNA webserver is being managed by JBOSS the configuration of security and encryption protocols is done by a java engine. Therefore the security layer of https is also managed by that.

There are a few things that can be managed here but the important part is to remove the vulnerable cipher.

In order to do that you need to open the file “<Install-dir>\jre64\lib\security\java.security” and search for the line starting with “jdk.tls.disabledAlgorithms” and add “DESede” to the list.

Save the file and restart BNA.

A way to check if the vulnerability has been resolved you can use a tool call “nmap”. (Check nmap.org) and execute the following command in a command prompt:

nmap -sS -Pn -p443 –script=ssl* <ip address of the BNA server> -d -n

The result, when still vulnerable, will look the same or similar like this:

< snip>

TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) – C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack

<snip>

When the cipher has been excluded and BNA restarted you’ll see it looks like this:

<snip>

| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
|_sslv2-drown:

<snip>

 

You can also remove one or more of the encryption algorithms if required. The SSLv3 is one example and TLSv1 is another. The same line will then look similar like this:

jdk.tls.disabledAlgorithms=SSLv3, MD5, TLSv1, DES, 3DES, DESede, RC2, DHE, DH,  ECDHE, ECDH, RC4, MD5withRSA, DH keySize < 768, \ EC keySize < 1024

After restarting BNA these protocols will not be provided again. Be aware that your browser also needs to be up-to date and be able to use one of the algorithms and ciphers that are used then.

 

Hope this helps.

Regards,

Erwin

Print Friendly, PDF & Email

About Erwin van Londen

Master Technical Analyst at Hitachi Data Systems
Brocade Technical, Config Guide, Troubleshooting , , , ,