Unsolved
1 Rookie
62 Posts
Old SAN HQ, self-signed certificate using SHA1
Hi
We have a SAN HQ server, but our security scans are flagging that a cert on the server is using SHA1.
The cert was issued by "Dell EqualLogic Self-signed"; it's good until 2041, but it's using the old hash.
What is this cert for exactly, and can it be deleted or easily replaced with a new one? I read maybe it's for SupportAssist. We don't use that anymore, so could it just be deleted?
Thanks
DellEMCSupport
Moderator
631 Posts
May 25th, 2023 08:00
Hello l4ndo,
This is the first I have heard of this. It may take me more research.
Could you let us know what tool you are using for scanning for vulnerabilities?
Can you post the details on an image or the scan results?
l4ndo
1 Rookie
62 Posts
May 25th, 2023 09:00
Nessus for scanning.
SSL Certificate Signed Using Weak Hashing Algorithm
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Signature Algorithm : SHA-1 With RSA Encryption
It's probably because it's an ancient server with an old SAN HQ, but I was just wondering if deleting it would be a quick fix, as if it's associated with SupportAssist, then we don't care about that not working.
It's all due for decom anyway, so it's no sweat if you can't find any information.
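Added example (not from this thread, and not Dell's own tooling): a standard-library Python script that reproduces the check behind the Nessus finding quoted above. It fetches the leaf certificate a TLS port presents, walks the DER Certificate structure far enough to read the outer signatureAlgorithm OID (RFC 5280, section 4.1), and flags MD2/MD4/MD5/SHA-1 signatures. The host name and port passed on the command line are assumptions about where SAN HQ listens; the `constructed_certificate_shell` helper builds a constructed, certificate-shaped DER blob (empty tbsCertificate, real AlgorithmIdentifier, dummy signature) so the parsing logic can be exercised offline. It is not a real certificate.

```python
"""Identify the signature algorithm of a DER X.509 certificate and flag weak hashes.

Added example for the Nessus "SSL Certificate Signed Using Weak Hashing Algorithm"
finding. Standard library only; the DER walk reads just enough of the structure:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
"""
import base64
import ssl

# OID -> name for common signature algorithms (RFC 3279, RFC 4055, RFC 5758)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
WEAK_HASHES = ("md2", "md4", "md5", "sha1")  # the hashes the Nessus plugin names


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted form (base-128 arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the dotted OID from the outer signatureAlgorithm field of a DER Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def classify_signature(der):
    """Return (algorithm name, is_weak) for a DER certificate."""
    oid = signature_algorithm_oid(der)
    name = SIGNATURE_OIDS.get(oid, oid)
    weak = any(h in name.lower() for h in WEAK_HASHES)
    return name, weak


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def check_server(host, port=443):
    """Fetch the leaf certificate a TLS server presents and classify its signature.
    No chain validation is done, so self-signed certificates are accepted."""
    pem = ssl.get_server_certificate((host, port))
    return classify_signature(pem_to_der(pem))


# ---- constructed test data (not a real certificate) ------------------------
def _tlv(tag, content):
    """DER-encode one TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def constructed_certificate_shell(sig_oid_bytes):
    """CONSTRUCTED sample: empty tbsCertificate, the given AlgorithmIdentifier
    (OID + NULL parameters) and a dummy BIT STRING. Enough to exercise the parser."""
    tbs = _tlv(0x30, b"")
    alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00")
    return _tlv(0x30, tbs + alg + sig)


SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    import sys
    for raw in (SHA1_RSA_OID, SHA256_RSA_OID):
        name, weak = classify_signature(constructed_certificate_shell(raw))
        print(f"{name}: {'WEAK' if weak else 'ok'}")
    if len(sys.argv) == 3:  # e.g. python check_sig.py <sanhq-host> 443  (assumed port)
        name, weak = check_server(sys.argv[1], int(sys.argv[2]))
        print(f"{sys.argv[1]}:{sys.argv[2]} -> {name} ({'WEAK' if weak else 'ok'})")
```

Two caveats when using this against a real host: Nessus evaluates every certificate in the chain the service sends, while `ssl.get_server_certificate` returns only the leaf (for a self-signed certificate the leaf is the whole chain, so the result matches). And the script tells you which service presents the weak certificate, not whether anything else depends on it; confirming that before deleting a certificate from the store is the part the thread is asking about.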
DellEMCSupport
Moderator
631 Posts
May 25th, 2023 10:00
Hello l4ndo,
What version of SAN HQ are you on, and what version is your PowerStore unit?
It looks like "SSL Certificate Signed Using Weak Hashing Algorithm" is fixed with a firmware update.
Dell EqualLogic SAN HeadQuarters v3.5.1
https://dell.to/3qevMyY
And update your PowerStore
PS Series Firmware v10.0.3
https://dell.to/3OAs1hC
PS4100, PS4110, PS-M4110
PS4210
PS6000, PS6010, PS6100, PS6110
PS6500, PS6510
PS6210
PS6610
Or you may wait as you are decommissioning soon.
Jim SDCU
24 Posts
August 27th, 2023 16:26
@DellEMCSupport I also have this issue: SanHQ 3.51, HIT 5.5.0 on servers, firmware 10.0.3 on PS4210. Can't find any info on how to update that weak certificate that Nessus is finding. Ideas???
dwilliam62
3 Apprentice
1.5K Posts
August 28th, 2023 17:23
Hello
I suspect you are scanning the 4210, not HIT/SANHQ?
https://i.dell.com/sites/doccontent/shared-content/data-sheets/en/Documents/ESG-TechWP-Securing-EQL-SAN.pdf
The older SSH v1 support can be disabled on the PS Series.
You can also disable the older legacy protocols as well. However, if you are using the VMware Storage Manager (VSM) appliance, disabling legacy protocols will prevent VSM from communicating with the arrays.
Regards,
Don
Jim SDCU
24 Posts
August 29th, 2023 16:35
@dwilliam62
I'm scanning the servers w/HIT:
dwilliam62
3 Apprentice
1.5K Posts
August 31st, 2023 18:28
@Jim SDCU
Thank you for that. Do you have a test system, or maybe a VM you could use to test something, where you can take a snapshot and roll it back if it doesn't work?
I was pointed to this article:
https://michaelhowardsecure.blog/2022/02/10/restricting-tls-1-2-ciphersuites-in-windows-using-powershell/
Do not try this on a production system please.
Regards,
Don
#IWorkForDell