I set my Dell iDRAC's to use this cipher string, however it did not seem to resolve all the security concerns from our recent scan. Here are the items I still show as being concerns after applying the cipher code:
Vulnerability
Severity
Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater)
Thanks for your reply. My response above though was specifically related to the cipher string posted in this thread. CMBITPRO listed back January this cipher string which should generally resolve security advisories related to those ciphers, however a few of them are still flagged. Moreover, the search page you provided doesn't seem to have anything listed for the CVE number related to this (CVE-2002-20001). Also, some of the items that the Dell DRAC cards are being flagged for don't actually have CVE numbers at all such as (Cleartext Transmission of Sensitive Information via HTTP). Generally speaking though, my main concern right now is in relation to this specific post and the fact that there are still ciphers permitted that are being flagged. So is the cipher string(s) above wrong? Or are they missing information? And if so, what is the right cipher string to enter to shut of the remaining DHE ciphers?
To provide additional info, after applying the above listed cipher, the resulting scan shows the following allowed ciphers:
| TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A | compressors: | NULL | cipher preference: client |_ least strength: A
So how do we format the iDRAC cipher string to remove these: | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
Thank you, This worked great for iDRAC 8's. For iDRAC 9's though I initially had some issue with getting that added to the string. iDRAC 9's actually have 7 additional ciphers that need to be filtered out, and it seems that there is a character limit in the cipher string field in the iDRAC 9's. I had to add these to the middle of the string and allowed it to cut off some of the ciphers mentioned later on. My security scan didn't flag any ciphers afterwards, but its still important to note that some ciphers will get cut off at the end. Here are the cipher strings I used:
evans77
1 Message
0
April 17th, 2019 11:00
Super Helpful. Thank you.
CMBITPRO
1 Message
0
January 14th, 2022 14:00
In case anyone else is looking to strengthen their cipher security to remedy https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
This is the custom cipher string that fixes it. Also locks down access to modern devices only
ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:!aNULL:!AES128-SHA:!AES128-SHA256:AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-SEED-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!SEED-SHA
FSW Ant
3 Posts
0
July 26th, 2022 11:00
I set my Dell iDRAC's to use this cipher string, however it did not seem to resolve all the security concerns from our recent scan. Here are the items I still show as being concerns after applying the cipher code:
I'm guessing the Diffe Hellman ones are related to the fact that both of these are still permitted and it seems that all DHE should be disabled:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
Any recommendations on what to do to fix the rest of the vulnerability concerns?
DELL-Charles R
Moderator
•
4.7K Posts
0
July 27th, 2022 05:00
Hello FSW Ant,
Security Advisories and Notices can be searched here.
https://dell.to/3ovTWBd
Dell Vulnerability Response Policy outlined on this link.
If you identify one that is not on the list you can Report a Security Vulnerability on this page also : https://dell.to/3vgC7da
FSW Ant
3 Posts
0
July 27th, 2022 07:00
Thanks for your reply. My response above though was specifically related to the cipher string posted in this thread. CMBITPRO listed back January this cipher string which should generally resolve security advisories related to those ciphers, however a few of them are still flagged. Moreover, the search page you provided doesn't seem to have anything listed for the CVE number related to this (CVE-2002-20001). Also, some of the items that the Dell DRAC cards are being flagged for don't actually have CVE numbers at all such as (Cleartext Transmission of Sensitive Information via HTTP). Generally speaking though, my main concern right now is in relation to this specific post and the fact that there are still ciphers permitted that are being flagged. So is the cipher string(s) above wrong? Or are they missing information? And if so, what is the right cipher string to enter to shut of the remaining DHE ciphers?
To provide additional info, after applying the above listed cipher, the resulting scan shows the following allowed ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
So how do we format the iDRAC cipher string to remove these:
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
Thanks
DELL-Charles R
Moderator
•
4.7K Posts
0
July 27th, 2022 11:00
Hello FSW Ant,
For the cipher string you'll need to add :!DHE-DSS-AES128-GCM-SHA256:!DHE-DSS-AES256-GCM-SHA384 to the existing custom cipher string.
FSW Ant
3 Posts
0
August 3rd, 2022 11:00
Thank you, This worked great for iDRAC 8's. For iDRAC 9's though I initially had some issue with getting that added to the string. iDRAC 9's actually have 7 additional ciphers that need to be filtered out, and it seems that there is a character limit in the cipher string field in the iDRAC 9's. I had to add these to the middle of the string and allowed it to cut off some of the ciphers mentioned later on. My security scan didn't flag any ciphers afterwards, but its still important to note that some ciphers will get cut off at the end. Here are the cipher strings I used:
iDRAC 8:
ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:!aNULL:!AES128-SHA:!AES128-SHA256:AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:-DHE-RSA-AES128-GCM-SHA256:-DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-SEED-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!SEED-SHA
iDRAC 9:
ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:!aNULL:!AES128-SHA:!AES128-SHA256:AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:-DHE-RSA-CHACA20-POLY1305-SHA256:-DHE-RSA-AES256-CCM8:-DHE-RSA-AES256-CCM:-DHE-RSA-ARIA256-GCM-SHA384:-DHE-RSA-AES128-CCM8:-DHE-RSA-AES128-CCM:-DHE-RSA-ARIA128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-SEED-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!SEED-SHA
Perhaps the iDRAC support team can request that the cipher string field is granted the ability to have more characters in it in a future update.
Thanks