Security Vulnerabilities reported on NetWorker Ports 5432, 5671, 9000, 9001

Summary: Rapid7 scan identified security vulnerabilities on various ports of NetWorker.


Symptoms

Vulnerabilities are reported on ports 5671, 9000, 9001.

Port 5671
TLS/SSL server using commonly used Prime Numbers

TLS Server Supports TLS version 1.1
X.509 Certificate Subject CN Does Not Match the Entity Name.
Untrusted TLS/SSL server X.509 certificate
Invalid TLS/SSL certificate


Port 9000
X.509 Certificate Subject CN Does Not Match the Entity Name.
Untrusted TLS/SSL server X.509 certificate
TLS/SSL Server Is Using Commonly Used Prime Numbers.
HTTP OPTIONS Method Enabled
TLS/SSL Server Supports The Use of Static Key Ciphers.


Port 9001
X.509 Certificate Subject CN Does Not Match the Entity Name.
Untrusted TLS/SSL server X.509 certificate
TLS/SSL Server Does Not Support Any Strong Cipher Algorithms.
TLS/SSL Server Supports The Use of Static Key Ciphers.

Cause

Vulnerability reported by a security scanner.

Resolution

 Port 5432

* X.509 Certificate Subject CN Does Not Match the Entity Name.
* Untrusted TLS/SSL server X.509 certificate
* Self-signed TLS/SSL certificate

Solution:

1. Go to C:\Program Files\EMC NetWorker\Management\nmcdb\pgdata\ (Windows);  /nsr/nmc/nmcdb/pgdata/ (Linux)
2. Rename server.crt and server.key.
3. Copy the CA-signed server certificate and private key as "server.crt" and "server.key" respectively to the same folder.
NOTE: On Linux systems, ensure that the files are owned by nsrnmc:nsrnmc and have 600 permissions.
chown nsrnmc:nsrnmc /nsr/nmc/nmcdb/pgdata/server.crt
chown nsrnmc:nsrnmc /nsr/nmc/nmcdb/pgdata/server.key

chmod 600 /nsr/nmc/nmcdb/pgdata/server.crt
chmod 600 /nsr/nmc/nmcdb/pgdata/server.key
4. Verify that the path and name are consistent in postgresql.conf.
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
5. Restart gst services:

Linux: 
systemctl restart gst
Windows:
net stop gstd
net start gstd
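
One way to check steps 3 and 4 on Linux before restarting the service. This is an added example, not Dell's code: check_pg_tls_files is a hypothetical helper, GNU stat is assumed, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. check_pg_tls_files is a hypothetical helper.
# Usage: check_pg_tls_files PGDATA_DIR OWNER:GROUP
# Prints one line per problem and returns 0 only when none were found.
check_pg_tls_files() {
    pgdata=$1; want_owner=$2; problems=0
    for key in ssl_cert_file ssl_key_file; do
        # Last uncommented  key = 'value'  line wins (quoted form, as on the page).
        name=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
            "$pgdata/postgresql.conf" | tail -n 1)
        # PostgreSQL falls back to server.crt / server.key when the key is unset.
        if [ -z "$name" ]; then
            case $key in ssl_cert_file) name=server.crt ;; *) name=server.key ;; esac
        fi
        # Relative names are resolved against the data directory.
        case $name in /*) path=$name ;; *) path=$pgdata/$name ;; esac
        if [ ! -f "$path" ]; then
            echo "$key: $path does not exist"; problems=$((problems + 1)); continue
        fi
        mode=$(stat -c '%a' "$path"); owner=$(stat -c '%U:%G' "$path")
        if [ "$mode" != 600 ]; then
            echo "$key: $path has mode $mode, expected 600"; problems=$((problems + 1))
        fi
        if [ "$owner" != "$want_owner" ]; then
            echo "$key: $path is owned by $owner, expected $want_owner"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed demo: a throwaway directory standing in for the pgdata folder.
demo=$(mktemp -d)
printf "ssl_cert_file = 'server.crt'\nssl_key_file = 'server.key'\n" > "$demo/postgresql.conf"
: > "$demo/server.crt"; : > "$demo/server.key"
chmod 600 "$demo/server.crt"; chmod 644 "$demo/server.key"
check_pg_tls_files "$demo" "$(stat -c '%U:%G' "$demo")" || true
rm -rf "$demo"
```

On a NetWorker Linux host the call would be check_pg_tls_files /nsr/nmc/nmcdb/pgdata nsrnmc:nsrnmc.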
 

Port 5671

* TLS/SSL server using commonly used Prime Numbers

Solution:
1. Generate DH parameters using openssl. Update the rabbitmq.config with the DH file.

Linux: /opt/nsr/rabbitmq-server-3.11.16/etc/rabbitmq/rabbitmq.config
openssl dhparam -out /opt/nsr/rabbitmq-server-3.11.16/etc/dhparam.pem 2048

Windows: C:\Program Files\EMC NetWorker\nsr\rabbitmq-server-3.7.16\etc\rabbitmq.config.
openssl.exe dhparam -out "C:\Program Files\EMC NetWorker\nsr\rabbitmq-server-3.8.3\etc\dhparam.pem" 2048
The 2048 refers to the size of the prime in bits.

2. Configure rabbitmq.config to use the file by adding the following configuration item within ssl_options, right after the "keyfile" line. The path must point to the location where dhparam.pem was written in step 1.
Linux:
{dhfile, "/opt/nsr/rabbitmq-server-3.11.16/etc/rabbitmq/dhparam.pem"},
Windows:
{dhfile, "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\dhparam.pem"},

Example:
Look for "ssl_options" and add the dhfile setting, as shown below:
     {ssl_options, [{cacertfile,        "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\cacert.pem"},
                  {certfile,            "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\cert.pem"},
                  {keyfile,             "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\key.pem"},
                  {dhfile,              "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\dhparam.pem"},
                  {verify,               verify_none},

* TLS Server Supports TLS version 1.1
 
Solution:
TLS version 1.1 can be removed from rabbitmq.config. Look for the line below:
% disable TLS 1.0, remove tlsv1.1 if it is not needed
                  {versions,   ['tlsv1.2', 'tlsv1.1']},

* X.509 Certificate Subject CN Does Not Match the Entity Name.
* Untrusted TLS/SSL server X.509 certificate
* Invalid TLS/SSL certificate

Solution:
 
1. Go to C:\Program Files\EMC NetWorker\nsr\rabbitmq-server-<some number>\etc (Windows). On Linux, the path is /opt/nsr/rabbitmq-server-<n.nn.nn>/etc/rabbitmq
2. Rename the existing .pem certificates.
3. Copy the CA-signed certificates using the same name as the original.

Where:
cacert.pem is the CA certificate bundle.
cert.pem is the public/server certificate.
key.pem is the private key.

4. Verify that the path and names are correctly reflected in rabbitmq.config.
    
Windows:
{ssl_options, [{cacertfile,           "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-<some numbers>\\etc\\cacert.pem"}, 
                  {certfile,             "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-<some numbers>\\etc\\cert.pem"}, 
                  {keyfile,              "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-<some numbers>\\etc\\key.pem"}, 

 Linux:

{ssl_options, [{cacertfile, "/etc/rabbitmq/cacert.pem"},
                    {certfile, "/etc/rabbitmq/cert.pem"},
                    {keyfile, "/etc/rabbitmq/key.pem"},

5. Start the NetWorker and GST service.
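
A quick audit of the rabbitmq.config settings covered in this section (dhfile, TLS versions, Windows path escaping) before the services are started. This is an added example, not Dell's code: audit_rabbit_tls and its finding names are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. audit_rabbit_tls is a hypothetical helper that
# prints space-separated findings for a rabbitmq.config file, or "ok".
audit_rabbit_tls() {
    # Strip Erlang comments (% to end of line) so the hint
    # "% ... remove tlsv1.1 if it is not needed" is not read as a live setting.
    active=$(sed 's/%.*//' "$1")
    findings=""
    dh=$(printf '%s\n' "$active" |
        sed -n 's/.*{[[:space:]]*dhfile[[:space:]]*,[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    case "$dh" in
        "") findings="$findings no-dhfile" ;;
        /*) [ -f "$dh" ] || findings="$findings dhfile-missing" ;;
    esac
    versions=$(printf '%s\n' "$active" | grep '{[[:space:]]*versions[[:space:]]*,' || true)
    case "$versions" in
        *"'tlsv1.1'"* | *"'tlsv1'"*) findings="$findings legacy-tls" ;;
    esac
    # Inside an Erlang string a lone backslash starts an escape (\n, \r, \e),
    # so Windows paths must use doubled backslashes.
    if printf '%s\n' "$active" | grep -E '\{[[:space:]]*(cacertfile|certfile|keyfile|dhfile)' |
        grep -Eq '"[^"]*[^\\]\\[^\\][^"]*"'; then
        findings="$findings single-backslash"
    fi
    findings=${findings# }
    printf '%s\n' "${findings:-ok}"
}

# Constructed sample modelled on the Linux ssl_options excerpt above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
{ssl_options, [{cacertfile, "/etc/rabbitmq/cacert.pem"},
               {certfile, "/etc/rabbitmq/cert.pem"},
               {keyfile, "/etc/rabbitmq/key.pem"},
               % disable TLS 1.0, remove tlsv1.1 if it is not needed
               {versions, ['tlsv1.2', 'tlsv1.1']},
               {verify, verify_none}]}
EOF
audit_rabbit_tls "$sample"    # prints: no-dhfile legacy-tls
rm -f "$sample"
```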


Port 9000 and 9001

See the following article regarding replacing self-signed certificates with CA-signed certificates: NetWorker: How to Import or Replace Certificate Authority Signed Certificates for NMC

* TLS/SSL Server Is Using Commonly Used Prime Numbers

Solution:
1. Generate DH parameters using openssl.

Windows:
openssl.exe dhparam -out "C:\Program Files\EMC NetWorker\Management\GST\apache\conf\apachedhparam.pem" 2048

Linux:
openssl dhparam -out "/opt/lgtonmc/apache/conf/apachedhparam.pem" 2048

2. Add "SSLOpenSSLConfCmd DHParameters <location of dhparam.pem>" in httpd.conf.

Windows:
SSLOpenSSLConfCmd DHParameters "C:\Program Files\EMC NetWorker\Management\GST\apache\conf\apachedhparam.pem"

Linux:

<VirtualHost *:9000>
Servername localhost:9000
...
...
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3:!TLSv1.0:!TLSv1.1:!ADH:!MEDIUM:!LOW:@STRENGTH
SSLOpenSSLConfCmd DHParameters /opt/lgtonmc/apache/conf/apachedhparam.pem

</VirtualHost>

* HTTP OPTIONS Method Enabled

This vulnerability does not apply to the NMC. The mod_rewrite module is not loaded by the NMC.

* TLS/SSL Server Supports The Use of Static Key Ciphers.

Comment out the original SSLCipherSuite in httpd.conf. Replace with the one below.

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!3DES:!MD5:!PSK:!RC4
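
To confirm what the active directive enables after the edit, the helpers below pick the uncommented SSLCipherSuite from httpd.conf and list the suites that openssl reports with static RSA key exchange (Kx=RSA), the kind of suite this scanner finding refers to. This is an added example, not Dell's code: the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# Print the cipher string of the last active SSLCipherSuite directive in an
# httpd.conf, skipping lines commented out with '#'.
active_cipher_suite() {
    awk '$1 ~ /^#/ { next }
         tolower($1) == "sslciphersuite" { suite = $NF }
         END { if (suite != "") print suite }' "$1"
}

# Read `openssl ciphers -v` output on stdin and print the suites whose key
# exchange is static RSA (Kx=RSA), which provide no forward secrecy.
static_key_ciphers() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "Kx=RSA") { print $1; break } }'
}

# Expand the active cipher string with the local openssl and list static suites.
audit_httpd_ciphers() {
    suite=$(active_cipher_suite "$1")
    if [ -z "$suite" ]; then echo "no active SSLCipherSuite in $1" >&2; return 2; fi
    openssl ciphers -v "$suite" | static_key_ciphers
}

# Constructed lines in the format printed by `openssl ciphers -v`.
printf '%s\n' \
  'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD' \
  'DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD' \
  'AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD' \
  'AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1' | static_key_ciphers
```

Pass the path of the NMC httpd.conf to audit_httpd_ciphers; an empty result means the local openssl expands the string to no Kx=RSA suites. When a file holds several VirtualHost blocks, only the last active directive is examined.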


* TLS/SSL Server Does Not Support Any Strong Cipher Algorithms

This is not expected on NetWorker releases 19.5 and later. NetWorker 19.5 is End of Support Life (EOSL).

* TLS/SSL Server Supports The Use of Static Key Ciphers.

This is not addressed on the Windows platform yet. This is addressed in a bug fix.

Additional Information

Affected Products

NetWorker

Products

NetWorker Family, NetWorker Management Console
Article Properties
Article Number: 000193150
Article Type: Solution
Last Modified: 23 April 2026
Version: 4