Security Vulnerabilities reported on NetWorker Ports 5432, 5671, 9000, 9001

Summary: Rapid7 scan identified security vulnerabilities on various ports of NetWorker.

This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

Vulnerabilities are reported on ports 5671, 9000, 9001.

Port 5671
TLS/SSL server using commonly used Prime Numbers

TLS Server Supports TLS version 1.1
X.509 Certificate Subject CN Does Not Match the Entity Name.
Untrusted TLS/SSL server X.509 certificate
Invalid TLS/SSL certificate


Port 9000
X.509 Certificate Subject CN Does Not Match the Entity Name.
Untrusted TLS/SSL server X.509 certificate
TLS/SSL Server Is Using Commonly Used Prime Numbers.
HTTP OPTIONS Method Enabled
TLS/SSL Server Supports The Use of Static Key Ciphers.


Port 9001
X.509 Certificate Subject CN Does Not Match the Entity Name.
Untrusted TLS/SSL server X.509 certificate
TLS/SSL Server Does Not Support Any Strong Cipher Algorithms.
TLS/SSL Server Supports The Use of Static Key Ciphers.

Cause

Vulnerability reported by a security scanner.

Resolution

Port 5432

* X.509 Certificate Subject CN Does Not Match the Entity Name.
* Untrusted TLS/SSL server X.509 certificate
* Self-signed TLS/SSL certificate

Solution:

1. Go to C:\Program Files\EMC NetWorker\Management\nmcdb\pgdata\ (Windows);  /nsr/nmc/nmcdb/pgdata/ (Linux)
2. Rename server.crt and server.key.
3. Copy the CA-signed server and private key as "server.crt" and "server.key" respectively to the same folder.
NOTE: On Linux systems, ensure that the files are owned by nsrnmc:nsrnmc and have 600 permissions.
chown nsrnmc:nsrnmc /nsr/nmc/nmcdb/pgdata/server.crt
chown nsrnmc:nsrnmc /nsr/nmc/nmcdb/pgdata/server.key

chmod 600 /nsr/nmc/nmcdb/pgdata/server.crt
chmod 600 /nsr/nmc/nmcdb/pgdata/server.key
4. Verify that the path and name are consistent in postgresql.conf.
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
5. Restart gst services:

Linux: 
systemctl restart gst
Windows:
net stop gstd
net start gstd

 

Port 5671

* TLS/SSL server using commonly used Prime Numbers

Solution:
1. Generate DH parameters using openssl. Update the rabbitmq.config with the DH file.

Linux: /opt/nsr/rabbitmq-server-3.11.16/etc/rabbitmq/rabbitmq.config
openssl dhparam -out /opt/nsr/rabbitmq-server-3.11.16/etc/dhparam.pem 2048

Windows: C:\Program Files\EMC NetWorker\nsr\rabbitmq-server-3.7.16\etc\rabbitmq.config.
openssl.exe dhparam -out "C:\Program Files\EMC NetWorker\nsr\rabbitmq-server-3.8.3\etc\dhparam.pem" 2048
The 2048 refers to the size of the prime in bits.

2. Point rabbitmq.config at the DH file by adding the configuration item:
Linux: 
{dhfile, "/opt/nsr/rabbitmq-server-3.11.16/etc/rabbitmq/dhparam.pem"},
Windows:
{dhfile, "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\dhparam.pem"},
(In rabbitmq.config a Windows path must use doubled backslashes, as the existing cacertfile, certfile and keyfile lines do: a single backslash starts an escape sequence in an Erlang string, so "\nsr" and "\etc" would not be read as path separators.)
within the ssl_options right after the "keyfile" line.

Example:
Look for "ssl_options" and add the dhfile settings, as shown below:
     {ssl_options, [{cacertfile,        "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\cacert.pem"}, 
                  {certfile,            "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\cert.pem"}, 
                  {keyfile,             "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\key.pem"}, 
                  {dhfile,               "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-3.8.3\\etc\\dhparam.pem"},
                  {verify,               verify_none}, 
* TLS Server Supports TLS version 1.1
 
Solution:
TLS version 1.1 can be deleted from the rabbitmq.config. Look for the line below:
% disable TLS 1.0, remove tlsv1.1 if it is not needed 
                  {versions,   ['tlsv1.2', 'tlsv1.1']}, 
                  
* X.509 Certificate Subject CN Does Not Match the Entity Name.
* Untrusted TLS/SSL server X.509 certificate
* Invalid TLS/SSL certificate

Solution:
 
1. Go to C:\Program Files\EMC NetWorker\nsr\rabbitmq-server-<some number>\etc (Windows). On Linux, the path is /opt/nsr/rabbitmq-server-<n.nn.nn>/etc/rabbitmq
2. Rename the existing .pem certificates.
3. Copy the CA-signed certificates to the same folder, using the same names as the originals.

Where:
cacert.pem is the CA certificate bundle.
cert.pem is the public/server certificate.
key.pem is the private key.

4. Verify that the path and names are correctly reflected in rabbitmq.config.
    
     Windows:
 
{ssl_options, [{cacertfile,           "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-<some numbers>\\etc\\cacert.pem"}, 
                  {certfile,             "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-<some numbers>\\etc\\cert.pem"}, 
                  {keyfile,              "C:\\Program Files\\EMC NetWorker\\nsr\\rabbitmq-server-<some numbers>\\etc\\key.pem"}, 

   
    Linux:

{ssl_options, [{cacertfile, "/etc/rabbitmq/cacert.pem"},
                    {certfile, "/etc/rabbitmq/cert.pem"},
                    {keyfile, "/etc/rabbitmq/key.pem"},
 

5. Start the NetWorker and GST services.


Port 9000

* X.509 Certificate Subject CN Does Not Match the Entity Name.
* Untrusted TLS/SSL server X.509 certificate

Solution:

1) Rename "server.crt" and "server.key". On Windows, the files are in C:\Program Files\EMC NetWorker\Management\GST\apache\conf. On Linux, the files are located in /opt/lgtonmc/apache/conf.

2) Copy the CA-signed server certificate and private key into the same folder. Rename the CA-signed server certificate to "server.crt" and the server key to "server.key".

3) Confirm that the path and name are consistent in C:\Program Files\EMC NetWorker\Management\GST\apache\conf\httpd.conf and C:\Program Files\EMC NetWorker\Management\GST\apache\conf\https.conf. On Linux, httpd.conf is located under /opt/lgtonmc/apache/conf.

The lines to review are the following - 

Windows:

SSLCertificatefile "C:\Program Files\EMC NetWorker\Management\GST\apache\conf\server.crt"
SSLCertificateKeyfile "C:\Program Files\EMC NetWorker\Management\GST\apache\conf\server.key"

 Linux:

SSLCertificatefile /opt/lgtonmc/apache/conf/server.crt
SSLCertificateKeyfile /opt/lgtonmc/apache/conf/server.key


4) On Linux, the files' permissions should be 600 and the owner should be nsrnmc.

-rw------- 1 nsrnmc nsrnmc  1679 May 17 16:26 server.key
-rw------- 1 nsrnmc nsrnmc  1216 May 17 16:26 server.crt
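The following POSIX shell script is an added example; it is not part of this article and not NetWorker code. It automates the checks the certificate-replacement steps for ports 5432 and 9000 ask for before the service is restarted: that server.key and server.crt belong together, that the certificate carries the NMC host name (the "Subject CN Does Not Match the Entity Name" finding), and that the key is mode 600 and owned by the service account. Its only dependency is the openssl command line; the host name and the service account are passed as arguments and the example call at the end assumes the article's Linux Apache paths.

```shell
#!/bin/sh
# Added example, not part of the Dell article: pre-restart checks for a replaced
# server.key / server.crt pair. Paths are arguments, so the same checks cover the
# NMC PostgreSQL files (nmcdb/pgdata, port 5432) and the Apache files
# (apache/conf, port 9000). Requires the openssl CLI.

# The private key and the certificate must carry the same public key. Comparing
# the two SubjectPublicKeyInfo PEM outputs is the same test as the article's
# sha256sum comparison, without the extra hashing step.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Names the certificate is valid for: the subject CN, then every DNS entry of the
# subjectAltName extension (one per line). Scanners compare the entity name
# against these, so the NMC host name must appear here.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Exact, case-insensitive match of a host name against the certificate names.
# Wildcard entries are not expanded: request the literal host name instead.
cert_matches_host() {
    cert_names "$1" | grep -qix "$2"
}

# The private key must be readable only by the service account (mode 600) and
# owned by it, as the article requires for nsrnmc on Linux.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1" 2>/dev/null)
    owner=$(stat -c '%U' "$1" 2>/dev/null) || owner=$(stat -f '%Su' "$1" 2>/dev/null)
    [ "$mode" = "600" ] && [ "$owner" = "$2" ]
}

# Runs all three checks; exit status 0 means the pair is ready to install.
# Arguments: key cert hostname owner
precheck_pair() {
    pair_matches "$1" "$2"      || { echo "key and certificate do not match" >&2; return 1; }
    cert_matches_host "$2" "$3" || { echo "certificate is not valid for $3" >&2; return 1; }
    key_is_private "$1" "$4"    || { echo "$1 must be mode 600, owned by $4" >&2; return 1; }
    echo "ok: $2 matches $1 and is valid for $3"
}

# Typical call on an NMC server, assuming the article's Linux paths and a
# hypothetical host name:
# precheck_pair /opt/lgtonmc/apache/conf/server.key /opt/lgtonmc/apache/conf/server.crt nmc.example.com nsrnmc
```

Run it before step 5 of the port 5432 procedure or before restarting Apache for port 9000; a non-zero exit with the message on stderr means the new files should not be installed yet. The host name check is exact, so a certificate issued to a wildcard name will be reported as not matching even though browsers would accept it.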


* TLS/SSL Server Is Using Commonly Used Prime Numbers

Solution:

1) Generate DH parameters using openssl.

 Windows:

openssl.exe dhparam -out  "C:\Program Files\EMC NetWorker\Management\GST\apache\conf\apachedhparam.pem" 2048

 Linux:

openssl dhparam -out "/opt/lgtonmc/apache/conf/apachedhparam.pem" 2048

 

2) Add "SSLOpenSSLConfCmd DHParameters <location of dhparam.pem>" in httpd.conf

Windows:

SSLOpenSSLConfCmd DHParameters "C:\Program Files\EMC NetWorker\Management\GST\apache\conf\apachedhparam.pem"

 

 Linux:

<VirtualHost *:9000>
Servername localhost:9000
...
...
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3:!TLSv1.0:!TLSv1.1:!ADH:!MEDIUM:!LOW:@STRENGTH
SSLOpenSSLConfCmd DHParameters /opt/lgtonmc/apache/conf/apachedhparam.pem

</VirtualHost>

* HTTP OPTIONS Method Enabled
This vulnerability does not apply to the NMC. The mod_rewrite module is not loaded by the NMC.

* TLS/SSL Server Supports The Use of Static Key Ciphers.

Comment out the original SSLCipherSuite in httpd.conf. Replace with the one below.

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!3DES:!MD5:!PSK:!RC4
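Added example, not from this article: a small shell audit that expands an SSLCipherSuite value with the local OpenSSL and reports the suites that still use static RSA key exchange, which is what the "Static Key Ciphers" finding refers to (the session key is encrypted to the server's long-lived RSA key, so there is no forward secrecy). Applied to the active SSLCipherSuite line of httpd.conf it shows exactly which configured suites a scanner will still flag; entries without an ECDHE- or DHE- prefix, such as AES256-GCM-SHA384 and AES128-SHA, and the HIGH group all expand to Kx=RSA suites, so it is worth running against the string above after editing. The httpd.conf path in the final comment is the article's Linux location; the functions themselves are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Dell article: checks an Apache SSLCipherSuite
# value with the local OpenSSL. A "static key" cipher is one whose key exchange
# is plain RSA (Kx=RSA in "openssl ciphers -v" output). Requires the openssl CLI.

# Expands a cipher string the way OpenSSL (and therefore mod_ssl) will, one
# suite per line: name, protocol, key exchange, authentication, cipher, MAC.
expand_suites() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Names of the suites in the string that use static RSA key exchange.
static_key_suites() {
    expand_suites "$1" | awk '$3 == "Kx=RSA" { print $1 }'
}

# Exit status 0 when the string is valid and every suite offers forward
# secrecy (ECDHE, DHE or TLS 1.3, which never use Kx=RSA).
forward_secrecy_only() {
    [ -z "$(static_key_suites "$1")" ] && expand_suites "$1" | grep -q .
}

# Value of the last uncommented occurrence of a directive in an httpd.conf.
# Commented lines start with "#", so their first field never equals the name.
active_directive() {
    awk -v d="$2" '$1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); v = $0 } END { print v }' "$1"
}

# Static-key suites that the configuration file actually enables.
httpd_static_key_suites() {
    static_key_suites "$(active_directive "$1" SSLCipherSuite)"
}

# Audit the NMC Apache configuration (Linux path from the article):
# httpd_static_key_suites /opt/lgtonmc/apache/conf/httpd.conf
```

The expansion depends on the OpenSSL that Apache is linked against, so run the audit on the NMC host itself rather than on a workstation. An empty result from httpd_static_key_suites together with a zero exit from forward_secrecy_only on the same string is the condition the scanner is testing for.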

 

Port 9001


* X.509 Certificate Subject CN Does Not Match the Entity Name.
* Untrusted TLS/SSL server X.509 certificate

We provide support to replace the certificate used by port 9001.

On Windows:

To generate cakey.pem from CA signed certificate:

Get the CA signed certificates in individual key files, or in a single file in PFX format.
If the CA signed certificates are in a single PFX file, extract the private key, and the CA signed certificate with OpenSSL tool.
NOTE: Windows may not have OpenSSL installed. You can install OpenSSL separately.
Extract the private key, and the CA signed certificate from the PFX file. Private key:
# openssl pkcs12 -in <file>.pfx -out server.key -nodes -nocerts

CA certificate:
# openssl pkcs12 -in <file>.pfx -out server.crt -nokeys

Verify the integrity of the server.key and server.crt. Private key:
# openssl pkey -in server.key -pubout -outform pem | sha256sum

CA certificate:
# openssl x509 -in server.crt -pubkey -noout -outform pem | sha256sum
NOTE: Ensure that the two outputs show the same checksum hash. If the checksum hashes are the same, perform the next step. If they are different, there is an issue.
Convert the private key and the CA certificate to PEM format. Private key:
# openssl rsa -in server.key -outform pem -out server.key.pem

CA certificate:
# openssl x509 -in server.crt -outform pem -out server.crt.pem

Combine the key and the certificate into cakey.pem file for NMC.

Windows (PowerShell): PS > get-content server.key.pem,server.crt.pem | out-file -Encoding ascii cakey.pem
(Out-File in Windows PowerShell writes UTF-16 by default, which is not valid PEM; -Encoding ascii keeps cakey.pem readable as PEM.)

Shut down the NMC server.
Windows: net stop gstd

Copy the cakey.pem to the NMC servers installation location:
Windows: [Install Drive]:\Program Files\EMC NetWorker\Management\GST\etc\cakey.pem

Start the NMC server.
Windows: net start gstd


On Linux:

Get all the required certificates (root, intermediate, and server) in PEM file format. For example: server.key, RootCA.crt, InterCA.crt, and server.crt.
Convert the private key and the certificates (root, intermediate, and server) to PEM format. Private key:
# openssl rsa -in server.key -outform pem -out server.key.pem

Certificates:
# openssl x509 -in server.crt -outform pem -out server.crt.pem

# openssl x509 -in RootCA.crt -outform pem -out RootCA.crt.pem

# openssl x509 -in InterCA.crt -outform pem -out InterCA.crt.pem

After the Chain is ready, concatenate all certificates in one file with command:

> cat server.key.pem RootCA.crt.pem InterCA.crt.pem server.crt.pem > cakey.pem

NOTE: The order of the entries in the concatenation is important. server.key.pem must always be the first entry, and server.crt.pem must always be the last entry in this file. Change the owner and group of the file to nsrnmc.

Stop NetWorker services.

systemctl stop networker
systemctl stop gst

Move to directory /opt/lgtonmc/etc/, rename the existing cakey.pem, and copy the cakey.pem file which has your CA certificate chain.

Start the NetWorker services.

systemctl start networker
systemctl start gst

All the services should come up gracefully.
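Added example, not part of this article or of NetWorker: a shell check for the cakey.pem bundle built above, run before the file is copied to /opt/lgtonmc/etc/. It enforces the layout the note requires (private key first, server certificate last, at least one CA certificate in between) and then repeats the public-key comparison the article's sha256sum step performs, this time between the key and the last certificate in the bundle, since a chain concatenated in the wrong order has the same block count and passes a plain syntax check. It needs only the openssl command line; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Dell article: validates an NMC cakey.pem bundle
# (port 9001) before it is installed. Requires the openssl CLI.

# Labels of every "-----BEGIN ...-----" line, in file order.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Layout rule from the article: first block is the private key, last block is a
# certificate, and there are at least two certificates (chain plus server cert).
cakey_layout_ok() {
    types=$(pem_block_types "$1")
    first=$(printf '%s\n' "$types" | head -n 1)
    last=$(printf '%s\n' "$types" | tail -n 1)
    certs=$(printf '%s\n' "$types" | grep -c '^CERTIFICATE$')
    case "$first" in *"PRIVATE KEY") ;; *) return 1 ;; esac
    [ "$last" = "CERTIFICATE" ] && [ "$certs" -ge 2 ]
}

# Prints only the final CERTIFICATE block ("openssl x509 -in" reads the first).
last_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { buf = ""; inblk = 1 }
         inblk { buf = buf $0 "\n" }
         /^-----END CERTIFICATE-----$/ { inblk = 0; last = buf }
         END { printf "%s", last }' "$1"
}

# The public key of the last certificate must equal the one derived from the
# private key at the top of the bundle (the article's sha256sum comparison).
cakey_key_matches_server_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(last_cert "$1" | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Both checks; exit status 0 means the bundle is ready to copy into place.
cakey_ok() {
    cakey_layout_ok "$1" || { echo "$1: key must come first, server certificate last" >&2; return 1; }
    cakey_key_matches_server_cert "$1" || { echo "$1: last certificate does not match the private key" >&2; return 1; }
    echo "ok: $1 has $(pem_block_types "$1" | grep -c '^CERTIFICATE$') certificates and a matching key"
}

# cakey_ok cakey.pem     # run in the directory where the bundle was built
```

A bundle that fails the second check but passes the first almost always has server.crt.pem and a CA certificate swapped; rebuild it with the cat command above in the documented order rather than editing the file by hand.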



* TLS/SSL Server Does Not Support Any Strong Cipher Algorithms

Support for strong ciphers is in place on NetWorker 19.5 and newer releases. Update affected servers to NetWorker 19.5.x.

* TLS/SSL Server Supports The Use of Static Key Ciphers.

This is not addressed on the Windows platform yet. This is addressed in a bug fix.

 

Products

NetWorker
Article Properties
Article Number: 000193150
Article Type: Solution
Last Modified: 16 March 2026
Version:  3