NetWorker: How to disable port 5672 for DSA-2018-120, to avoid scan software still showing the vulnerability

Summary: Due to the Clear-Text Authentication Vulnerability, port 5672 was found to be sending unencrypted credentials. As a remedy, port 5671 was introduced to make use of SSL ciphers, but port 5672 is still open because some NetWorker functions need it to operate; therefore some scan software may still report the vulnerability on the NetWorker server. This article describes how to completely disable this port.


Instructions

Before reading this article, make sure you have read and understood KB article 523985: DSA-2018-120: Dell EMC NetWorker Clear-Text Authentication Over Network Vulnerability.

After the fix was implemented to remediate CVE-2018-11050, there are some further points that may need attention:
  • The scan software continues to show the vulnerability, as the non-SSL port is still open for backward compatibility (this applies to NMC and Hyper-V FLR/NMM).
  • NetWorker internal services (nsrd/nsrjobd) started using the SSL-enabled port (5761) on the fixed versions; however, the non-SSL port is still open and is used by NetWorker/NMM for other operations.
  • This issue is fixed in those versions by no longer sending user credentials unencrypted to the remote AMQP service over the non-SSL port 5672.
  • If you want to use the non-SSL port, you can continue to use it.
  • For those who want to use the SSL port, this fix provides the mechanism.
  • If you disable port 5672, the correct operation of other NetWorker services is affected, such as Hyper-V, NMM, etc. (all application clients).

Q: Can I block port 5672 in our firewall to stop the security scan from reporting it?
A: No. Port 5672 must be open from the NMC server to the NetWorker server. This is the "Message Queue Adapter" port.

The AMQP clients interact with the Message Bus on port 5672, and it must be open. Port 5671 must be open for SSL.

The only feature exposed from the NetWorker server over this port is the job status of backups, nothing more. Hence it is a read-only operation, which limits the risk that any rogue component could pose.

Starting with the fixed NetWorker versions specified in KB article 523985: DSA-2018-120: Dell EMC NetWorker Clear-Text Authentication Over Network Vulnerability, NetWorker uses 5671 (SSL) for authentication and encrypts the credentials with the ciphers mentioned. However, blocking 5672 will adversely affect the scenario in KB article 503523: NetWorker 9: When a firewall is blocking port 5672, the NMC Monitoring displays Status "Never Run" for policies, and clicking on Workflow status pops up "Message bus unable to open socket connection to host <NetWorker_server> on port 5672: request timed" (\BRM\DPC\FLR etc.), hence:
  • The RabbitMQ bus continues to be available over unencrypted (no TLS) AMQP on port 5672.
  • The RabbitMQ bus is now also available over encrypted (TLS) AMQP on port 5671.
  • Port 5671 must be open inbound on the NetWorker server.
  • The NMC server connects to port 5671, so it needs to be open outbound from NMC to NetWorker.
Summary: 5671 and 5672 are both used for several other operations besides authentication. The vulnerability is reported on 5672 (non-SSL), where the credentials were sent using an unencrypted method.
If 5672 shows up in the scan, the only option for now is to ignore it, as port 5672 is no longer used for sending the vulnerable credentials (credentials are now sent through port 5671).

That being said, this article applies only if:
Before disabling port 5672, be sure the above requirements are met.

Steps to disable port 5672:
  1. Edit or create the file /nsr/rabbitmq-server-<version>/etc/rabbitmq.config.
Have the SSL options in place, as the SSL port is the one we use.
The lines referencing tcp_listeners must be commented out, except the first one below:
{tcp_listeners, []}, %% an empty tcp_listeners list makes RabbitMQ listen on no non-SSL port
%% {tcp_listeners, [{"127.0.0.1", 5672},
%%                  {"::1",       5672}]},
  2. For more security, it is recommended to have the following settings in place (check rabbitmq.config.example attached):
{honor_cipher_order, true},
{honor_ecc_order, true},
{ciphers,  [
"list of ciphers"
]},

as stated in https://www.rabbitmq.com/ssl.html:
During TLS connection negotiation, the server and the client negotiate what cipher suite is used. It is possible to force the server's TLS implementation to dictate its preference (cipher suite order) to avoid malicious clients that intentionally negotiate weak cipher suites in preparation for running an attack on them. To do so, configure honor_cipher_order and honor_ecc_order to true.
  3. The NSR service must be disabled on the NetWorker server.
After every reboot, it is enabled by default again, so it needs to be re-disabled. This is due to bug 300070, fixed in 9.2.2 and above releases.

Steps to disable it:
nsradmin
> p type:nsr service
> update enabled: No
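To check the resulting rabbitmq.config before restarting the service, here is an added example (it is not part of this article and not NetWorker's or RabbitMQ's own code) that parses the classic Erlang-term config and reports whether a plain-text tcp_listeners entry is still present or honor_cipher_order/honor_ecc_order are not set to true. The two sample configs and the certificate paths in them are constructed for the example.

```python
import re

# Tokenizer for the classic Erlang-term rabbitmq.config: %-comments are dropped,
# leaving strings, atoms, integers and the punctuation { } [ ] , .
_TOK = re.compile(r'%.*|"(?:[^"\\]|\\.)*"|[A-Za-z_][\w@]*|-?\d+|[{}\[\],.]')

def parse_terms(text):
    # Erlang tuple -> tuple, list -> list, string -> str, integer -> int, atom -> str
    toks = [t for t in _TOK.findall(text) if not t.startswith('%')]
    pos = 0
    def term():
        nonlocal pos
        t, pos = toks[pos], pos + 1
        if t in ('{', '['):
            close, items = ('}' if t == '{' else ']'), []
            while toks[pos] != close:
                items.append(term())
                if toks[pos] == ',':
                    pos += 1
            pos += 1  # consume the closing bracket
            return tuple(items) if close == '}' else items
        if t.startswith('"'):
            return t[1:-1]
        return int(t) if t.lstrip('-').isdigit() else t
    return term()  # the trailing '.' after the top-level term is left unread

def lint_rabbit_config(text):
    # Empty result = no plain AMQP listener and the TLS listener enforces the server's cipher order.
    rabbit = dict(dict(parse_terms(text)).get('rabbit', []))
    findings = []
    if rabbit.get('tcp_listeners') != []:
        findings.append('tcp_listeners missing or non-empty: plain AMQP (default port 5672) stays reachable')
    ssl_opts = dict(rabbit.get('ssl_options', []))
    for key in ('honor_cipher_order', 'honor_ecc_order'):
        if ssl_opts.get(key) != 'true':
            findings.append(f'{key} is not true: a client could negotiate a weak cipher suite')
    return findings

# Constructed sample configs; certificate paths are placeholders, not NetWorker's own.
WEAK_CONFIG = """[{rabbit, [
   {tcp_listeners, [{"127.0.0.1", 5672}, {"::1", 5672}]},
   {ssl_listeners, [5671]},
   {ssl_options, [{certfile, "/path/to/server.pem"}, {keyfile, "/path/to/server.key"}]}
 ]}]."""
HARDENED_CONFIG = """[{rabbit, [
   {tcp_listeners, []},   %% listen on no plain-text port
   {ssl_listeners, [5671]},
   {ssl_options, [{certfile, "/path/to/server.pem"}, {keyfile, "/path/to/server.key"},
                  {honor_cipher_order, true}, {honor_ecc_order, true},
                  {ciphers, ["ECDHE-RSA-AES256-GCM-SHA384"]}]}
 ]}]."""
```

Run lint_rabbit_config on the real file's contents; an empty list means the plain-text listener is gone and the cipher-order settings from step 2 are in place.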

Additional Information

Due to the Clear-Text Authentication Vulnerability, port 5672 was found to be sending unencrypted credentials. As a remedy, port 5671 was introduced to make use of SSL ciphers, but port 5672 is still open because some NetWorker functions need it to operate; therefore some scan software may still report the vulnerability on the NetWorker server. This article describes how to completely disable this port.

More information about rabbitmq.config options is available at:
  • https://www.rabbitmq.com/configure.html
  • https://www.rabbitmq.com/ssl.html
  • https://www.rabbitmq.com/networking.html

Affected Products

NetWorker

Article Properties
Article Number: 000020688
Article Type: How To
Last Modified: 16 Jun 2025
Version:  3