Dell OpenManage Essentials

Last reply by 04-13-2022 Solved

TLS/SSL Server Is Using Commonly Used Prime Numbers - Dell OME Vulnerability 3.8.3 (Build 8)

We are running Dell OME Version 3.8.3 (Build and our security team has forwarded me a vulnerability from our SIEM.

 

The server is using a common or default prime number as a parameter during the Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack. An attacker can spend a significant amount of time to generate a lookup/rainbow table for a particular prime number. This lookup table can then be used to obtain the shared secret for the handshake and decrypt the session.
 
Has anyone seen this vulnerability or know how to apply the cipher suites to mitigate this vulnerability?
 
Thanks!
Replies (4)

Hello dlongofbb,

 

I want to confirm which tool you are using. You posted in the OM Essentials section. Are you using OM Essentials or OM Enterprise?

 

Can you provide the CVE ID and the product vulnerability report?

 

Here we have our Security Advisories and Notices

https://www.dell.com/support/security/en-us

 


Dell -Charles R
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell

Did I answer your query? Please click on ‘Accept as Solution’. ‘Kudo’ the posts you like!

I posted incorrectly in the Essentials section; this is for the Dell OpenManage Enterprise solution.

Our SIEM did not provide a CVE ID, but here is some more detail:

https://www.rapid7.com/db/vulnerabilities/tls-dh-primes/

https://weakdh.org/

Thanks for responding and please move my post to the correct section.

Regards

 

Hello dlongofbb,

 

It will be fixed in version 3.9 that will come out in May.

I don't have an exact date though.

I hope that helps.


Dell -Charles R

Community Accepted Solution

Thank you Charles - very helpful!  Will keep my eyes open for the next release.
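
An added example, not part of the original thread and not Dell's or the scanner's code: a check of the kind behind the finding quoted in the question. It reads the prime from a DHE ServerKeyExchange parameter block and flags it if it is a published shared prime or shorter than a policy floor. The function names, the 2048-bit floor and the sample bytes are assumptions; the prime list holds only the RFC 2409 Oakley Group 2 prime as one well-known shared value and says nothing about which prime OpenManage Enterprise sends.

```python
import struct

# RFC 2409 Oakley Group 2 (1024-bit MODP) prime: a published, shared group.
OAKLEY_GROUP2_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
KNOWN_COMMON_PRIMES = {int(OAKLEY_GROUP2_HEX, 16): "RFC 2409 Oakley Group 2"}
MIN_BITS = 2048  # assumed policy floor; set to your organisation's standard


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys), each with a 2-byte length.
    Anything after dh_Ys (the signature) is ignored."""
    fields, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length for {name}")
        fields.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(fields)


def assess_dh_prime(p: int):
    findings = []
    if p in KNOWN_COMMON_PRIMES:
        findings.append("common prime: " + KNOWN_COMMON_PRIMES[p])
    if p.bit_length() < MIN_BITS:
        findings.append(f"prime is only {p.bit_length()} bits")
    return findings


def _field(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw

# Constructed sample body: shared prime, generator 2, dummy public value.
SAMPLE = _field(int(OAKLEY_GROUP2_HEX, 16)) + _field(2) + _field(0x1234)

if __name__ == "__main__":
    print(assess_dh_prime(parse_server_dh_params(SAMPLE)[0]))
```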
