This document describes the Sustaining Engineering Statement regarding support of an enterprise application. Some customers have reported warnings generated by Nessus and Qualys scans against the ePO systems in their environment. Engineering analysis of the issues has concluded that while these analysis tools accurately flag certificate parameters, the ePO implementation qualifies for the exceptions noted in the warnings.
Description
Details of the scan warnings covered by this document are summarized below:
Nessus Scan

| Plug-in ID | Synopsis | Description |
|---|---|---|
| 51192 | The SSL certificate for this service is signed using an unknown certificate authority. | The X.509 certificate of the remote host isn't signed using a known public certificate authority. If the remote host is a public host in production, the use of SSL is nullified, as anyone can establish a man-in-the-middle attack against the remote host. |
| 57582 | The SSL certificate chain for this service ends in an unrecognized self-signed certificate. | The X.509 certificate chain for this service isn't signed using a recognized certificate authority. If the remote host is a public host in production, the use of SSL is nullified, as anyone can establish a man-in-the-middle attack against the remote host. |
| 45411 | The SSL certificate for this service is for a different host. | The 'commonName' attribute of the SSL certificate presented for this service is for a different system. |
These scan alerts are effectively identical to the following:
Qualys Scan Results

| QID | Category | Details |
|---|---|---|
| 38173 | General remote services | QID 38173 notes the following exception: If the server communicates with a restricted set of clients who have the server certificate or trusted CA certificate, the server or CA certificate might not be available publicly. The scan is then unable to verify the signature. |
| 38170 | General remote services | THREAT: An SSL certificate associates an entity (such as a person, organization, or host) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's certificate and extracts the Public Key in the certificate to establish a secure connection. A certificate whose Subject commonName or subjectAltName doesn't match the server FQDN offers only encryption without authentication. |
| 38169 | General remote services | A self-signed certificate. |
NOTE: Some scanners or penetration test reports categorize this finding as CWE-295: Improper Certificate Validation.
Research and Conclusions
The ePO engineering team has researched the findings and concluded that ePO isn't vulnerable to the reported findings.
The reason is that ports 8444 and 443, and DXL port 8883, aren't intended to be browsed with a web browser. They're accessed by MA, Agent Handler, DXL, or other ePO internal services.
The certificate trust is built on OrionCA, which is generated per ePO installation.
Regarding all warnings, the exception noted for QID 38173 applies:
- The ePO server, DXL, and Agent Handler components communicate only with a restricted set of clients who have the trusted certificate chain. The CA certificate isn't available publicly and can't be verified remotely.
- In addition, starting with ePO 5.10, the subjectAltName value on the console ports (port 8443 and 8444) is set, as advised in QID 38170.
NOTES:
- The ePO administrator can replace the certificate on port 8443, so this change doesn't apply when a custom certificate has been installed.
- For ports 443 and 8883, QID 38170 doesn't apply, because the certificate on port 443 is used in a closed system where the clients (MA) share a built-in trust relationship.
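The following added example (not part of the vendor statement, and not ePO's own tooling) reproduces the two views at the heart of this article: a scanner with no trust anchor for the per-installation CA fails chain validation, while a client holding that CA validates the chain and the subjectAltName. The CA it generates is a constructed stand-in for OrionCA, and `epo.example.test` is an assumed hostname; to check a real deployment, point `verifies_with_private_ca` at the exported OrionCA certificate and the certificate served on the port in question.

```shell
#!/bin/sh
# Added example, not from the article. The CA below is a constructed stand-in
# for the per-installation OrionCA; "epo.example.test" is an assumed hostname.
set -e
WORK=$(mktemp -d)
EPO_HOST="epo.example.test"

# Constructed private CA: generated per installation, never published (like OrionCA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Constructed OrionCA" >/dev/null 2>&1

# Server certificate carrying a subjectAltName, as the ePO 5.10 console ports do.
printf 'subjectAltName=DNS:%s\n' "$EPO_HOST" > "$WORK/san.cnf"
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
  -subj "/CN=$EPO_HOST" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/srv.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/san.cnf" -out "$WORK/srv.pem" >/dev/null 2>&1

# What Nessus 51192/57582 and QID 38169 see: only the public trust store,
# which does not contain the installation's CA, so the chain fails.
verifies_with_public_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# What MA, Agent Handler and DXL clients do: validate against the CA they were
# provisioned with, and match the expected hostname against the SAN
# (the check behind QID 38170 / Nessus 45411). Args: ca.pem cert.pem hostname
verifies_with_private_ca() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# List the SAN entries, to confirm the value the article says 5.10 sets.
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

if verifies_with_private_ca "$WORK/ca.pem" "$WORK/srv.pem" "$EPO_HOST"; then
  echo "chain and hostname OK against private CA; SAN = $(san_dns_names "$WORK/srv.pem")"
fi
```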
Disclaimer
Any future product release dates mentioned in this statement are intended to outline our general product direction. They can't be relied on in making a purchase decision.
The following criteria apply:
- The product release dates are for information purposes only, and might not be incorporated into any contract.
- The product release dates aren't a commitment, promise, or legal obligation to deliver any material, code, or functionality.
- The development, release, and timing of any features or functionality described for our products remain at our sole discretion. They might be changed or canceled at any time.