Vulnerability testing performed on a server running Symantec Endpoint Protection Manager (SEPM) may raise an alert for use of a weak 64-bit block cipher (3DES). To clear this alert, and to mitigate attacks against the weak cipher (such as SWEET32), 3DES must be disabled on the SEPM server.
3DES allows legacy operating systems (XP and 2003) to communicate with a SEPM over TLS; however, it is a vulnerable cipher, and some organizations may need to disable it to comply with vulnerability scanning requirements.
To disable 3DES for client communications and SEPM Reporting functions, please make the following changes:
1.) Create backups first, then edit the sslForClients.conf files within the following path:
5.) Reboot the SEPM server, or restart the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.
6.) Re-run any vulnerability scans as needed to confirm that the findings relating to the 64-bit block cipher are now resolved. (By default, tests would be run against port 443 for secure client communications and port 8445 for SEPM Reporting.)
Note: Disabling 3DES in sslForClients.conf will prevent Windows XP and 2003 systems from communicating, even if these clients have had TLS enabled per TECH231025. If there are still managed XP and 2003 clients that need to maintain communication with the SEPM, 3DES must be left enabled in sslForClients.conf.
To disable 3DES for internal SEPM server communications and web services:
1.) Create a backup first, then edit server.xml found in the following path:
\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf
2.) Search for instances of "3DES" contained within strings that begin with "SSLCipherSuite", for example:
3.) Add a "bang" (!) immediately before "3DES" in each such string to exclude that cipher, as demonstrated here:
4.) Restart the SEPM and SEPM Webserver services, or reboot the SEPM server.
5.) Re-run any vulnerability scans as needed to confirm that the findings relating to the 64-bit block cipher are now resolved. (By default, tests would be run against port 8443 for SEPM server functions and port 8446 for SEPM web services.)
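The edit described in both procedures above (back up the file, then put a "!" in front of 3DES in every SSLCipherSuite string), written out as an added Python example that is not Symantec's own tooling. It goes one step beyond the article by also appending "!3DES" to strings that never name 3DES, so that broad aliases such as HIGH cannot pull the cipher back in. The two SSLCipherSuite spellings it matches and the sample config are assumptions, not copied from real SEPM files.

```python
"""Add an explicit '!3DES' exclusion to SSLCipherSuite strings in SEPM config files."""
import re
import shutil
from pathlib import Path

# Assumed spellings for the files named above: Apache style
# 'SSLCipherSuite HIGH:...' (sslForClients.conf) and the Tomcat attribute
# 'SSLCipherSuite="HIGH:..."' (server.xml).
CIPHER_ATTR = re.compile(r'(SSLCipherSuite\s*=?\s*"?)([^"\s]+)("?)')

# Constructed sample with one string of each style; not a real SEPM file.
SAMPLE_CONFIG = ('SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:3DES:!aNULL"\n'
                 'SSLCipherSuite HIGH:MEDIUM:!aNULL\n')

def disable_3des_in_string(cipher_string: str) -> str:
    """Turn a bare '3DES' (or '+3DES') token into '!3DES', as in the steps above.
    Going one step further than the article: if 3DES is never named, '!3DES' is
    appended so aliases such as HIGH or MEDIUM cannot pull it back in. Strings
    that already exclude 3DES come back unchanged, so this is safe to re-run."""
    out = []
    for tok in filter(None, cipher_string.split(":")):
        if not tok.startswith("!") and tok.upper().lstrip("+-") == "3DES":
            out.append("!3DES")
        else:
            out.append(tok)
    if "!3DES" not in (t.upper() for t in out):
        out.append("!3DES")
    return ":".join(out)

def disable_3des_in_text(text: str) -> tuple[str, int]:
    """Rewrite every SSLCipherSuite string in text; return (new_text, strings changed)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        fixed = disable_3des_in_string(m.group(2))
        count += fixed != m.group(2)
        return m.group(1) + fixed + m.group(3)

    return CIPHER_ATTR.sub(repl, text), count

def disable_3des_in_file(path: str) -> int:
    """Step 1 of the procedure: copy the file to <name>.bak, then apply the edit in place."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    new_text, count = disable_3des_in_text(p.read_text(encoding="utf-8"))
    if count:
        p.write_text(new_text, encoding="utf-8")
    return count
```

Run disable_3des_in_file() against a copy of server.xml or sslForClients.conf, then restart the services as the steps above describe; the returned count tells you how many cipher strings were actually changed.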
The following Nmap commands were used to confirm that the changes recommended above addressed the 64-bit block cipher findings:
nmap -p 8443,8446 --script ssl-cert,ssl-enum-ciphers <SEPM IP>
nmap -p 443,8445 --script ssl-cert,ssl-enum-ciphers <SEPM IP>