Our security department ran a Nessus scan on one of our NetWare 5.1
servers and found the following vulnerability.

20007 - Deprecated SSL Protocol Usage
Suggested remediation: Disable SSL 2.0 and use SSL 3.0 for TLS 1.0
instead

This server is retiring later on this year but I would like to close
this vulnerability if possible.

FYI, here are the patches installed on the NetWare 5.1 server in
question.
SP8,TCP587I,DSTSHIFT,NW51OS8A,WSOCK6M,NWLIB6J

The server is running eDir 8.7.3.

Any suggestions?


--
zelick
------------------------------------------------------------------------
zelick's Profile: http://forums.novell.com/member.php?userid=29407
View this thread: http://forums.novell.com/showthread.php?t=361718

Additional information:

We also received the following vulnerability for the 5.1 server in
question.

26928 - The remote service supports the use of weak SSL ciphers
Suggested remediation: Reconfigure the affected application if
possible

I am not sure if this vulnerability will be fixed by fixing the
previous issue.


--
zelick
------------------------------------------------------------------------
zelick's Profile: http://forums.novell.com/member.php?userid=29407
View this thread: http://forums.novell.com/showthread.php?t=361718

Zelick,
> 20007 - Deprecated SSL Protocol Usage
> Suggested remediation: Disable SSL 2.0 and use SSL 3.0 for TLS 1.0
> instead
>
Without knowledge on what port they found this vulnerability it is
impossible to say.

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)

Discover the Novell forums at http://forums.novell.com

Novell does not monitor these forums officially.
Enhancement requests for all Novell products may be made at
http://support.novell.com/enhancement

zelick wrote:

>20007 - Deprecated SSL Protocol Usage
>Suggested remediation: Disable SSL 2.0 and use SSL 3.0 for TLS 1.0
>instead

I don't know if you realize this, but NetWare 5.1 support ceased 3 and a
half years ago. The use of the older SSL 2.0 protocol is not a security
bug in itself, but just the use of old technology that is no longer
considered secure enough. Going to SSL3 would mean a functional update. As
such, you should not expect to get such a functional update on such an old
and obsolete OS.

What you can do to improve your security is to apply the latest
cryptographic related updates which are for instance NCI 2.6.8 and the
latest NTLS version for NetWare 5.1 that was part of edir8737.exe. For
more information on those updates, see:
http://wiki.novell.com/index.php/Universal_Password#What_to_do_about_NetWare_5.1_and_6.0_servers_in_your_tree
Of course, if the SSL2 issue remains a security issue for you, the only
solution is to not load the services that you deem insecure.

--
Marcel Cox
http://support.novell.com/forums
------------------------------------------------------------------------
Marcel Cox's Profile: http://forums.novell.com/member.php?userid=8

OK, thank you for your help


--
zelick
------------------------------------------------------------------------
zelick's Profile: http://forums.novell.com/member.php?userid=29407
View this thread: http://forums.novell.com/showthread.php?t=361718