Certificates-Vulnerability issues


This topic contains 0 replies, has 1 voice, and was last updated by Jae 8 months, 1 week ago.


  • Jae
    Participant
    #167504

    Hi,

    I apologize if this is not the section this should be posted in.

    Trying to figure out what needs to be done with the information listed below that was the result of an audit. The server is Windows 2012r2.

    I have tried to follow the info. out on the internet and obtain a certificate and also attempted to import the JJJ.wxyz.local certificate which is in the Remote Desktop Certificates into the 3rd Party and also the Trusted Root Authority. Obviously I’m not getting something right. Any thoughts on next step(s)?

    1)

    SSL Certificate – Signature Verification Failed Vulnerability

    Description: An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server’s Certificate and extracts the Public Key in the Certificate to establish the secure connection. The authentication is done by verifying that the public key in the certificate is signed by a trusted third-party Certificate Authority. If a client is unable to verify the certificate, it can abort communication or prompt the user to continue the communication without authentication.

    Affects:
    IP address: 24.178.28.28 (not the actual ip)
    Port: 3389/tcp
    Instance: Ubuntu / Tiny Core Linux/ Linux 2.6.x
    Compliance: FAIL
    Evidence: Certificate #0 CN=JJJ.wxyz.local unable to get local issuer certificate
    Exceptions, False Positives, or Compensating Controls Noted: This vulnerability is not included in the NVD

    Solution

    Ubuntu / Tiny Core Linux / Linux 2.6.x
    Please install a server certificate signed by a trusted third-party Certificate Authority.

    2)

    Login Form Is Not Submitted Via HTTPS

    Description: The login form’s default action contains a link that is not submitted via HTTPS (HTTP over SSL).

    Affects:
    IP address: 24.178.28.28 (not the actual ip)
    Port: 80/tcp
    Instance: Ubuntu / Tiny Core Linux/
    Compliance: FAIL
    Evidence: url: http://24.178.28.28
    Payload: N/A
    comment: Parent URL of Login Form is : http://24.178.28.28
    matched: Login Form Is Not Submitted Via HTTPS

    Exceptions, False Positives, or Compensating Controls Noted: This vulnerability is not included in the NVD

    Solution

    Ubuntu / Tiny Core Linux / Linux 2.6.x
    Change the login form’s action to submit via HTTPS.

    Any help appreciated.

    Regards,
    Jae
