
need to fix netbotz vulnerability in 570model


This question was originally posted on DCIM Support by Gnanamurthy on 2019-11-21


The below vulnerability needs to be fixed.

SHA-1-based Signature in TLS/SSL Server X.509 Certificate

Stop Using SHA-1

Configuration remediation steps

Stop using signature algorithms relying on SHA-1, such as "SHA1withRSA", when signing X.509 certificates. Instead, use the SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512).

TLS Server Supports TLS version 1.1

Disable insecure TLS/SSL protocol support

Configuration remediation steps

Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers.

TLS/SSL Server Supports The Use of Static Key Ciphers

Disable TLS/SSL support for static key cipher suites

Configuration remediation steps

Configure the server to disable support for static key cipher suites.

For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling static key cipher suites.

The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration. Instead, use TLSv1.1 and TLSv1.2 protocols.

Refer to your server vendor documentation to apply the recommended cipher configuration:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Weak Cryptographic Key

Use a Stronger Key

Configuration remediation steps

If the weak key is used in an X.509 certificate (for example for an HTTPS server), generate a longer key a

(CID:152077339)
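An added example, not part of the original post or the scan report: a name-based audit of the cipher string quoted above, sorting each entry into static-key, ephemeral AEAD, or ephemeral non-AEAD so the list can be compared with the report's AEAD and static-key remediation text. The category names and matching rules are assumptions of this example, and the NetBotz configuration interface itself is not shown on the page.

```python
# Added example: name-based audit of an OpenSSL-format cipher string.
# The categories and matching rules are this example's assumptions.

# Cipher string copied from the scan report quoted in the post.
REPORT_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)

EPHEMERAL = ("ECDHE-", "DHE-", "EDH-")   # key exchange gives forward secrecy
AEAD = ("GCM", "CCM", "CHACHA20")        # authenticated-encryption modes


def classify(entry):
    """Return the category of one colon-separated cipher string entry."""
    if entry[0] in "!-":
        return "exclusion"
    if "+" in entry or "-" not in entry:
        return "selector"            # alias such as kEDH+AESGCM or HIGH
    if not entry.startswith(EPHEMERAL):
        return "static-key"          # e.g. AES128-SHA (RSA key transport)
    if any(tag in entry for tag in AEAD):
        return "ephemeral-aead"
    return "ephemeral-non-aead"      # MAC-then-encrypt suites


def audit(cipher_string):
    """Group every entry of a cipher string by category."""
    groups = {}
    for entry in filter(None, cipher_string.split(":")):
        groups.setdefault(classify(entry), []).append(entry)
    return groups


def aead_only(cipher_string):
    """Keep only named suites that are ephemeral and AEAD."""
    return ":".join(audit(cipher_string).get("ephemeral-aead", []))


if __name__ == "__main__":
    for category, entries in audit(REPORT_CIPHERS).items():
        print(f"{category:20} {len(entries):2}  {', '.join(entries)}")
```

Entries reported as `selector` expand inside the TLS library, so their effect has to be checked against the server's negotiated suites rather than by name.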
