Untrusted TLS/SSL server X.509 certificate

  • Question

  • Hello,

    On all servers just built I am receiving this report from the Security team:

    Asset Names: VSPRES01
    Asset IP Address: 10.12.176.158
    Service Port: 3389
    Vulnerability ID: tls-untrusted-ca
    Vulnerability CVE IDs: (blank)
    Vulnerability Age: 8 Days
    Vulnerability Risk Score: 697
    Exploit Minimum Skill: (blank)
    Exploit Count: 0
    Vulnerability Severity Level: 6
    Vulnerability Title: Untrusted TLS/SSL server X.509 certificate
    Vulnerability Description: The server's TLS/SSL certificate is signed by a Certification Authority (CA) that is not well-known or trusted. This could happen if: the chain/intermediate certificate is missing, expired or has been revoked; the server hostname does not match that configured in the certificate; the time/date is incorrect; or a self-signed certificate is being used. The use of a self-signed certificate is not recommended since it could indicate that a TLS/SSL man-in-the-middle attack is taking place
    Asset OS Name: Microsoft Windows Server 2016 Standard Edition
    Vulnerability Solution: Obtain a new certificate from your CA and ensure the server configuration is correct. Ensure the common name (CN) reflects the name of the entity presenting the certificate (e.g., the hostname). If the certificate(s) or any of the chain certificate(s) have expired or been revoked, obtain a new certificate from your Certificate Authority (CA) by following their documentation. If a self-signed certificate is being used, consider obtaining a signed certificate from a CA.
      References:
      - Mozilla: Connection Untrusted Error (https://support.mozilla.org/en-US/kb/connection-untrusted-error-message)
      - SSLShopper: SSL Certificate Not Trusted Error (https://www.sslshopper.com/ssl-certificate-not-trusted-error.html)
      - Windows/IIS certificate chain config (https://support.microsoft.com/en-us/kb/954755)
      - Apache SSL config (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html)
      - Nginx SSL config (http://nginx.org/en/docs/http/configuring_https_servers.html)
      - CertificateChain.io (https://certificatechain.io/)
    Vulnerability Proof: TLS/SSL certificate signed by unknown, untrusted CA: CN=VSPRES01.ad -- [Path does not chain with any of the trust anchors].
    Vulnerability CVSS Score: 5.8
    Vulnerability CVSSv3 Score: 0
    Asset Owner: (blank)
    Custom Tag: CiscoAMP,STATS-Internal,Sophos,Windows Server

    Asset Names: VSPRES02
    Asset IP Address: 10.12.176.159
    Service Port: 3389
    Vulnerability ID: tls-untrusted-ca
    Vulnerability CVE IDs: (blank)
    Vulnerability Age: 8 Days
    Vulnerability Risk Score: 697
    Exploit Minimum Skill: (blank)
    Exploit Count: 0
    Vulnerability Severity Level: 6
    Vulnerability Title: Untrusted TLS/SSL server X.509 certificate
    Vulnerability Description: The server's TLS/SSL certificate is signed by a Certification Authority (CA) that is not well-known or trusted. This could happen if: the chain/intermediate certificate is missing, expired or has been revoked; the server hostname does not match that configured in the certificate; the time/date is incorrect; or a self-signed certificate is being used. The use of a self-signed certificate is not recommended since it could indicate that a TLS/SSL man-in-the-middle attack is taking place
    Asset OS Name: Microsoft Windows Server 2016 Standard Edition
    Vulnerability Solution: Obtain a new certificate from your CA and ensure the server configuration is correct. Ensure the common name (CN) reflects the name of the entity presenting the certificate (e.g., the hostname). If the certificate(s) or any of the chain certificate(s) have expired or been revoked, obtain a new certificate from your Certificate Authority (CA) by following their documentation. If a self-signed certificate is being used, consider obtaining a signed certificate from a CA.
      References:
      - Mozilla: Connection Untrusted Error (https://support.mozilla.org/en-US/kb/connection-untrusted-error-message)
      - SSLShopper: SSL Certificate Not Trusted Error (https://www.sslshopper.com/ssl-certificate-not-trusted-error.html)
      - Windows/IIS certificate chain config (https://support.microsoft.com/en-us/kb/954755)
      - Apache SSL config (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html)
      - Nginx SSL config (http://nginx.org/en/docs/http/configuring_https_servers.html)
      - CertificateChain.io (https://certificatechain.io/)
    Vulnerability Proof: TLS/SSL certificate signed by unknown, untrusted CA: CN=VSPRES02.ad -- [Path does not chain with any of the trust anchors].
    Vulnerability CVSS Score: 5.8
    Vulnerability CVSSv3 Score: 0
    Asset Owner: (blank)
    Custom Tag: CiscoAMP,STATS-Internal,Sophos,Windows Server

    1. What is the name of the certificate I am looking for?

    2. Where is the certificate located?


    3. What is the resolution to apply on this certificate?

    Thanks,

    Dom


    Security / System Center Configuration Manager Current Branch / SQL


    • Edited by Felyjos Wednesday, September 2, 2020 4:15 AM
    Wednesday, September 2, 2020 4:05 AM

Answers

  • Hello,

    Security vulnerability scanning identifies that servers hosting RDP on port 3389 are vulnerable to attack via self-signed certificates.

    Message from security: "The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections."

    Enable server using remote desktop (RDP) for administration to use signed certificates: 

    Request New certificate

    Rt-Click Cert, Copy

    Paste it into Remote Desktop/Certificates:

    Then use the new cert Thumbprint in this PowerShell command.

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="Paste-THUMB-print-HERE"

    Note: Update successful.

    Once Update Successful, delete the self-signed cert:

    Thanks,

    Dom


    Security / System Center Configuration Manager Current Branch / SQL

    • Marked as answer by Felyjos Sunday, September 6, 2020 12:13 AM
    Sunday, September 6, 2020 12:13 AM
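The procedure in the accepted answer, as an added PowerShell example that is not part of the thread: it audits every certificate in the Remote Desktop store the same way the scanner does (does the chain end at a trust anchor, is it self-signed, does it carry a private key and the Server Authentication EKU) and, when a thumbprint is supplied, binds it to the RDP-Tcp listener through CIM instead of wmic. It assumes an elevated session on the Windows Server 2016 host and that the CA-issued certificate has already been placed in the Remote Desktop store; the parameter name and the hypothetical refusal logic are mine.

```powershell
# Added example (not from the thread). Audit the RDP listener certificate and
# optionally switch it to a CA-issued one by thumbprint (CIM equivalent of the
# wmic Win32_TSGeneralSetting call in the answer). Run elevated.
param(
    [string]$NewThumbprint = ''   # hypothetical parameter; empty = audit only
)

$ns  = 'root/cimv2/TerminalServices'
$ts  = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Write-Host "RDP-Tcp currently uses thumbprint: $($ts.SSLCertificateSHA1Hash)"

# Same test the scanner performs: build the chain against the local trust store.
function Test-RdpCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # expired/revoked chain links also fail
    $chainOk = $chain.Build($cert)
    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        HasKey      = $cert.HasPrivateKey
        ServerAuth  = [bool]($cert.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.1')
        NotAfter    = $cert.NotAfter
        ChainOK     = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object Status) -join ','   # e.g. UntrustedRoot
    }
}

# Report on everything in the store the reply points to (port 3389 -> Remote Desktop store).
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
    ForEach-Object { Test-RdpCertificate $_ } | Format-List

if ($NewThumbprint) {
    $new   = Get-Item "Cert:\LocalMachine\Remote Desktop\$NewThumbprint" -ErrorAction Stop
    $check = Test-RdpCertificate $new
    # Refuse to bind a certificate that would simply reproduce the finding.
    if (-not ($check.ChainOK -and $check.HasKey -and $check.ServerAuth)) {
        throw "Not binding $NewThumbprint: ChainOK=$($check.ChainOK) HasKey=$($check.HasKey) ServerAuth=$($check.ServerAuth) [$($check.ChainStatus)]"
    }
    Set-CimInstance -InputObject $ts -Property @{ SSLCertificateSHA1Hash = $NewThumbprint }
    $after = (Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
    Write-Host "RDP-Tcp now uses thumbprint: $after"
}
```

The RDP listener runs as NETWORK SERVICE, so that account needs read access to the new certificate's private key or the listener silently falls back to a self-signed certificate and the scanner finding returns. Re-running the audit after the change, and re-scanning port 3389, confirms the presented chain now terminates at a trust anchor.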

All replies

  • Hi,

    1. Can be anything, probably the name of the server.

    2. in the "Remote Desktop" store, since the referenced port is 3389

    3. If you have a policy in place that your internal PKI provides RDP certs, obtain one for each server and install it for RDP (this for reference). Otherwise, advise the Sec team to live with it ;-)


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Wednesday, September 2, 2020 7:42 PM