Airwave 7.2.4 security vulnerability with Anonymous Authentication via SSL
A customer reported that their Airwave 7.2.4 server failed a third-party security audit because anonymous authentication (anonymous Diffie-Hellman cipher suites) was enabled for SSL connections on TCP port 443.
Support's investigation found that pound, the HTTPS front end on this release, had the following cipher configuration:
These are the cipher suites that carry the vulnerability, identified by Au=None: the key exchange is not authenticated, so the server never proves its identity and a man-in-the-middle can intercept the session without triggering any certificate error.
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
The proper configuration for pound (restricting the protocol to SSLv3 and disabling anonymous authentication) should be:
To fix this on existing Airwave 7.2.4 installations, edit /etc/pound.cfg, remove every cipher suite whose name is prefixed with "ADH" from the cipher list, and restart pound so the new list takes effect. Excluding them explicitly in the cipher string (for example with !ADH or !aNULL) is safer than deleting individual names, because a list built from ALL will otherwise pull them back in. This only affects Airwave 7.2.4 at this time, since pound replaced lighttpd in this revision.
Additional information on the available ciphers can be obtained with: openssl ciphers -v 'ALL' (any line showing Au=None is an anonymous suite).
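The check described above, written out as an added example for this article (it is not Aruba's, Airwave's or pound's own code). The cipher lines are a constructed sample in the format of openssl ciphers -v, the hostname in probe_adh is a placeholder, and the placement of pound's Ciphers directive inside the ListenHTTPS block is assumed rather than taken from the affected pound.cfg:

```shell
#!/bin/sh
# Added example (not from the Airwave article or Aruba's own tooling):
# audit an OpenSSL cipher list for anonymous suites the way the article
# identifies them (Au=None), and probe a server for ADH acceptance.

# Constructed sample in the format of "openssl ciphers -v": four suites
# from the article plus two RSA-authenticated suites for contrast.
SAMPLE_CIPHERS='ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5'

# anon_suites: read "openssl ciphers -v" output on stdin and print the name
# of every suite whose authentication column is Au=None (no server identity).
anon_suites() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "Au=None") { print $1; break } }'
}

# count_anon: number of anonymous suites on stdin; 0 means the list is clean.
count_anon() {
    anon_suites | wc -l | tr -d ' '
}

# Cipher string for pound's "Ciphers" directive (assumed to sit inside the
# ListenHTTPS block). !ADH drops the suites the article lists; !aNULL also
# drops any other unauthenticated suite OpenSSL knows; !EXP and !LOW drop the
# 40/56-bit ones. Protocol version is not controlled by this string.
SAFE_CIPHER_STRING='ALL:!ADH:!aNULL:!eNULL:!EXP:!LOW:@STRENGTH'

# audit_cipher_string: expand a cipher string with the local OpenSSL and
# print any anonymous suites it still contains. Requires openssl on PATH.
audit_cipher_string() {
    openssl ciphers -v "$1" | anon_suites
}

# probe_adh: try to negotiate an ADH suite with a live server. Exit status 0
# means the handshake succeeded, i.e. the server still accepts anonymous DH.
# Usage: probe_adh airwave.example.com 443   (hostname is a placeholder)
probe_adh() {
    openssl s_client -connect "$1:$2" -cipher 'ADH' </dev/null >/dev/null 2>&1
}

# Stand-alone run: audit the constructed sample, then the hardened string.
printf '%s\n' "$SAMPLE_CIPHERS" | anon_suites
if [ "$(printf '%s\n' "$SAMPLE_CIPHERS" | count_anon)" -gt 0 ]; then
    echo "sample cipher list contains anonymous suites" >&2
fi
if command -v openssl >/dev/null 2>&1; then
    n=$(audit_cipher_string "$SAFE_CIPHER_STRING" | wc -l | tr -d ' ')
    echo "anonymous suites in hardened string: $n"
fi
```

On the appliance, feed the cipher string from pound.cfg to audit_cipher_string before and after the edit; it should print the ADH suites before and nothing after. probe_adh is the external confirmation an auditor would run: once pound is restarted with the corrected list it must fail, because the server no longer offers any suite without authentication.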