Summary

On March 3rd, 2015, vulnerability CVE-2015-0204, or “FREAK,” was discovered in the OpenSSL protocol. This vulnerability allows a malicious third party to downgrade the security of an SSL connection, potentially decrypting and accessing secure data.

Moka5 server components are affected, but can be protected with configuration changes. This article describes how to protect your Management Servers and Image Store Servers.

Applies to

• Moka5 4.2 - 4.0 Management Server
• Moka5 4.2 - 4.0 Image Store Server

Expected Resolution

This vulnerability will be removed in Moka5 4.3. The server and client infrastructure will each be updated to remove the option for lower-security traffic to be transmitted between them.

Description

On March 3rd, 2015, a vulnerability was discovered in the OpenSSL protocol. This vulnerability (CVE-2015-0204) is codenamed the “Factoring attack on RSA-EXPORT Keys,” or “FREAK” vulnerability. The vulnerability was rated as having a Moderate impact. It allows a malicious third party to downgrade the security of an SSL connection, potentially decrypting and accessing secure data.

When data travels between Moka5 servers and endpoints (such as browsers or clients), it is encrypted and protected by RSA keys. The FREAK vulnerability allows a third party to downgrade the connection between Moka5 servers and clients to use an insecure “export-grade” RSA key. These keys can then be decrypted to reveal protected data.

Moka5 server components are vulnerable to FREAK, but can be protected by disabling the affected SSL cipher in the Management Server’s properties file.

Moka5 client components are also vulnerable to FREAK, but do not need to be updated. Modifying the SSL ciphers in the Management Server’s properties file will protect the client from FREAK, because the client will no longer receive traffic using “export-grade” RSA keys.

How can I protect my data?

Correct this vulnerability by removing the export-grade encryption cipher from the Management Server’s list of accepted ciphers. This will prevent the server from sending protected information with a low-security key.

To remove the cipher, modify the cipher list by editing the "connector.apr.ciphers" property in the Moka5 server installation directory’s "conf" directory.

1. Open the “conf” directory in the Moka5 Server installation directory.
2. Open the connector properties file in a text editor. If you are using default installation settings, the connector properties file will be named "connector-mgmt.properties."
3. Add the following property to the connector properties file:
   connector.apr.ciphers=AES256+EECDH,AES256+EDH,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA256,DHE-RSA-AES128-SHA256,DHE-RSA-AES256-SHA,DHE-RSA-AES128-SHA,ECDHE-RSA-DES-CBC3-SHA,EDH-RSA-DES-CBC3-SHA,AES256-GCM-SHA384,AES128-GCM-SHA256,AES256-SHA256,AES128-SHA256,AES256-SHA,AES128-SHA,DES-CBC3-SHA,HIGH,\!aNULL,\!eNULL,\!EXPORT,\!DES,\!MD5,\!PSK,\!RC4
4. Save the properties file.
5. Restart the server service to finish applying the settings.