Skip to main content
Delphix

TB099 Weak SSL/TLS Key Exchange for the Delphix Connector

 

 

 

Alert Type

Security

Impact

Delphix CVSS v3.1 Score:  7.6

Attack Vector (AV): A

Attack Complexity (AC): H

Privileges Required (PR): H

User Interaction (UI): N

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): H

An attacker that is able to intercept and manipulate the network traffic between a Delphix Continuous Data (Virtualization) Engine and a connected Windows Environment Host (i.e. Man-in-the-Middle attack) could attack the TLS session setup and perform a cipher suite downgrade attack. This could result in the disclosure of the credentials that the Delphix Continuous Data (Virtualization) Engine uses to interact with the Windows Environment Host.

Contributing Factors

This article applies to the following versions of the Delphix Continuous Data (Virtualization) Engine and Delphix Windows Connector:

Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0, 6.0.15.0, 6.0.16.0

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2

5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

 

Delphix Connector Major Release

All Sub Releases

6.0

1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.21.0.0, 1.22.0.0, 123.0.0, 1.24.0.0, 1.25.0.0, 1.26.0.0

5.3

1.13.0, 1.14.0, 1.15.0, 1.16.0

5.2

1.9.0, 1.10.0, 1.11.0, 1.12.0

 

The currently installed Delphix Windows Connector version can be checked by following the steps provided in the 6.0.16 release notes: Checking the Windows Connector Version. As an alternative, PowerShell can be used to determine the version of the installed connector programmatically:

Get-ItemProperty

"HKLM:\SOFTWARE\$_\Microsoft\Windows\CurrentVersion\Uninstall\*"

| Where-Object { $_.DisplayName -eq 'DelphixConnector' } |

Select-Object -Expand DisplayVersion;

Symptoms

Weak ciphers identified on Environment Host by internal vulnerability scans.

Relief/Workaround

You can take steps to minimize the likelihood of abuse of this vulnerability by ensuring that networks are engineered and monitored to detect and prevent network based interception attacks. In addition, consider upgrading the Delphix Engine and the Windows Connector.

Resolution

This is addressed in the 6.0.17 release which includes updates to both the Delphix Continuous Data (Virtualization) Engine and Delphix Windows Connector; however, updates to the Delphix connector must be installed in a separate and subsequent step to upgrading the Delphix Engine. To mitigate the cipher suite downgrade vulnerability it is technically only necessary to upgrade the Delphix Engine. However, if you want to remove the weak cipher suite found from your internal vulnerability scans, you must upgrade the Delphix Connector to version 1.27.0.0. The updated connector is provided with the 6.0.17 release of the Delphix Engine.