Root CA SHA1 + Misc PenTest Results
Good afternoon fellow firewallers!
I'm currently poking around with some vulnerability scans on our internal network, and the following items came up on the box running the Watchguard Management Server software:
Port 4109: weak signature algorithm (SHA1)
Port 4130: weak signature algorithm (SHA1)
Port 4130: Deprecated TLS1.0/TLS 1.1 detected
Port 4130: Missing 'HttpOnly' Cookie Attribute
Port 4130: Missing 'Secure' Cookie Attribute
Port 4112: weak signature algorithm (SHA1)
Regarding the SHA1 issues, it seems these stem from the Watchguard Root CA that's installed when installing Watchguard management server. A fresh install on a test VM seems to use SHA256 for the root CA, so I presume that the SHA1-signed version I currently have is a carryover from an earlier version that has persisted through updates. However, I don't see any way of regenerating it from the UI (I already tried regenerating the management server cert, and that got an SHA1 signature), nor can I find any instructions in the documentation. Is there a supported method of replacing this with an SHA256-signed version?
With respect to the TLS1.0/1.1 and missing cookie attributes, can anything be done about those currently? I presume I can modify the apache config to remove the TLS versions, but will that have any adverse effect?
Thanks as always!
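For the TLS 1.0/1.1 and cookie-attribute findings on port 4130, the following is an added example of the kind of Apache change involved; it is not from the original post or from WatchGuard, and it assumes the listener is served by Apache httpd 2.4 with mod_ssl and mod_headers loaded (the actual config file path and directive names on the management server are not given on the page and are a placeholder here).

```apache
# File path is an assumption; locate the real vhost config for the 4130 listener.
# --- Weak settings (what a scanner flags) ---
# <VirtualHost *:4130>
#     SSLEngine on
#     SSLProtocol all                 # still allows TLSv1 and TLSv1.1
#     # no Set-Cookie hardening: cookies leave without HttpOnly / Secure
# </VirtualHost>

# --- Corrected settings ---
<VirtualHost *:4130>
    SSLEngine on

    # Disable every protocol, then re-enable only TLS 1.2 and 1.3.
    # Caveat: any client that cannot negotiate TLS 1.2 will fail to connect
    # after this change, so verify the management client against a test
    # instance before applying it in production.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on

    # Add HttpOnly and Secure to Set-Cookie headers that lack them.
    # The negative-lookahead regex avoids appending a duplicate flag when the
    # application already sets it. "always" also covers error responses.
    Header always edit Set-Cookie (?i)^((?:(?!;\s?HttpOnly).)+)$ "$1; HttpOnly"
    Header always edit Set-Cookie (?i)^((?:(?!;\s?Secure).)+)$  "$1; Secure"
</VirtualHost>
```

After restarting httpd, re-run the scan (or `openssl s_client -tls1_1 -connect host:4130`, which should now fail the handshake) to confirm the findings are cleared rather than just assumed fixed.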