Root CA SHA1 + Misc PenTest Results

Good afternoon fellow firewallers!

I'm currently poking around with some vulnerability scans on our internal network, and the following items came up on the box running the Watchguard Management Server software:

Port 4109: weak signature algorithm (SHA1)
Port 4130: weak signature algorithm (SHA1)
Port 4130: Deprecated TLS1.0/TLS 1.1 detected
Port 4130: Missing 'HttpOnly' Cookie Attribute
Port 4130: Missing 'Secure' Cookie Attribute
Port 4112: weak signature algorithm (SHA1)

Regarding the SHA1 issues, it seems these stem from the Watchguard Root CA that's installed when installing Watchguard management server. A fresh install on a test VM seems to use SHA256 for the root CA, so I presume that the SHA1-signed version I currently have is a carryover from an earlier version that has persisted through updates. However, I don't see any way of regenerating it from the UI (I already tried regenerating the management server cert, and that got an SHA1 signature), nor can I find any instructions in the documentation. Is there a supported method of replacing this with an SHA256-signed version?

With respect to the TLS1.0/1.1 and missing cookie attributes, can anything be done about those currently? I presume I can modify the apache config to remove the TLS versions, but will that have any adverse effect?

Thanks as always!
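Added example, not from this thread or from WatchGuard: a stdlib-only Python check that connects to one of the flagged ports (assumed helper names `check_port` and `signature_oid`), pulls the leaf certificate the service presents and reads the signatureAlgorithm OID straight out of the DER, so the SHA1 finding on 4109/4130/4112 can be confirmed without the scanner. `sample_cert` builds a constructed DER skeleton, not a real certificate, so the parser can be exercised offline.

```python
import socket
import ssl

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # reported as "weak signature algorithm (SHA1)"
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                 "1.2.840.10040.4.3": "dsaWithSHA1"}
SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")    # DER OID 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # DER OID 1.2.840.113549.1.1.11

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID content bytes -> dotted notation (base-128 subidentifiers)."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def signature_oid(der):
    """Outer signatureAlgorithm OID of a DER X.509 cert: this is what the scanner flags."""
    _, cert_start, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, cert_start)               # tbsCertificate, skipped as a whole
    _, alg_start, _ = _tlv(der, tbs_end)                # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])

def check_port(host, port, timeout=5):
    """Fetch the leaf cert a TLS port presents; return (oid, weak-name-or-None)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspect only, no trust decision
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    oid = signature_oid(der)
    return oid, SHA1_SIG_OIDS.get(oid)

def sample_cert(oid_der):
    """Constructed DER skeleton (NOT a real certificate) carrying the given signatureAlgorithm."""
    tbs = bytes.fromhex("3003020102")                   # tbsCertificate stand-in: SEQUENCE { INTEGER 2 }
    alg = bytes([0x30, len(oid_der) + 2]) + oid_der + b"\x05\x00"  # SEQUENCE { OID, NULL }
    body = tbs + alg + bytes.fromhex("03020000")        # + empty BIT STRING for signatureValue
    return bytes([0x30, len(body)]) + body
```

`check_port("<management-server>", 4130)` returns the OID plus its name when it is SHA-1 based; only the leaf is inspected, since `getpeercert` does not expose the rest of the chain.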



    What version of WSM are you using?

    edited January 2023

    12.8.2 - same as what I used with the test VM fresh install

    james.carson Moderator, WatchGuard Representative

    Hi @Chris_Kelly

    The easiest way to deal with the cert issue is to stand up a new server and migrate the firewalls over to it. Replacing the cert will cause all the firewalls to fail to connect due to a cert mismatch, and you'd need to go touch each firewall in order to correct that in Setup -> Managed device settings. Standing up a new server allows you to move the appliances in a controlled manner over to the new server.

    TLS can be modified in the apache server settings, but if you have any older firewalls (12.4 or so, or older) they may have trouble connecting if you modify this.

    The certs presented on 4130 aren't specifically all for webpages, so depending on what cert you're seeing, this may not be possible. I'd suggest opening a support case with your results if you'd like to delve into that more.

    -James Carson
    WatchGuard Customer Support


    Thanks for the response James, always appreciated :)

    I've only got 2 firewalls to worry about, so I may just switch both of them to unmanaged, uninstall the existing server and re-install it fresh. Presumably this will have the same effect?

    Would there be any way of preserving/carrying over the configuration change history for the boxes and the configuration templates?

    Thanks again!

    james.carson Moderator, WatchGuard Representative

    Unfortunately, the config history is going to be part of the backup file that also contains the certs, so it's not going to be possible to do this. Management server will basically replace itself with the entire backup file if it's restored.

    Management server does save config histories in the directory that the server is installed in (there should be a configs folder) -- however, the folders are just serialized in the order the firewalls were added to the server, so moving the folders over won't index them into the history properly.

    If you need to retain the config history for the time being, I'd suggest making a backup file and holding onto that until you build a config history on the new server.

    -James Carson
    WatchGuard Customer Support
