Alert Logic has released an update to the Update Certificate remediation and related exposures to make it easier for customers to address or dismiss these items based on their preferences. With this change, the Update Certificate remediation and related exposures for the Remote Desktop Protocol (RDP) service have been separated from non-RDP exposures/remediations, allowing you to manage TLS and SSL certificate exposures separately for RDP and non-RDP ports.
What is the Update Certificate remediation?
The purpose of the Update Certificate remediation is to alert customers when TLS/SSL certificates need to be updated to resolve up to 27 related exposures, such as the “TLS.SSL Self-signed Certificate” exposure. These exposures can be found on multiple ports on an affected asset, including both non-RDP and RDP ports.
With this release, two Update Certificate remediations are now available, one for non-RDP exposures and one for RDP exposures. To make this possible, the 27 related exposures have also been separated, creating 27 new exposures specifically for RDP, while the original 27 exposures remain for non-RDP assets.
You can check for this remediation in the Alert Logic console at (navigation menu) > Respond > Exposures. To view exposures, click the View drop-down and select Exposures.
Why is this change being made?
Many customers are not concerned when these exposures are found for the RDP service (commonly run on TCP port 3389), since an RDP Gateway can be used in front of the asset. However, you may want to address or resolve TLS and SSL exposures for non-RDP ports (such as port 443) and have the Update Certificate remediation return once the certificates expire or new assets are detected with non-RDP ports.
Previously, since only one remediation was available for both non-RDP and RDP ports, customers could not dispose of only the RDP exposures. This resulted in customers either dismissing the remediation for ALL ports or excluding RDP ports from scanning, both of which eliminated more exposures than desired.
Now, two Update Certificate remediations are available to allow customers to address TLS/SSL exposures independently for non-RDP and RDP ports.
When will I see this change?
You may be seeing this change already, depending on when your scans execute. Once your next scans complete, any SSL vulnerabilities that were previously disposed of on RDP ports will surface again in the Exposures and Remediations views to allow you to address them appropriately.
For example, if you disposed of the SSL.TLS Self-signed Certificate exposure (that was only on port 3389), it will now appear on the Exposures page as “SSL.TLS Self-signed Certificate on RDP” and the new Update Certificate for RDP remediation will display when viewing remediations. Any existing SSL vulnerabilities on non-RDP services that were previously disposed of will not be affected.