Azure application gateway (SSL Certificate – Signature verification Failed Vulnerability and SSL Certificate – Subject Common Name Does Not Match server FQDN)

Rafael Campos 1 Reputation point
2022-03-24T18:39:39.27+00:00

I have an Azure Application Gateway with WAF which has many backends, but Qualys did a scan on several IPs associated with this Azure Application Gateway and found vulnerabilities like (SSL Certificate – Signature verification Failed Vulnerability and SSL Certificate – Subject Common Name Does Not Match server FQDN). Does anyone know about these vulnerabilities? These vulnerabilities are new to me.

Thank you very much


1 answer

  1. GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee
    2022-03-28T10:46:58.967+00:00

    Hello @Rafael Campos ,

    I understand that you had a Qualys scan on your Application gateway WAF and found a vulnerability like "SSL Certificate – Signature verification Failed Vulnerability and SSL Certificate – Subject Common Name Does Not Match server FQDN" and would like to know more information about this vulnerability.

    The SSL related issues/vulnerabilities are very likely related to your certificate in the backend server/pool of Application gateway.
    I've seen the below Qualys scan vulnerability, which advises fixing this issue by installing a server certificate whose Subject commonName or subjectAltName matches the server FQDN.

    Title:
    SSL Certificate - Subject Common Name Does Not Match Server FQDN

    Threat:
    An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
    A certificate whose Subject commonName or subjectAltName does not match the server FQDN offers only encryption without authentication.
    Please note that a false positive reporting of this vulnerability is possible in the following case:
    If the common name of the certificate uses a wildcard such as *.somedomainname.com and the reverse DNS resolution of the target IP is not configured. In this case there is no way for Qualys to associate the wildcard common name to the IP. Adding a reverse DNS lookup entry to the target IP will solve this problem.

    Impact:
    A man-in-the-middle attacker can exploit this vulnerability in tandem with a DNS cache poisoning attack to lure the client to another server, and then steal all the encrypted communication.

    Solution:
    Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN.

    For more information and how to fix the invalid common name issue for Application gateway, you could follow the below troubleshooting doc:
    https://video2.skills-academy.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-certificate-invalid-common-name-cn

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
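The name check that the Qualys finding above describes can be reproduced locally. The following is an added example, not code from the thread or from Microsoft: it applies the RFC 6125 matching rules (subjectAltName preferred over CN, wildcard only as the whole leftmost label covering exactly one label, an IP target matched only by an iPAddress SAN) to a certificate in the dictionary form that Python's `ssl` module returns from `getpeercert()`. The sample certificate, the `contoso.example` names and the `203.0.113.10` address are constructed for the demo. `fetch_peer_cert()` is the live variant: calling it with the gateway's IP and no `server_name` sends no SNI, which is how a scan by IP reaches the gateway, so the certificate it returns is the one the scanner saw; calling it with the listener's FQDN as `server_name` shows what a real client gets. Chain validation in that helper uses the system trust store, so a self-signed backend certificate would need a custom context.

```python
"""Reproduce the 'Subject Common Name Does Not Match Server FQDN' check.
Added example; not part of the original Q&A thread."""
from __future__ import annotations

import ipaddress
import socket
import ssl


def _label_match(pattern: str, name: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a wildcard is allowed only
    as the entire leftmost label and covers exactly one label, so
    '*.contoso.example' matches 'www.contoso.example' but neither
    'contoso.example' nor 'api.eu.contoso.example'."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == n_labels[1:]


def cert_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_addresses) from a getpeercert()-style dict.
    The Subject CN is consulted only when the certificate carries no dNSName
    SAN entries, which is how modern clients (and the Qualys check) behave."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def name_matches(cert: dict, target: str) -> bool:
    """True when the certificate covers `target`. A bare IP target (what a
    scanner given only an address uses) is covered only by an iPAddress SAN;
    a CN or dNSName never matches an IP, which is the finding in the thread."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(_label_match(p, target) for p in dns)
    return any(ipaddress.ip_address(i) == ip for i in ips)


def scan_target_names(target: str) -> list[str]:
    """Names a scanner handed `target` could try: the target itself and, for an
    IP, its reverse-DNS name. Without a PTR record a wildcard cert has nothing
    to match, the false-positive case the Qualys text mentions. Network call."""
    names = [target]
    try:
        ipaddress.ip_address(target)
        names.append(socket.gethostbyaddr(target)[0])
    except (ValueError, socket.herror, socket.gaierror):
        pass
    return names


def fetch_peer_cert(host: str, port: int = 443, server_name: str | None = None) -> dict:
    """Connect to host:port and return the leaf certificate as a dict.
    server_name=None sends no SNI (an IP-based scan); pass the listener FQDN
    to see the certificate a browser would get. Hostname checking is left to
    name_matches(); chain validation uses the system trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


# Constructed sample, not a real certificate: the dict getpeercert() would
# return for a wildcard certificate issued to *.contoso.example.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.contoso.example"),),),
    "subjectAltName": (("DNS", "*.contoso.example"), ("DNS", "contoso.example")),
}


def demo() -> dict[str, bool]:
    """Evaluate the sample certificate against names a scan might use."""
    targets = ("www.contoso.example", "contoso.example",
               "api.eu.contoso.example", "203.0.113.10")
    return {t: name_matches(SAMPLE_CERT, t) for t in targets}


if __name__ == "__main__":
    for target, ok in demo().items():
        print(f"{target:26} {'OK' if ok else 'MISMATCH (scanner would flag)'}")
```

Run against your own gateway with `fetch_peer_cert("<gateway IP>")` and `fetch_peer_cert("<gateway IP>", server_name="<listener FQDN>")`; if the first returns a certificate whose names do not cover any entry of `scan_target_names("<gateway IP>")` while the second is fine, the finding is the IP-versus-FQDN scanning artefact the answer describes rather than a misconfigured listener, and a PTR record for the public IP (or scanning by FQDN) clears it.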

