Description

EnforceFilePermissions.psm1 computes hashes with MD5, which is not compliant with the FIPS security setting in Windows. This causes the MID Server Issue error 'This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms'.

This script implements the "File permission access" feature mentioned in the Orlando MID Server release notes.

The script's purpose is to lock down the folder permissions of the "agent" folder and its sub-folders to just:

  • SYSTEM
  • Builtin/Administrators (local Administrators)
  • if applicable, the specific user running the MID Server Windows service ("Log on as" user)

Steps to Reproduce

  1. Install a MID Server on a Windows Server with FIPS enabled
  2. Check the MID Server Issues table for the MID Server, and you see this error:
Issue source: MIDFilePermEnforcer

Short Description:
An unexpected error occurred: Exception calling "Create" with "1" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At C:\ServiceNow\Prod_Disco_MID\agent\bin\scripts\EnforceFilePermissions.psm1:365 char:5
+ $algorithm = [System.Security.Cryptography.HashAlgorithm]::Create('MD5')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException

You cannot call a method on a null-valued expression.
At C:\ServiceNow\Prod_Disco_MID\agent\bin\scripts\EnforceFilePermissions.psm1:368 char:5
+ $algorithm.ComputeHash($bytes) |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

Workaround

This problem is currently under review. You can contact ServiceNow Technical Support or subscribe to this Known Error article by clicking the Subscribe button at the top right of this form to be notified when more information becomes available.

As a workaround, you can avoid this security concern by using SHA1 instead of MD5 for building hashes.

Follow the steps below to enable SHA1 for hashing:

  1. Log in to the MID Server host
  2. Stop the MID Server service
  3. Go to the MID Server agent > bin > scripts folder.
  4. Open the EnforceFilePermissions.psm1 PowerShell module file and find the line below in the script. (This should be around line 365.)
    $algorithm = [System.Security.Cryptography.HashAlgorithm]::Create('MD5')
  5. Replace the above line with the following:
    $algorithm = [System.Security.Cryptography.HashAlgorithm]::Create('SHA1')
  6. Save the file and restart the MID Server service

Note: This error should only prevent the file system permission enforcement from happening, but it should not prevent the MID Server from working properly.

The workaround is temporary: this file is bundled with the MID Server and not synced from the instance, so it will be overwritten during the next upgrade or patch and the change will need to be re-applied.
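
Because the edit has to be repeated after each upgrade or patch, steps 4 and 5 can be scripted. The following is an added example, not ServiceNow code: it reports whether the FIPS policy is enforced, confirms the replacement algorithm can be created under it, and then swaps the Create('MD5') call while keeping a backup. The default $AgentRoot path and the .md5.bak backup name are assumptions; stop the MID Server service first (step 2) and restart it afterwards (step 6).

```powershell
# Added example, not ServiceNow code. Run in an elevated Windows PowerShell
# session while the MID Server service is stopped.
param(
    # Assumed install path; point this at your own MID Server "agent" folder.
    [string]$AgentRoot = 'C:\ServiceNow\MID\agent',
    [string]$Replacement = 'SHA1'
)

$module = Join-Path $AgentRoot 'bin\scripts\EnforceFilePermissions.psm1'

# True when the Windows FIPS policy is enforced for this .NET Framework process.
$fips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
Write-Host "FIPS-only algorithms enforced: $fips"

# Returns $true if HashAlgorithm.Create() can instantiate the named algorithm
# under the current policy (the call that fails at line 365 of the module).
function Test-HashAlgorithm([string]$Name) {
    try {
        $alg = [System.Security.Cryptography.HashAlgorithm]::Create($Name)
        if ($null -eq $alg) { return $false }
        $alg.Dispose()
        return $true
    } catch {
        return $false
    }
}

foreach ($name in 'MD5', $Replacement) {
    Write-Host ("{0,-6} usable: {1}" -f $name, (Test-HashAlgorithm $name))
}
if (-not (Test-HashAlgorithm $Replacement)) {
    throw "$Replacement cannot be created under the current policy; file not changed."
}

# Replace only the Create('MD5') call, keeping a copy of the original file.
$pattern = "HashAlgorithm\]::Create\('MD5'\)"
$text = Get-Content -LiteralPath $module -Raw
if ($text -notmatch $pattern) {
    Write-Host "No Create('MD5') call found in $module; nothing to change."
    return
}
Copy-Item -LiteralPath $module -Destination "$module.md5.bak" -Force
$text -replace $pattern, "HashAlgorithm]::Create('$Replacement')" |
    Set-Content -LiteralPath $module -NoNewline
Write-Host "Patched $module (backup: $module.md5.bak)"
```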


Related Problem: PRB1383368

Seen In

Orlando Patch 1
SR - IRM - Audit Management - New York 2019 Q3
SR - IRM - GRC Profiles - Madrid 2019 Q2
SR - IRM - GRC Workbench - New York 2019 Q3
SR - IRM - Policy and Compliance - Madrid 2019 Q2
SR - IRM - Risk Management - New York 2019 Q3
SR - IRM - Vendor Risk Management - Madrid 2019 Q1
SR - ITBM - Agile 2.0 Dashboards v1.0
SR - ITBM - Scrum Dashboards Common v1.0
SR - ITOM - CMDB CI Class Models - 201908
SR - ITOM - Discovery and Service Mapping - 201908
SR - PAR - Performance Analytics Content Pack for Service Portal - v1.0
SR - Security - Integration Framework - Madrid 2019 Q2
SR - Security - Support Common - Madrid 2019 Q2
SR - Security - Support Orchestration - Madrid 2019 Q2
SR - SIR - ArcSight Logger Integration - Madrid 2019 Q1
SR - SIR - Security Incident Response - Madrid 2019 Q2
SR - SIR - Security Incident Response UI Patch - London 2019 Q2 v.6.2.3
SR - SIR - Store SecOps Setup Assistant - Madrid 2019 Q2
SR - SIR - Store Threat Core - Madrid 2019 Q2
SR - SIR - Store Trusted Security Circles Client - New York 2019 Q3
SR - SIR - Threat intelligence - New York 2019 Q3

Fixed In

Orlando Patch 7
Paris

Article Information

Last Updated: 2020-09-17 07:37:30
Published: 2020-07-30