We've contracted with IBM to perform some threat analysis of our network.
We get these Qualys reports of our vulnerabilities.
One vulnerability is that our SSL Server Supports Weak Encryption
Vulnerability.
What does one do about this?
Details of threat are below:
Level 3 SSL Server Supports Weak Encryption Vulnerability port 2005/tcp
over SSL
QID: 38140
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 05/28/2009
User Modified: -
Edited: No
THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication
between a client and a server.
SSL encryption ciphers are classified based on encryption key length as
follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits
Messages encrypted with LOW encryption ciphers are easy to decrypt.
Commercial SSL servers should only support MEDIUM or HIGH strength
ciphers to guarantee transaction security.
The following link provides more information about this vulnerability:
Analysis of the SSL 3.0 protocol (http://www.schneier.com/paper-ssl-revised.pdf)
Please note that this detection only checks for weak cipher support at the
SSL layer. Some servers may implement additional protection at the data
layer. For example, some SSL servers and SSL proxies (such as SSL
accelerators) allow cipher negotiation to complete but send back an error
message and abort further communication on the secure channel. This
vulnerability may not be exploitable for such configurations.
IMPACT:
An attacker can exploit this vulnerability to decrypt secure
communications without authorization.
SOLUTION:
Disable support for LOW encryption ciphers.
Apache
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the
following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl include the following line in the configuration file
(httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Tomcat
sslProtocol="SSLv3"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
IIS
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030) (Windows restart required)
How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
(http://support.microsoft.com/default.aspx?scid=kb;en-us;187498) (Windows restart required)
Security Guidance for IIS (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
For Novell Netware 6.5 please refer to the following document:
SSL Allows the use of Weak Ciphers. -TID10100633
(http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm)
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
CIPHER                   KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION(KEY-STRENGTH)  GRADE
SSLv3 WEAK CIPHERS
EDH-RSA-DES-CBC-SHA      DH            RSA             SHA1  DES(56)                   LOW
EXP-EDH-RSA-DES-CBC-SHA  DH(512)       RSA             SHA1  DES(40)                   LOW
DES-CBC-SHA              RSA           RSA             SHA1  DES(56)                   LOW
EXP-DES-CBC-SHA          RSA(512)      RSA             SHA1  DES(40)                   LOW
EXP-RC4-MD5              RSA(512)      RSA             MD5   RC4(40)                   LOW
Rob Berendt
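
Added example, not part of the original post or of the scanner's output: a small parser for the RESULTS rows above that re-grades each suite by the key-length rule in the THREAT section and reports which exclusion in the quoted cipher string (`!LOW` or `!EXP`) removes it. The function names are hypothetical, and the mapping to `!LOW`/`!EXP` assumes OpenSSL's cipher-string classes.

```python
import re

# Sample input: header and rows copied from the RESULTS section of the report.
REPORT_ROWS = """\
CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE
SSLv3 WEAK CIPHERS
EDH-RSA-DES-CBC-SHA DH RSA SHA1 DES(56) LOW
EXP-EDH-RSA-DES-CBC-SHA DH(512) RSA SHA1 DES(40) LOW
DES-CBC-SHA RSA RSA SHA1 DES(56) LOW
EXP-DES-CBC-SHA RSA(512) RSA SHA1 DES(40) LOW
EXP-RC4-MD5 RSA(512) RSA MD5 RC4(40) LOW
"""

# name, key exchange, authentication, MAC, ALG(bits), grade
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\w+)\((\d+)\)\s+(\w+)$")

def grade(bits):
    """Grade by key length exactly as the report's THREAT section defines it."""
    if bits > 128:
        return "HIGH"
    return "MEDIUM" if bits == 128 else "LOW"

def excluded_by(name, bits):
    """Exclusion in the report's cipher string that removes this suite.
    Assumption: OpenSSL naming, where export suites carry an EXP- prefix
    (class EXP) and non-export sub-128-bit suites fall in class LOW."""
    if name.startswith("EXP-"):
        return "!EXP"
    return "!LOW" if bits < 128 else None

def parse_results(text):
    findings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # skips the column header and the "SSLv3 WEAK CIPHERS" line
            continue
        name, kx, auth, mac, alg, bits, reported = m.groups()
        bits = int(bits)
        findings.append({"cipher": name, "kx": kx, "bits": bits,
                         "grade": grade(bits), "reported": reported,
                         "excluded_by": excluded_by(name, bits)})
    return findings

if __name__ == "__main__":
    for f in parse_results(REPORT_ROWS):
        print(f"{f['cipher']:<26}{f['bits']:>4} bits  {f['grade']:<7}{f['excluded_by']}")
```

Any row whose `excluded_by` comes back as `None` would be a suite the quoted cipher string does not remove.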