Funny... 2005 is part of the admin server. Open a DCR and ask for strong
encryption there...
But really? Do you let 2005 and 2001 through your firewall? I wouldn't.
If it's not visible from outside your network, I wouldn't be that
concerned, unless you have "gangstas" inside trying to crack into your
admin instance. Then it becomes physical security... from where could
you access those ports kind of question.
On 02/16/2011 02:55 PM, rob@xxxxxxxxx wrote:
We've contracted with IBM to perform some threat analysis of our network.
We get these qualsys reports of our vulnerabilities.
One vulnerability is that our SSL Server Supports Weak Encryption
Vulnerability.
What does one do about this?
Details of threat are below:
Level 3 SSL Server Supports Weak Encryption Vulnerability port 2005/tcp
over SSL
QID: 38140
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 05/28/2009
User Modified: -
Edited: No
THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication
between a client and a server.
SSL encryption ciphers are classified based on encryption key length as
follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits
Messages encrypted with LOW encryption ciphers are easy to decrypt.
Commercial SSL servers should only support MEDIUM or HIGH strength
ciphers to guarantee transaction security.
The following link provides more information about this vulnerability:
Analysis of the SSL 3.0 protocol (http://www.schneier.com/paper-ssl-revised.pdf)
Please note that this detection only checks for weak cipher support at the
SSL layer. Some servers may implement additional protection at the data
layer. For example, some SSL servers and SSL proxies (such as SSL
accelerators) allow cipher negotiation to complete but send back an error
message and abort further communication on the secure channel. This
vulnerability may not be exploitable for such configurations.
IMPACT:
An attacker can exploit this vulnerability to decrypt secure
communications without authorization.
SOLUTION:
Disable support for LOW encryption ciphers.
Apache
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the
following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl include the following line in the configuration
(httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Tomcat
sslProtocol="SSLv3"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
IIS
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols
in Schannel.dll
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030) (Windows
restart required)
How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet
Information Services
(http://support.microsoft.com/default.aspx?scid=kb;en-us;187498) (Windows
restart required)
Security Guidance for IIS
(http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
For Novell Netware 6.5 please refer to the following document:
SSL Allows the use of Weak Ciphers. - TID10100633
(http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm)
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
CIPHER                   KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION(KEY-STRENGTH)  GRADE
SSLv3 WEAK CIPHERS
EDH-RSA-DES-CBC-SHA      DH            RSA             SHA1  DES(56)                   LOW
EXP-EDH-RSA-DES-CBC-SHA  DH(512)       RSA             SHA1  DES(40)                   LOW
DES-CBC-SHA              RSA           RSA             SHA1  DES(56)                   LOW
EXP-DES-CBC-SHA          RSA(512)      RSA             SHA1  DES(40)                   LOW
EXP-RC4-MD5              RSA(512)      RSA             MD5   RC4(40)                   LOW
Rob Berendt
--
"When I die, I want to die like my grandmother who died peacefully
in her sleep. Not screaming like all the passengers in her car."
- Author Unknown
===========================================================
R Bruce Hoffman
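An added example, not from the thread or from Qualys: it parses the RESULTS block quoted in Rob's report, applies the report's own key-length grading rule (>128 HIGH, 128 MEDIUM, <128 LOW), and additionally flags export-grade 512-bit key exchanges, which the GRADE column does not consider. The two MEDIUM/HIGH rows at the end of the sample are constructed for contrast.

```python
import re

# Constructed sample of a Qualys QID 38140 RESULTS block: the five rows from
# the report above plus two rows added here for contrast (not in the report).
SAMPLE_RESULTS = """\
CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE
SSLv3 WEAK CIPHERS
EDH-RSA-DES-CBC-SHA DH RSA SHA1 DES(56) LOW
EXP-EDH-RSA-DES-CBC-SHA DH(512) RSA SHA1 DES(40) LOW
DES-CBC-SHA RSA RSA SHA1 DES(56) LOW
EXP-DES-CBC-SHA RSA(512) RSA SHA1 DES(40) LOW
EXP-RC4-MD5 RSA(512) RSA MD5 RC4(40) LOW
RC4-SHA RSA RSA SHA1 RC4(128) MEDIUM
DES-CBC3-SHA RSA RSA SHA1 3DES(168) HIGH
"""

# One data row: cipher, key exchange, auth, MAC, ENC(bits), grade.
ROW_RE = re.compile(
    r"^(?P<cipher>\S+)\s+(?P<kex>\S+)\s+(?P<auth>\S+)\s+(?P<mac>\S+)\s+"
    r"(?P<enc>[A-Z0-9]+)\((?P<bits>\d+)\)\s+(?P<grade>\S+)$"
)
KEX_RE = re.compile(r"\((\d+)\)")  # e.g. "RSA(512)" -> 512

def grade_by_key_length(bits):
    """Grading rule stated in the report: >128 HIGH, ==128 MEDIUM, <128 LOW."""
    if bits > 128:
        return "HIGH"
    if bits == 128:
        return "MEDIUM"
    return "LOW"

def parse_results(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # header line and protocol banners carry no cipher
            continue
        row = m.groupdict()
        row["bits"] = int(row["bits"])
        row["computed_grade"] = grade_by_key_length(row["bits"])
        kex_bits = KEX_RE.search(row["kex"])
        # The report grades on symmetric key length only; an export-grade
        # 512-bit RSA/DH key exchange is a second weakness worth surfacing.
        row["weak_kex"] = bool(kex_bits and int(kex_bits.group(1)) < 1024)
        rows.append(row)
    return rows

def ciphers_to_disable(text):
    """Cipher names graded LOW or using an export-grade key exchange."""
    return [r["cipher"] for r in parse_results(text)
            if r["computed_grade"] == "LOW" or r["weak_kex"]]
```

Run `ciphers_to_disable()` over a real Qualys export to get the exact list of suites to exclude in SSLCipherSuite or the Tomcat ciphers attribute.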