SSL Medium Strength Cipher Suites Supported (SWEET32)
Supporting medium strength cipher suites, specifically those vulnerable to the SWEET32 attack, poses a significant security risk to data transmitted over SSL/TLS. These cipher suites use 64-bit block ciphers such as 3DES, and a 64-bit block means that block collisions become likely after roughly 2^32 blocks (about 32 GB) have been encrypted under one key. On a long-lived connection that carries enough traffic, an attacker who can observe it can use those collisions (a birthday attack) to recover sensitive plaintext, such as session cookies.
- Severity: High
The continued use of medium strength cipher suites, particularly 3DES and Blowfish, can lead to:
- Data Disclosure: Successful exploitation allows attackers to intercept and decrypt HTTPS traffic, gaining access to sensitive data.
- Loss of Data Integrity: Potential for data tampering and unauthorized actions within a user session.
- Compliance Failures: Non-compliance with security standards and regulations requiring strong encryption practices.
This vulnerability is primarily caused by:
- Legacy Compatibility: Continued support for older cipher suites to maintain compatibility with legacy systems.
- Misconfiguration: Incorrect server configuration that does not prioritize strong cipher suites.
- Lack of Security Awareness: Insufficient awareness about the risks associated with older, weaker encryption algorithms.
Implementing strong encryption practices and phasing out vulnerable cipher suites are critical steps to mitigate this vulnerability.
- Disable Weak Ciphers:
  - Update the server configuration to disable medium strength cipher suites, particularly those using 64-bit block ciphers like 3DES and Blowfish.
- Configure Preferred Cipher Suites:
  - Explicitly specify stronger cipher suites in your server configuration. For example, prefer AES with key sizes of 128 bits or higher.
  - Use server directives to specify cipher order, so that the most robust ciphers are negotiated first.
- Regular Security Audits:
  - Conduct regular audits and vulnerability assessments to identify and address configurations that permit weak ciphers.
  - Use tools like SSL Labs' SSL Test to evaluate the server's SSL configuration and make necessary adjustments.
Disabling Medium Strength Ciphers in Apache:
Edit your Apache SSL configuration to exclude medium strength ciphers:

```apache
# Allow only TLS 1.2 and later; SSLv3, TLS 1.0 and TLS 1.1 are removed
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# HIGH-grade suites only; drop anonymous key exchange, MD5-based MACs and 3DES
# (3DES is excluded explicitly because OpenSSL releases before 1.1.0 still count it as HIGH)
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
# Let the server's preference order, not the client's, decide the negotiated suite
SSLHonorCipherOrder on
```

Restart Apache to apply the changes:

```shell
sudo systemctl restart apache2
```
Testing Cipher Suite Configuration:
Verify that the server no longer supports medium strength ciphers using the following OpenSSL command:

```shell
openssl s_client -connect yourserver.com:443 -tls1_2 -cipher 3DES
```

The -cipher list only governs TLS 1.2 and earlier, so pin the protocol with -tls1_2; otherwise a server that supports TLS 1.3 can complete the handshake with a TLS 1.3 AEAD suite and mask the result. If the server is properly configured, the handshake fails (OpenSSL reports a handshake failure alert) because the client offers nothing the server accepts. A successful connection whose output shows a DES-CBC3 suite means the weak cipher is still enabled.
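The two checks above (auditing the SSLCipherSuite string and probing a server with only 64-bit block suites) can be scripted so they run as part of a regular audit. The script below is an added example written for this entry, not code from the original page or from any project it references. It assumes Python 3.8 or later with the ssl module, that the local OpenSSL build is the one that expands the cipher string, and that the host and port passed on the command line belong to a server you administer (the default "yourserver.com" is a placeholder). The server probe disables certificate verification on purpose, because it tests cipher negotiation, not server identity.

```python
"""Audit an Apache-style cipher string and probe a server for SWEET32-class
(64-bit block) cipher suites.  Added example; not part of the original page.
Assumptions: Python 3.8+, local OpenSSL decides what a cipher string expands
to, and the probed host is one you administer (placeholder name below)."""
import re
import socket
import ssl
import sys

# Ciphers with a 64-bit block: DES, 3DES (DES-EDE), IDEA, RC2, Blowfish.
# Names are matched in OpenSSL style (DES-CBC3-SHA) and IANA style
# (TLS_RSA_WITH_3DES_EDE_CBC_SHA) after normalising '_' to '-'.  The lookbehind
# stops "DES" matching inside other tokens while still matching "3DES", since
# the preceding character there is a digit, not a letter.
_SIXTY_FOUR_BIT_BLOCK = re.compile(r"(?<![A-Z])DES|IDEA|RC2|BF-|BLOWFISH")

# OpenSSL cipher-string aliases that select exactly those 64-bit block ciphers.
SWEET32_CIPHER_STRING = "3DES:DES:IDEA:RC2"


def is_64bit_block_suite(name: str) -> bool:
    """True if the suite name denotes a cipher with a 64-bit block."""
    return _SIXTY_FOUR_BIT_BLOCK.search(name.upper().replace("_", "-")) is not None


def flag_64bit_block_suites(names):
    """Return the subset of suite names that use a 64-bit block cipher."""
    return [n for n in names if is_64bit_block_suite(n)]


def suites_enabled_by(cipher_string: str):
    """Expand an OpenSSL cipher string (the value of Apache's SSLCipherSuite)
    into the TLS <= 1.2 suites it enables, as the local OpenSSL interprets it.
    TLS 1.3 suites are excluded because the cipher string does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects no suite at all
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string: str) -> dict:
    """Summarise a cipher string: how many suites it enables and which are SWEET32-class."""
    enabled = suites_enabled_by(cipher_string)
    return {"enabled": len(enabled), "sweet32": flag_64bit_block_suites(enabled)}


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Offer the server only 64-bit block suites over TLS <= 1.2 and report
    whether it accepts one.  Mirrors `openssl s_client -tls1_2 -cipher 3DES`
    without a TLS 1.3 handshake masking the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # negotiation test, not an identity test
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(SWEET32_CIPHER_STRING)
    except ssl.SSLError:
        return {"host": host, "vulnerable": None,
                "detail": "local OpenSSL has no 64-bit block suites; cannot probe"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                return {"host": host, "vulnerable": True,
                        "detail": f"accepted {name} over {version}"}
    except ssl.SSLError as exc:
        # Handshake refused: the server offers none of the weak suites.
        return {"host": host, "vulnerable": False, "detail": str(exc)}
    except OSError as exc:
        return {"host": host, "vulnerable": None, "detail": f"connection error: {exc}"}


if __name__ == "__main__":
    # Usage: python sweet32_check.py [host] [port]; host is a placeholder you replace
    print("Cipher string audit:", audit_cipher_string("HIGH:!aNULL:!MD5:!3DES"))
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print("Server probe:", probe_server(sys.argv[1], port))
```

The audit half runs offline and is useful before deploying a configuration change: feed it the exact SSLCipherSuite value and confirm the sweet32 list is empty. The probe half reports `vulnerable: None` rather than a false "pass" when the check cannot run, for example when the local OpenSSL build has no 64-bit block suites to offer.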