SSL Medium Strength Cipher Suites Supported (SWEET32)
Hello,
How do I resolve this to avoid use of medium strength ciphers?
SSL Medium Strength Cipher Suites Supported (SWEET32)
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
SSL Medium Strength Cipher Suites Supported (SWEET32)
Medium 5.0 Reconfigure the affected application if possible to avoid use of medium strength ciphers.
1 Affected Host(s): 162.241.152.48
Initial Detection: 2021-10-04 19:40 UTC
Latest Detection: 2021-10-08 21:26 UTC
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
SSL RC4 Cipher Suites Supported (Bar Mitzvah)
Medium 5.0 Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
1 Affected Host(s): 162.241.152.48
Initial Detection: 2021-10-04 19:40 UTC
Latest Detection: 2021-10-08 21:26 UTC
Description: The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext.
Hey there! Is this the result of a PCI scan? If so, can you let me know what service this was flagged on?
Thanks for that - that's exactly what I needed to see. The reference number for that specific issue is CVE-2016-2183, which is 5 years old. We can see in the following article that versions 6 and 7 of the operating system, RedHat or CentOS, were not affected, as this only affected older machines with insecure OpenSSL tools:
OK, and what about the SSH Server CBC Mode Ciphers Enabled? So I should report it as a false positive instead of doing something that would prevent the scan from seeing that in the first place?
Most likely yes - the way many operating systems work is that they update through a process called "backporting" - in many cases, this causes fixes to be applied even though the version number of the software doesn't update. It's possible the scanning tool is just looking at the version of the software on the machine and not actually checking the CVEs themselves.
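Added example (not posted by anyone in this thread): a Python check that applies the scan report's own definitions of the SWEET32 and RC4 findings to a list of cipher suites, and to an OpenSSL cipher string as expanded by the local library. The sample suites and the `HARDENED` string are constructed assumptions, and the check inspects configuration offline rather than what a remote host actually negotiates.

```python
import ssl

SWEET32 = "SWEET32 (3DES / medium strength)"
BAR_MITZVAH = "Bar Mitzvah (RC4)"

def classify(name, strength_bits):
    """Findings from the report above that one cipher suite would trigger."""
    upper = name.upper()
    findings = []
    # Report wording: 64 <= key length < 112 bits, or any 3DES suite.
    # 3DES is commonly reported with 112-bit strength, which the range
    # alone would miss, so it is matched by name.
    if "3DES" in upper or "DES-CBC3" in upper or 64 <= strength_bits < 112:
        findings.append(SWEET32)
    if "RC4" in upper:
        findings.append(BAR_MITZVAH)
    return findings

def audit_suites(suites):
    """Map suite name -> findings for every flagged (name, strength_bits) pair."""
    flagged = {}
    for name, bits in suites:
        hits = classify(name, bits)
        if hits:
            flagged[name] = hits
    return flagged

def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local library and audit it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return audit_suites(
        (c["name"], c.get("strength_bits", 0)) for c in ctx.get_ciphers()
    )

# Constructed sample: suites a server might offer before reconfiguration.
SAMPLE_BEFORE = [
    ("ECDHE-RSA-AES128-GCM-SHA256", 128),
    ("DES-CBC3-SHA", 112),
    ("ECDHE-RSA-DES-CBC3-SHA", 112),
    ("RC4-SHA", 128),
]
# Assumed hardened string, following the report's "TLS 1.2 with AES-GCM" advice.
HARDENED = "ECDHE+AESGCM:!3DES:!RC4:!aNULL"

if __name__ == "__main__":
    for name, hits in audit_suites(SAMPLE_BEFORE).items():
        print(f"{name}: {', '.join(hits)}")
    print("hardened string flagged:", audit_cipher_string(HARDENED) or "nothing")
```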