PCI Fails - Sweet32 on Ports 2083/2087
Today, my PCI scan failed because of the same issue Sweet32. However, this time it is on ports 2087 and 2083. I've changed nothing for 3 months and all was good. What did cpanel change that would have caused this?
CVE-2016-2183
Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
Port: tcp/2083
Port: tcp/2087
This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Triple DES (3DES) block ciphers with a block size of 64 bits have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.
NOTE: Cipher block size must not be confused with key length. DES / 3DES ciphers are vulnerable because they always operate on 64 bit blocks regardless of the key length. If this vulnerability is detected, and in the list of detected ciphers you see only entries with numbers different than 64 (e.g. TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA), the detection is still valid, because '112 bits' is the key length.
CVE: CVE-2016-2183
NVD: CVE-2016-2183
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N
Service: http
Application: cpanel:cpanel
Reference:
CVE-2016-2183 - Red Hat Customer Portal
Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN
The SWEET32 Issue, CVE-2016-2183 - OpenSSL Blog
Evidence:
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA
Hi eglwolf,

It looks like you've already found one of the threads that concerns this issue: SOLVED - PCI Scan Fails On Web Services Ports

Have you tried updating the cipher suite at WHM > Service Configuration > cPanel Web Services Configuration to one provided in the thread? SOLVED - PCI Scan Fails On Web Services Ports

Could you also confirm your current cPanel version and OS release? My test box shows this CVE patched in the openssl package:

# rpm -q openssl --changelog|grep -A1 2016-2183
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to 112 bit effective strength

We also have an internal case (CPANEL-11108) concerning disabling these ciphers by default, which was implemented in cPanel 66.

Thanks,
I made this change and it worked. I believe the recent cpanel update reset these settings that we previously had which caused it to fail.

cPanel Web Services Configuration > TLS/SSL Cipher List:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5
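The two things worth checking before and after a change like the one above are (a) which suites in the scanner's evidence are actually 64-bit block ciphers, and (b) whether a cipher list really excludes them, including the case where the list is built from OpenSSL group keywords such as HIGH (whose membership depends on the OpenSSL build; OpenSSL 1.0.x placed DES-CBC3-SHA in HIGH) rather than from explicit suite names. The script below is an added example for this thread, not cPanel's or the scanner's code. It assumes OpenSSL cipher-suite naming and OpenSSL cipher-list syntax ("!" permanently removes a suite or group); the evidence text and the cipher list are constructed copies of what is quoted in the posts above.

```python
"""Audit OpenSSL cipher-list strings and scanner evidence for Sweet32-affected suites.

Added example; assumes OpenSSL suite names (DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, ...)
and OpenSSL cipher-list syntax. Run with: python3 sweet32_audit.py
"""
import re

# Substrings that identify a 64-bit block cipher in an OpenSSL suite name.
# AES and ChaCha20 suite names never contain these, so they are not flagged.
BLOCK64_MARKERS = ("DES-CBC3", "3DES", "DES-CBC", "IDEA", "RC2")

# OpenSSL group keywords. What they expand to depends on the OpenSSL build,
# so a list that uses them is only known-safe with an explicit !3DES / !DES.
GROUP_KEYWORDS = {
    "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL", "HIGH", "MEDIUM",
    "LOW", "EXP", "EXPORT", "aNULL", "eNULL", "NULL", "kRSA", "aRSA", "RSA",
    "kDHE", "kEDH", "DHE", "EDH", "kECDHE", "kEECDH", "ECDHE", "EECDH", "AES",
    "AESGCM", "CHACHA20", "3DES", "DES", "RC4", "MD5", "SHA", "SHA1", "SHA256",
    "SHA384", "SSLv3", "TLSv1", "TLSv1.2",
}

# Constructed copy of the scanner evidence quoted in the thread.
SCAN_EVIDENCE = """\
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA
"""

# The WHM cipher list posted as the fix in the thread.
WHM_CIPHER_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5"
)

EVIDENCE_RE = re.compile(r"Cipher Suite:\s*(\S+)\s*:\s*(\S+)")


def uses_64bit_block(entry: str) -> bool:
    """True if a suite name or group keyword denotes a 64-bit block cipher."""
    return entry in ("DES", "3DES") or any(m in entry for m in BLOCK64_MARKERS)


def parse_cipher_list(spec: str) -> dict:
    """Split an OpenSSL cipher-list string into enabled entries and '!' exclusions.

    Entries prefixed with '-' are dropped but could be re-added later in the
    list, so only '!' counts as a real exclusion here.
    """
    enabled, excluded = [], set()
    for item in filter(None, re.split(r"[:,\s]+", spec)):
        if item.startswith("!"):
            excluded.add(item[1:])
        elif not item.startswith("-"):
            enabled.append(item.lstrip("+"))
    return {"enabled": enabled, "excluded": excluded}


def audit_cipher_list(spec: str) -> dict:
    """Report enabled 64-bit suites and group keywords left unresolved by a missing !3DES."""
    parsed = parse_cipher_list(spec)
    excludes_3des = bool({"3DES", "DES"} & parsed["excluded"])
    offending = [e for e in parsed["enabled"] if uses_64bit_block(e)]
    groups = [e for e in parsed["enabled"] if e in GROUP_KEYWORDS and not uses_64bit_block(e)]
    return {
        "offending": offending,
        "unresolved_groups": [] if excludes_3des else groups,
        "excludes_3des": excludes_3des,
    }


def sweet32_safe(spec: str) -> bool:
    """True only when no 64-bit suite is enabled and no group keyword is left unresolved."""
    result = audit_cipher_list(spec)
    return not result["offending"] and not result["unresolved_groups"]


def parse_scan_evidence(text: str) -> list:
    """Return (protocol, suite) pairs from 'Cipher Suite: <proto> : <suite>' lines."""
    return EVIDENCE_RE.findall(text)


def flagged_evidence(text: str) -> list:
    """Suites in the scanner evidence that use a 64-bit block cipher."""
    return [suite for _proto, suite in parse_scan_evidence(text) if uses_64bit_block(suite)]


if __name__ == "__main__":
    print("Scanner evidence, 64-bit block suites:", flagged_evidence(SCAN_EVIDENCE))
    print("Posted WHM list safe:", sweet32_safe(WHM_CIPHER_LIST))
    print("'HIGH:!aNULL' audit:", audit_cipher_list("HIGH:!aNULL"))
```

The posted list passes because every enabled entry is an explicit AES or ChaCha20 suite and 3DES is also excluded with "!". A list such as HIGH:!aNULL is reported as unresolved rather than safe, because whether HIGH contains DES-CBC3-SHA cannot be decided from the string alone; on the server itself, openssl ciphers -v '<list>' shows the actual expansion for the installed OpenSSL.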