| Field | Value |
|---|---|
| TC | 12052 |
| Description | SSL/TLS is a transport-layer protocol that provides confidentiality for communications. The protocol itself is sound, but a misconfigured server can negotiate a cipher suite whose symmetric key is too short to resist brute force (40- or 56-bit "export-grade" encryption). An attacker who can capture the traffic between a client and the server can recover the session key by brute force and decrypt the whole session. This is a vulnerability in the SSL/TLS layer, not in the application layer: the check tests only which cipher suites the server agrees to negotiate, and does not take into account restrictions enforced by the encapsulated protocol or by third-party filters applied after the handshake. |
| TC Impact | Gather Info |
| Vulnerability Publication | Unknown |
| Advisory Copyright | Unknown |
| Summary | An attacker could decrypt your communications and gain access to confidential information. |
| Risk | Medium |
| CVSS 2.0 metrics | Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None (AV:N/AC:M/Au:N/C:P/I:N/A:N) |
| CVSS 2.0 Base Score | 4.3 |
| Vulnerability Impact | Gather Info Attack |
| Host Impact | Disclosure of private information. |
| Nature of Remediation | Change the configuration. |

Steps required to fix the reported vulnerability:
***** Solution type: Update Configuration *****

Change the server configuration so that the SSL/TLS stack refuses every cipher suite with an effective key length below 128 bits. The restriction must be enforced in the SSL/TLS layer itself (the set of cipher suites the server is willing to negotiate during the handshake), not by a third-party tool that inspects the negotiated cipher after the connection has been established: by that point the weak session key has already been agreed and the traffic can be captured and decrypted. Many SSL/TLS implementations exist, so consult the vendor for the exact configuration change. See the references for instructions specific to particular products, including Microsoft Schannel and F5 BIG-IP. After the change, verify from the network side by attempting a handshake that offers only weak suites; a correctly configured server aborts the handshake instead of negotiating one.
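The following Python script is an added example; it is not part of the advisory and not any vendor's configuration. It shows both halves of the remediation: a function that classifies cipher suites by effective key strength, using the record layout returned by Python's `ssl.SSLContext.get_ciphers()`, run over a constructed list of suites (two 40-bit export suites, 56-bit single DES, 112-bit triple DES and two strong suites), and a server context whose OpenSSL cipher string refuses anything below 128 bits, audited with the same function. The cipher string, the 128-bit threshold and the sample cipher list are this example's own choices; the sample list is constructed, not captured from any server.

```python
"""Classify TLS cipher suites by effective key strength and build an
OpenSSL-backed server context that refuses anything weaker than 128 bits.

Added example, not from the advisory. Standard library only. The cipher
records use the same dict layout that ssl.SSLContext.get_ciphers() returns,
so the classifier works on a live context as well as on the sample below.
"""
import ssl

# The advisory's threshold: refuse ciphers with fewer than 128 bits.
MIN_BITS = 128

# Constructed sample in get_ciphers() layout (not captured from a server).
# The 40- and 56-bit suites are exactly what the advisory flags; 3DES (112
# effective bits) also falls below the threshold; the last two are fine.
SAMPLE_CIPHERS = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40, "alg_bits": 128},
    {"name": "EXP-DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 40, "alg_bits": 56},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56, "alg_bits": 56},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3", "strength_bits": 112, "alg_bits": 168},
    {"name": "AES128-SHA", "protocol": "TLSv1.0", "strength_bits": 128, "alg_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256, "alg_bits": 256},
]

# OpenSSL cipher string chosen for this example: HIGH keeps suites with
# 128-bit or longer keys; the exclusions drop export, single and triple DES,
# RC4, MD5-based MACs and suites without certificate authentication.
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP"


def weak_ciphers(ciphers, min_bits=MIN_BITS):
    """Return the names of suites whose effective strength is below min_bits.

    'strength_bits' is the effective key length (40 for export suites even
    though RC4 uses a 128-bit key), which is the figure that matters here.
    """
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def hardened_server_context():
    """Server-side context that only negotiates suites of 128 bits or more."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSLv3 and earlier are gone by default on current Python builds; pin the
    # floor explicitly so the setting survives a change of defaults.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHER_STRING)
    return ctx


def context_weak_ciphers(ctx, min_bits=MIN_BITS):
    """Audit a live SSLContext: names of enabled suites below min_bits."""
    return weak_ciphers(ctx.get_ciphers(), min_bits)


def audit_cipher_string(cipher_string, min_bits=MIN_BITS):
    """Audit an OpenSSL cipher string before deploying it.

    Raises ssl.SSLError if the string selects no cipher at all, which is
    itself a misconfiguration worth catching before restart.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return context_weak_ciphers(ctx, min_bits)


if __name__ == "__main__":
    print("weak suites in constructed sample:", weak_ciphers(SAMPLE_CIPHERS))
    print("weak suites in hardened context:", context_weak_ciphers(hardened_server_context()))
```

The classifier intentionally looks at `strength_bits` rather than `alg_bits`: an export suite such as EXP-RC4-MD5 runs RC4 with a 128-bit key of which only 40 bits are secret, and it is the 40 bits that an attacker has to brute-force. A practical caveat when using `audit_cipher_string` on a modern host: current OpenSSL builds no longer compile in the 40- and 56-bit suites, so a permissive cipher string may audit clean on the scanning machine while the target server, on an older library, still offers them. The server-side verification therefore has to be done against the server itself, for example with `openssl s_client -cipher 'EXPORT:LOW:!aNULL' -connect host:443` (if the local OpenSSL can still offer those suites) or `nmap --script ssl-enum-ciphers -p 443 host`, both of which report what the server actually accepts.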
References:

* MISC: RFC 2246, http://www.ietf.org/rfc/rfc2246.txt
* MSKB: How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll, http://support.microsoft.com/default.aspx?scid=kb;en-us;245030
* MISC: Secure Socket Layer, http://www.windowsecurity.com/articles/Secure_Socket_Layer.html
* XF: ssl-weak-cipher-choice (31423), http://xforce.iss.net/xforce/xfdb/31423
* MSKB: How to control the ciphers for SSL and TLS, http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
* MISC: Enforcing strong SSL/TLS ciphers, http://plynt.com/blog/2007/12/enforcing-strong-ssltls-cipher/
* MISC: BigIP - Restricting Weak Ciphers, http://www.routerzone.eu/wiki/index.php/Restricting_Weak_SSL_Ciphers,_F5_BigIP
CVE Link: GENERIC-MAP-NOMATCH (no CVE identifier maps to this check)
Glossary: HTTPS, IIS, Information Disclosure, SSL, TLS, Weak Encryption, Web browser, Web Server