Project

General

Profile

Actions

Bug #4070

closed

Vulnerability SSL Weak Ciphers

Added by Koen de Boeve about 10 years ago. Updated almost 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
12/03/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.1.5
Affected Architecture:

Description

openvas reports vulnerability:

Vulnerability Detection Result
Weak ciphers offered by this service:
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
TLS1_RSA_RC4_128_MD5
TLS1_RSA_RC4_128_SHA
Solution
The configuration of this services should be changed so that it does not support the listed weak ciphers anymore.

Vulnerability Insight
These rules are applied for the evaluation of the cryptographic strength:

- Any SSL/TLS using no cipher is considered weak.

- All SSLv2 ciphers are considered weak due to a design flaw within the SSLv2 protocol.

- RC4 is considered to be weak.

- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak.

- 1024 bit RSA authentication is considered to be insecure and therefore as weak.

- CBC ciphers in TLS < 1.2 are considered to be vulnerable to the BEAST or Lucky 13 attacks

- Any cipher considered to be secure for only the next 10 years is considered as medium

- Any other cipher is considered as strong

Actions #1

Updated by Chris Buechler almost 10 years ago

  • Status changed from New to Resolved
  • Target version set to 2.2

SSLv3 was disabled already in 2.2, I disabled the RC4 options a bit later in 2.2.

Actions

Also available in: Atom PDF