Coordinator Point Server (CPS) SSL/TLS Vulnerabilities (SWEET32, RC4, 3DES, DH)

book

Article ID: 100063232

calendar_today

Updated On:

Description

Error Message

Security Scan reports the following vulnerabilities.

TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566) TLS/SSL Server Supports 3DES Cipher Suite TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication Diffie-Hellman group smaller than 2048 bits

Using nmap for the same scan.

# nmap -sV --script ssl-enum-ciphers -p 443

--CUT--

| warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Key exchange (dh 1024) of lower strength than certificate key

Cause

Vulnerable Cipher Suite being allowed

Resolution

Update the cipher suites configuration to disable vulnerable cipher suites, and restart the CPSSG group.

1. Update /etc/vxcps_ssl.properties .

From:

openSSL.server.cipherList = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

To:

openSSL.server.cipherList = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH:!RC4:!3DES:!DHE

2. Restart CPSSG group.

# hagrp -offline CPSSG -any
# hagrp -online CPSSG -any

Issue/Introduction

Coordinator Point Server (CPS) SSL Vulnerabilities (SWEET32, RC4, 3DES, DH)

Was this article helpful?

thumb_up Yes

thumb_down No

Welcome to "KB Articles"