SOLVED PCI Fails - Sweet32 on Ports 2083/2087

eglwolf

Well-Known Member
Jan 1, 2004
Today, my PCI scan failed because of the same issue, Sweet32. However, this time it is on ports 2087 and 2083. I've changed nothing for 3 months and all was good. What did cPanel change that would have caused this?

CVE-2016-2183
Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

Port: tcp/2083
Port: tcp/2087

This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Triple DES (3DES) block ciphers with a block size of 64 bits have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.

NOTE: Cipher block size must not be confused with key length. DES / 3DES ciphers are vulnerable because they always operate on 64-bit blocks regardless of the key length. If this vulnerability is detected, and in the list of detected ciphers you see only entries with numbers different than 64 (e.g. TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA), the detection is still valid, because '112 bits' is the key length.

CVE: CVE-2016-2183
NVD: CVE-2016-2183
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N

Service: http
Application: cpanel:cpanel
Reference:
CVE-2016-2183 - Red Hat Customer Portal
Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN
The SWEET32 Issue, CVE-2016-2183 - OpenSSL Blog
Evidence:
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA

cPWilliamL

cP Technical Analyst II
Staff member
May 15, 2017
cPanel Access Level
Root Administrator
Hi eglwolf,

It looks like you've already found one of the threads that concerns this issue:
SOLVED - PCI Scan Fails On Web Services Ports

Have you tried updating the cipher suite at WHM > Service Configuration >cPanel Web Services Configuration to one provided in the thread?:
SOLVED - PCI Scan Fails On Web Services Ports

Could you also confirm your current cPanel version and OS release? My test box shows this CVE patched in the openssl package:
Code:
# rpm -q openssl --changelog|grep -A1 2016-2183
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
  112 bit effective strength
We also have an internal case (CPANEL-11108) concerning disabling these ciphers by default, which was implemented in cPanel 66.

Thanks,

eglwolf

Well-Known Member
Jan 1, 2004
190
0
166
I made this change and it worked. I believe the recent cPanel update reset these settings that we previously had, which caused it to fail.

cPanel Web Services Configuration
TLS/SSL Cipher List
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5
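The following script is an added example, not code from this thread or from cPanel. It ties together the scanner evidence quoted in the first post and the WHM cipher list posted as the fix: it picks the 64-bit block suites out of "Cipher Suite:" evidence lines, expands a cipher string through the OpenSSL linked into Python's ssl module to confirm no such suite survives, and offers the same 3DES-only handshake a PCI scanner performs against a host and port such as 2083 or 2087. The function names are my own, the evidence text is a constructed sample in the layout the scanner used, and which names a cipher string resolves to depends on the local OpenSSL build (OpenSSL 1.1.0 and later drop the 3DES suites unless built with enable-weak-ssl-ciphers).

```python
"""Sweet32 (CVE-2016-2183) checks for a cPanel/WHM cipher list and scanner output.

Added example, not code from the forum thread or from cPanel. Function names
are hypothetical; the only dependency is the OpenSSL behind Python's ssl
module, which decides which names in a cipher string actually resolve.
"""
import re
import socket
import ssl

# Name fragments of the 64-bit block ciphers that occur in OpenSSL suite names.
# A scanner reports 3DES as "112 bits" (key strength); Sweet32 is about the
# block size, so these are flagged regardless of the bit count shown.
SWEET32_MARKERS = ("DES-CBC", "IDEA", "RC2")

# The WHM "TLS/SSL Cipher List" posted as the fix, verbatim from the thread.
FIXED_CIPHER_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5"
)

# Constructed sample in the layout of the scanner evidence quoted in the thread.
SAMPLE_EVIDENCE = """\
Evidence:
Cipher Suite: TLSv1_2 : ECDHE-RSA-AES256-GCM-SHA384
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA
"""

EVIDENCE_RE = re.compile(r"Cipher Suite:\s*(\S+)\s*:\s*(\S+)")


def is_sweet32(suite_name):
    """True if the OpenSSL suite name uses a 64-bit block cipher."""
    return any(marker in suite_name for marker in SWEET32_MARKERS)


def parse_evidence(text):
    """Return (protocol, suite) pairs from scanner 'Cipher Suite:' lines."""
    return EVIDENCE_RE.findall(text)


def weak_in_evidence(text):
    """Suite names in the evidence that explain a Sweet32 finding."""
    return [suite for _proto, suite in parse_evidence(text) if is_sweet32(suite)]


def resolve_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string to the suite names the local OpenSSL enables.

    Uses ssl.SSLContext.set_ciphers(), so the answer reflects the OpenSSL this
    interpreter links against. TLS 1.3 suites are listed as well, because the
    cipher string does not control them in OpenSSL.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def remaining_sweet32(cipher_string):
    """64-bit block suites a cipher string still enables; [] means it is clean."""
    return [name for name in resolve_cipher_string(cipher_string) if is_sweet32(name)]


def probe_3des(host, port, timeout=5.0):
    """Offer a server only 3DES suites, the way the PCI scanner does.

    Returns True if the server completes a handshake with a 64-bit block
    cipher, False if it refuses, None if the local OpenSSL cannot offer 3DES.
    This is a live network check and is not exercised by the examples below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # testing cipher negotiation, not identity
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.3 suites ignore set_ciphers(); cap the version so a TLS 1.3
    # handshake cannot mask a server that still accepts 3DES under TLS 1.2.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
    except ssl.SSLError:
        return None                     # local OpenSSL built without 3DES
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return is_sweet32(tls.cipher()[0])
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("Scanner evidence explained by:", weak_in_evidence(SAMPLE_EVIDENCE))
    print("Sweet32 suites in the WHM list:", remaining_sweet32(FIXED_CIPHER_LIST))
    # Expanding 'ALL' shows whether this OpenSSL can offer 3DES at all.
    print("Sweet32 suites this OpenSSL can offer:", remaining_sweet32("ALL"))
```

Run `probe_3des("example.com", 2083)` (hypothetical host) against the cPanel port after changing the WHM list and restarting the cpsrvd service; a result of `False` is what the rescan needs, while `None` means the machine you probe from cannot offer 3DES itself and is not a valid vantage point for this check. Note that the WHM list above is clean because it only names AES and ChaCha20 suites explicitly; the trailing `!DES:!3DES` rules are belt and braces, and they would be the only protection if the list had started from an alias such as `HIGH` or `ALL`.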