SSL Medium Strength CipherSuites Supported(SWEET32)

Oct 11, 2021
8
0
1
USA
cPanel Access Level
Root Administrator
Hello,

how do I resolve to avoid use of medium strength ciphers?

SSL Medium Strength Cipher Suites Supported (SWEET32)
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
SSL Medium Strength Cipher


Suites Supported


(SWEET32)


Medium 5.0 Reconfigure the affected application if possible to avoid use of medium strength ciphers.


1 Affected Host(s): 162.241.152.48


Initial Detection: 2021-10-04 19:40 UTC


Latest Detection: 2021-10-08 21:26 UTC


Description: The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as


any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.


Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.


SSL RC4 Cipher Suites Supported


(Bar Mitzvah)


Medium 5.0 Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM


suites subject to browser and web server support.


1 Affected Host(s): 162.241.152.48


Initial Detection: 2021-10-04 19:40 UTC


Latest Detection: 2021-10-08 21:26 UTC


Description: The remote host supports the use of RC4 in one or more cipher suites.


The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into


the stream, decreasing its randomness.


If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts,


the attacker may be able to derive the plaintext.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,491
1,008
313
cPanel Access Level
Root Administrator
Thanks for that - that's exactly what I needed to see.

The reference number for that specific issue is CVE-2016-2183, which is 5 years old. We can see in the following article that versions 6 and 7 of the operating system, RedHat or CentOS, were not affected, as this only affected older machines with insecure OpenSSL tools:


If you run the following command on your server, you will likely see this patch included in the OpenSSL updates:

Code:
rpm -q openssl --changelog | grep CVE-2016-2183
If you do get output from that command, I would reach out to your scanning service to let them know this is a false positive.
 
Oct 11, 2021
8
0
1
USA
cPanel Access Level
Root Administrator
ok and what about the SSH Server CBC Mode Ciphers Enabled?
so I should report it as a false positive instead of doing something that would prevent the scan from seeing that in the first place?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,491
1,008
313
cPanel Access Level
Root Administrator
Most likely yes - the way many operating systems work is that they update through a process called "backporting" - in many cases, this causes fixes to be applied even though the version number of the software doesn't update. It's possible the scanning tool is just looking at the version of the software on the machine and not actually checking the CVEs themselves.