SSL Medium Strength CipherSuites Supported(SWEET32)

Oct 11, 2021
USA
cPanel Access Level
Root Administrator
Hello,

How do I resolve this to avoid the use of medium strength ciphers?

SSL Medium Strength Cipher Suites Supported (SWEET32)
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
SSL Medium Strength Cipher Suites Supported (SWEET32)
Medium 5.0 Reconfigure the affected application if possible to avoid use of medium strength ciphers.
1 Affected Host(s): 162.241.152.48
Initial Detection: 2021-10-04 19:40 UTC
Latest Detection: 2021-10-08 21:26 UTC
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.

SSL RC4 Cipher Suites Supported (Bar Mitzvah)
Medium 5.0 Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
1 Affected Host(s): 162.241.152.48
Initial Detection: 2021-10-04 19:40 UTC
Latest Detection: 2021-10-08 21:26 UTC
Description: The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext.

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Thanks for that - that's exactly what I needed to see.

The reference number for that specific issue is CVE-2016-2183, which is 5 years old. We can see in the following article that versions 6 and 7 of the operating system, RedHat or CentOS, were not affected, as this only affected older machines with insecure OpenSSL tools:


If you run the following command on your server, you will likely see this patch included in the OpenSSL updates:

Code:
rpm -q openssl --changelog | grep CVE-2016-2183
If you do get output from that command, I would reach out to your scanning service to let them know this is a false positive.
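Added example (not from the thread, cPanel, or Tenable): a Python check that applies the two Nessus definitions quoted in the report above, medium strength (3DES, or 64 to 111 key bits) and RC4, to `openssl ciphers -v` style output. The sample lines are constructed, not captured from the host in the report; feeding it the real output of `openssl ciphers -v <your cipher string>` shows which suites the server's configuration still permits, independently of which CVEs the package changelog lists.

```python
import re

# Constructed sample in the format of `openssl ciphers -v` output; it is not a
# capture from the server discussed in the thread.
SAMPLE_CIPHERS = """\
TLS_AES_256_GCM_SHA384       TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA       SSLv3   Kx=ECDH     Au=RSA  Enc=3DES(168)   Mac=SHA1
DES-CBC3-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
RC4-SHA                      SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=SHA1
DES-CBC-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=DES(56)     Mac=SHA1
EXP-RC4-MD5                  SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)     Mac=MD5  export
"""

# Bulk cipher and key length, e.g. "Enc=3DES(168)"; "Enc=None" carries no length.
ENC_RE = re.compile(r"Enc=(?P<alg>[A-Za-z0-9-]+)(?:\((?P<bits>\d+)\))?")


def classify(line):
    """Map one `openssl ciphers -v` line to (suite_name, set_of_findings).

    'SWEET32' is the Nessus "medium strength" rule quoted in the thread: 3DES,
    or a key length of at least 64 and less than 112 bits.  'RC4' is any suite
    whose bulk cipher is RC4 (the "Bar Mitzvah" finding).  Empty set = clean.
    Note that 3DES reports 168 bits, so it must be matched by name, not length.
    """
    name = line.split()[0]
    m = ENC_RE.search(line)
    if m is None:
        raise ValueError("no Enc= field in line: " + line)
    alg = m.group("alg")
    bits = int(m.group("bits")) if m.group("bits") else 0
    findings = set()
    if alg == "3DES" or 64 <= bits < 112:
        findings.add("SWEET32")
    if alg == "RC4":
        findings.add("RC4")
    return name, findings


def audit(ciphers_v_output):
    """Return {suite: findings} for every suite that triggers a finding."""
    report = {}
    for line in ciphers_v_output.splitlines():
        if line.strip():
            name, findings = classify(line)
            if findings:
                report[name] = findings
    return report
```

A 56-bit DES suite is deliberately not flagged: it falls below the 64-bit floor of the medium strength definition and is reported by a different Nessus plugin.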
 
Oct 11, 2021
USA
cPanel Access Level
Root Administrator
OK, and what about the SSH Server CBC Mode Ciphers Enabled?
So I should report it as a false positive instead of doing something that would prevent the scan from seeing that in the first place?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Most likely yes - the way many operating systems work is that they update through a process called "backporting" - in many cases, this causes fixes to be applied even though the version number of the software doesn't update. It's possible the scanning tool is just looking at the version of the software on the machine and not actually checking the CVEs themselves.