The Community Forums

SOLVED Sweet32 (CVE-2016-2183)

Discussion in 'Security' started by grayloon, Nov 1, 2016.

  1. grayloon

    grayloon Well-Known Member

    Joined:
    Oct 31, 2007
    Messages:
    102
    Likes Received:
    2
    Trophy Points:
    68
    Location:
    Evansville, IN
    cPanel Access Level:
    Root Administrator
    A recent scan from TrustWave is listing this vulnerability.

    Details: This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Triple DES (3DES) block ciphers with a block size of 64 bits have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker who is able to capture a large amount of encrypted network traffic can recover sensitive plain text data.

    Remediation: This issue can be avoided by disabling block ciphers of 64-bit length (like DES/3DES) in all the SSL/TLS servers. The exact procedure depends on the actual implementation. Please refer to the documentation of your SSL/TLS server software.

    Can anyone confirm that the Apache SSL Cipher Suite should change from:
    To:
    I wasn't sure if all DES-CBC3 ciphers should be removed or just the last one in the list.
     
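The question above is really "which tokens in the SSLCipherSuite string still select a 64-bit block cipher, and what does the string look like once they are gone?" The following is an added example, not code from this thread, from Trustwave or from cPanel: it tokenises an Apache/OpenSSL cipher string the way OpenSSL does, flags every suite or alias that selects a 64-bit block cipher (DES-CBC3/3DES, single DES, and also IDEA and RC2, which share the same block size even though the Trustwave finding names only DES/3DES), and emits a hardened string with those tokens dropped and `!3DES:!DES` appended so that aliases such as `HIGH` cannot reintroduce them. The sample cipher string and the function names are constructed for the example; it also works out the traffic bound the report's "2 to the power of 32" refers to.

```python
"""Audit an Apache/OpenSSL SSLCipherSuite string for Sweet32 (CVE-2016-2183).

Added example; not code from the forum thread, Trustwave, or cPanel. It
parses the colon-separated cipher string the way OpenSSL tokenises it,
flags every token that selects a 64-bit block cipher, and returns a
hardened string with those tokens dropped and explicit exclusions appended.
"""

import re
from typing import List, Tuple

# OpenSSL suite-name fragments that identify a 64-bit block cipher.
# DES-CBC3 is 3DES and DES-CBC is single DES; IDEA and RC2 have the same
# 64-bit block size and fall under the same birthday bound, even though the
# Trustwave finding only names DES/3DES.
SMALL_BLOCK_MARKERS = ("DES-CBC3", "DES-CBC", "IDEA", "RC2")
# Bare OpenSSL cipher aliases that select those same families.
SMALL_BLOCK_ALIASES = {"3DES", "DES", "IDEA", "RC2"}
# Exclusions appended so that aliases such as HIGH, MEDIUM or DEFAULT cannot
# pull a 64-bit block suite back in (3DES sat inside HIGH on older OpenSSL).
SWEET32_EXCLUSIONS = ("!3DES", "!DES")


def uses_small_block_cipher(token: str) -> bool:
    """True if a positive cipher token selects a 64-bit block cipher suite.

    `token` is one SSLCipherSuite element without its '!', '-' or '+' prefix,
    e.g. 'ECDHE-RSA-DES-CBC3-SHA' or the alias '3DES'.
    """
    return token in SMALL_BLOCK_ALIASES or any(m in token for m in SMALL_BLOCK_MARKERS)


def audit_cipher_string(cipher_string: str) -> Tuple[List[str], str]:
    """Return (flagged_tokens, hardened_cipher_string).

    Tokens prefixed with '!' or '-' are already removals and are kept as-is;
    '+' (reorder) and unprefixed tokens are the ones that can enable a suite.
    OpenSSL separates tokens with ':', ',' or whitespace.
    """
    tokens = [t for t in re.split(r"[:,\s]+", cipher_string.strip()) if t]
    flagged, kept = [], []
    for tok in tokens:
        prefix = tok[0] if tok[0] in "!-+" else ""
        name = tok[len(prefix):]
        if prefix in ("", "+") and uses_small_block_cipher(name):
            flagged.append(tok)
        else:
            kept.append(tok)
    for excl in SWEET32_EXCLUSIONS:
        if excl not in kept:
            kept.append(excl)
    return flagged, ":".join(kept)


def birthday_bound_bytes(block_bits: int) -> int:
    """Bytes an attacker must capture under one key before a block collision
    is expected: 2**(n/2) blocks of n/8 bytes each. For a 64-bit block that
    is 2**32 blocks (about 32 GiB); for AES's 128-bit block it is 2**64 blocks,
    which is why AES suites are out of reach of this attack."""
    return (2 ** (block_bits // 2)) * (block_bits // 8)


# Constructed sample resembling an Apache SSLCipherSuite line that still
# carries two 3DES suites (not any real server's configuration).
SAMPLE_CIPHER_SUITE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK"
)

if __name__ == "__main__":
    found, hardened = audit_cipher_string(SAMPLE_CIPHER_SUITE)
    print("64-bit block suites found:", found)
    print("Hardened SSLCipherSuite:", hardened)
    print("Sweet32 traffic bound per key: %d GiB" % (birthday_bound_bytes(64) // 2 ** 30))
```

The hardened string is only as good as the OpenSSL build that resolves it, so confirm on the actual host with `openssl ciphers -v '<hardened string>' | grep DES-CBC3`, which should print nothing. After restarting Apache, the check a scanner performs is a handshake limited to a 3DES suite, `openssl s_client -connect yourhost:443 -cipher 'DES-CBC3-SHA' < /dev/null`; a correctly hardened server refuses it with a handshake failure.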
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The report from Trustwave does suggest removing all DES and 3DES-related ciphers, so your example is correct if that's what they require for compliance. You can read the OpenSSL article about this specific vulnerability on their website at:

    The SWEET32 Issue, CVE-2016-2183 - OpenSSL Blog

    There are some comments under the article regarding Trustwave that you may want to review.

    Thank you.
     
  3. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,160
    Likes Received:
    5
    Trophy Points:
    68
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Hello guys. I was about to ask the same question, because removing all DES and 3DES-related ciphers will match the default config of ciphers proposed by cPanel. My question is... what browsers would become unable to open secured sites if those ciphers are removed?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Kent Brockman,

    There might be other examples of browsers using 3DES on end-of-life operating systems; however, from what I've read, this is only going to affect Windows XP users with IE6 or IE8.

    Thank you.
     