SSL/TLS multiple vulnerabilities

SSL 64-bit Block Size Cipher Suites Supported (Sweet32)


 
The remote host supports one or more cipher suites that use a block cipher with a 64-bit block
(for example 3DES or Blowfish). It is therefore affected by the vulnerability known as Sweet32.
With a 64-bit block, a "birthday" collision between two ciphertext blocks in CBC mode is expected
after roughly 2^32 blocks (about 32 GB of data) encrypted under the same key. A man-in-the-middle
attacker with sufficient resources, who can keep a connection alive and inject known plaintext into
it, can exploit such a collision: it leaks the XOR of the two plaintext blocks, that is, the XOR
between a fixed secret and a known plaintext, which discloses the secret, such as a secure HTTPS
cookie, and may allow the hijacking of an authenticated session.
 
The SSLv3.0/TLSv1.0 Protocol Has a Weak CBC-Mode Vulnerability (BEAST)
 
SSL v3.0 and TLS v1.0 provide integrity, authenticity and confidentiality to other protocols such
as HTTP and LDAP: encryption for confidentiality, X.509 certificates for authenticity and keyed
one-way hash functions (HMACs) for integrity. To encrypt data, SSL and TLS can use block ciphers,
which transform a fixed-size block of plaintext into a ciphertext block of the same size. A block
cipher on its own is deterministic: the same plaintext block under the same key always produces
the same ciphertext block. To avoid this, each plaintext block is XORed with another block of the
same size before it is encrypted. In cipher block chaining (CBC) mode, the first plaintext block
is XORed with an initialization vector (IV) and each subsequent plaintext block is XORed with the
ciphertext of the previous block, so equal plaintext blocks no longer produce equal output.
 
In SSLv3.0 and TLSv1.0 the use of CBC mode was poorly chosen: all records on a connection share
one CBC chain with a single explicit IV, and the IV for each subsequent record is the last
ciphertext block of the previous record. Those later IVs are therefore visible to an eavesdropper
before the next record is encrypted. An attacker who can inject chosen plaintext into the stream
(to be encrypted by the client) can use this to verify a guess of the plaintext of an earlier
block: by XORing the guess with that block's IV and with the known upcoming IV, the injected block
encrypts to exactly the same ciphertext as the earlier block if, and only if, the guess is correct.

If the attacker guesses the authentication cookie in this way, the attacker can impersonate the
legitimate user on the website that accepts that cookie.
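The two attacks above rest on the same CBC mechanics, so the following added example (not part of this report) models both with a toy 16-bit block cipher, an assumption chosen so that the Sweet32 birthday collision appears after a few hundred blocks instead of about 2^32; the secret, the attacker's blocks and the seeds are constructed values. `sweet32_recover` uses only what a network attacker has (the IV, the ciphertext and the blocks it injected itself), `beast_guess_is_correct` shows the one-guess-per-injected-block primitive that chained IVs allow, and `blocks_for_collision` gives the birthday bound for the real 64-bit case.

```python
import math
import random

# Toy block cipher with a 16-bit block so that the birthday bound (about 2^8 blocks)
# is hit instantly. The real Sweet32 target is a 64-bit block (3DES, Blowfish),
# where the same collision needs about 2^32 blocks; the mechanics are identical.
BLOCK_BITS = 16
BLOCK_SPACE = 1 << BLOCK_BITS


def blocks_for_collision(block_bits, probability=0.5):
    """Birthday bound: blocks encrypted under one key before a ciphertext-block
    collision occurs with the given probability, for an n-bit block cipher."""
    return math.sqrt(2 * (2 ** block_bits) * math.log(1 / (1 - probability)))


def make_toy_cipher(seed):
    """Keyed pseudo-random permutation on 16-bit values; the seed plays the key."""
    perm = list(range(BLOCK_SPACE))
    random.Random(seed).shuffle(perm)
    return perm


def cbc_encrypt(perm, iv, blocks):
    """CBC mode: C_i = E(P_i XOR C_{i-1}) with C_{-1} = iv."""
    out, prev = [], iv
    for p in blocks:
        prev = perm[p ^ prev]
        out.append(prev)
    return out


def sweet32_recover(iv, cipher, chosen):
    """Attacker side of Sweet32. The victim's stream alternates [secret, chosen[k]]
    per request, so even positions carry the secret block and odd positions carry
    blocks the attacker chose. Because E is a permutation, C_i == C_j implies
    P_i XOR C_{i-1} == P_j XOR C_{j-1}; a collision between a secret position and
    a chosen position therefore yields secret = chosen XOR C_{i-1} XOR C_{j-1}.
    Returns (recovered secret or None, number of blocks observed)."""
    first_seen = {}
    for j, c in enumerate(cipher):
        i = first_seen.setdefault(c, j)
        if i == j or i % 2 == j % 2:   # new block, or same-role collision: useless
            continue
        s_pos, k_pos = (i, j) if i % 2 == 0 else (j, i)
        prev_s = iv if s_pos == 0 else cipher[s_pos - 1]
        prev_k = cipher[k_pos - 1]
        return chosen[k_pos // 2] ^ prev_s ^ prev_k, j + 1
    return None, len(cipher)


def beast_guess_is_correct(perm, iv, cipher, target_pos, guess):
    """BEAST primitive for SSL 3.0 / TLS 1.0 chained IVs. The IV of the next record
    is the last ciphertext block, which the attacker already knows. Injecting
    P' = guess XOR C_{target-1} XOR C_last makes the cipher compute
    E(guess XOR C_{target-1}), which equals C_target exactly when guess == P_target.
    perm is passed in only to model the victim encrypting the injected block."""
    prev_target = iv if target_pos == 0 else cipher[target_pos - 1]
    next_iv = cipher[-1]
    injected = guess ^ prev_target ^ next_iv
    return perm[injected ^ next_iv] == cipher[target_pos]


def demo(seed=2024, requests=4000):
    """Victim side: a fixed secret block (the cookie) is sent in every request,
    followed by one attacker-chosen block, all under one key in one CBC chain."""
    rng = random.Random(seed)
    perm = make_toy_cipher(seed)
    secret = rng.randrange(BLOCK_SPACE)            # constructed "cookie" block
    iv = rng.randrange(BLOCK_SPACE)
    chosen = [rng.randrange(BLOCK_SPACE) for _ in range(requests)]
    plain = [b for k in chosen for b in (secret, k)]
    cipher = cbc_encrypt(perm, iv, plain)
    recovered, used = sweet32_recover(iv, cipher, chosen)
    return {
        "secret": secret,
        "sweet32_recovered": recovered,
        "blocks_observed": used,
        "beast_hit": beast_guess_is_correct(perm, iv, cipher, 0, secret),
        "beast_miss": beast_guess_is_correct(perm, iv, cipher, 0, secret ^ 1),
    }


if __name__ == "__main__":
    print(demo())
    n64 = blocks_for_collision(64)
    print(f"64-bit blocks: 50% collision after {n64:.3g} blocks "
          f"(~{n64 * 8 / 2**30:.0f} GiB of traffic)")
```

Run directly, it prints the recovered secret, the number of toy blocks that were needed and the 64-bit birthday bound. The BEAST primitive tests one guess per injected block; the full attack against a cookie additionally shifts the block boundary so that only one unknown byte is guessed at a time, which is why the 256-guess-per-byte cost is practical.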
 
The remote server has SSLv3 / TLS 1.0 enabled
 
SSLv3 and TLS 1.0 are enabled on this host. Both protocol versions have been deprecated (SSLv3 by
RFC 7568, TLS 1.0 by RFC 8996) and, due to pervasive security flaws, are not recommended for use.
 
SSL RC4 Cipher Suites Supported
 
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) provide integrity,
confidentiality and authenticity to other protocols that lack these features. They use ciphers
such as AES, DES, 3DES and RC4 to encrypt the content of the higher-layer protocols. Normally the
output of an encryption process is indistinguishable from a sequence of random bytes. RC4's
keystream has long been known to be biased, and researchers have since shown that the biases are
strong enough to make statistical analysis of ciphertext practical (for example, the second
keystream byte is zero with probability about 1/128 rather than 1/256). The described attack
injects malicious JavaScript into the victim's browser, which causes many connections to be
established with the target website so that the same HTTP cookie is sent many times in encrypted
form. This gives the attacker a large set of ciphertext samples of the same plaintext under
different keys, from which the cookie bytes can be recovered statistically.
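Added example (not from the report) of the statistical attack just described, reduced to one keystream position: the same constructed cookie is encrypted under many random keys, as happens across the forced connections, and the attacker recovers the second plaintext byte from ciphertext alone using the Mantin-Shamir bias that RC4's second keystream byte is zero with probability about 1/128. The key length, the number of keys and the seed are assumptions of this example.

```python
import random


def rc4_keystream(key, length):
    """Plain RC4: key scheduling (KSA) followed by `length` bytes of keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = [], 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return out


def broadcast_attack(plaintext, num_keys, key_len=16, seed=7):
    """Model of the cookie attack: the same plaintext is encrypted under many
    independent random keys (one per forced connection). The attacker sees only
    the ciphertexts. Because the second keystream byte Z2 is 0 about twice as
    often as any other value, the most frequent ciphertext value at position 2
    is the plaintext byte itself.
    Returns (recovered byte, true byte, observed frequency of Z2 == 0)."""
    rng = random.Random(seed)
    counts = [0] * 256
    for _ in range(num_keys):
        key = [rng.randrange(256) for _ in range(key_len)]   # never seen by the attacker
        z2 = rc4_keystream(key, 2)[1]
        counts[plaintext[1] ^ z2] += 1                         # ciphertext byte at position 2
    recovered = max(range(256), key=counts.__getitem__)
    return recovered, plaintext[1], counts[plaintext[1]] / num_keys


if __name__ == "__main__":
    cookie = b"session=4f3a9c17"   # constructed sample cookie
    rec, true, rate = broadcast_attack(cookie, 24000)
    print(f"recovered 0x{rec:02x}, true 0x{true:02x}, "
          f"P[Z2=0]={rate:.4f} (uniform would be {1/256:.4f})")
```

With about 24,000 samples the correct byte already wins by a wide margin; the full attacks against TLS use the biases of many keystream positions at once and correspondingly more samples, but the principle is the same: a biased keystream turns repeated encryption of a fixed secret into a voting problem.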
 
The site uses invalid SSL certificates that an adversary might exploit
 
The SSL certificates used by the server are invalid. They have the following errors:
- The SSL certificate is self-signed.
- The SSL certificate contains a wildcard.
- The SSL certificate has a future expiry.

When a certificate has an error, visitors to the site receive a warning that the certificate is
invalid and are offered the choice of continuing to the site or leaving it. New users may become
concerned and leave. Regular users may become used to the warning and start ignoring it.

Once regular users ignore the warning, an adversary can easily impersonate the site with a fake
SSL certificate of their own. The fake site also produces a similar warning. Because regular users
are familiar with certificate warnings on this site, they will not realise that the latest warning
comes from a fake site, and will trust the fake site (with its fake certificate) as much as they
trust the real one.

SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)

A padding oracle attack has been described for SSLv3 when a cipher block chaining (CBC) mode
cipher suite is selected. In this scenario an attacker may be able to decrypt sensitive
information such as authentication cookies without knowing the encryption key. The attack
requires that the adversary can control the request path and body of HTTPS requests between a
targeted client and the server (for example through JavaScript in the victim's browser), and can
modify SSL records in transit to the server. When these requirements are met, the attacker can
repeat requests and use the server's accept-or-reject response to decrypt specific bytes in the
HTTP headers, at a cost of about 256 requests per byte. Successful exploitation can allow an
attacker to hijack authenticated sessions.

Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure

The remote host is affected by an information disclosure vulnerability. The SSL/TLS service
supports RSA key exchange and leaks whether the RSA-encrypted premaster secret sent by a client
was correctly PKCS#1 v1.5 formatted. This Bleichenbacher-style oracle allows an attacker to
decrypt previously recorded SSL/TLS sessions that used RSA key exchange, or to compute signatures
with the server's private key and thereby impersonate the server.
 
SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
 
The remote SSL/TLS server is vulnerable to the FREAK attack when:
 
1. RSA_EXPORT cipher suites are supported.
2. The RSA public key in the certificate is not stronger than 1024 bits.
3. The temporary (export) RSA key is smaller than 1024 bits.
4. The temporary RSA key is stable (reused across connections), which makes factoring it worthwhile.
Only SSLv3 and TLSv1 are potentially vulnerable, since later protocol versions no longer define
export cipher suites.
 
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
 
The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli of 1024 bits or
less. Through cryptanalysis (a discrete-logarithm precomputation for that modulus), a third party
may be able to recover the shared secret in a short amount of time, depending on the modulus size
and the attacker's resources. This may allow an attacker to recover the plaintext of, or tamper
with, the affected connections.
 
The server supports weak SSL ciphers
 
The remote host supports SSL cipher suites that are weak (key strength of 112 bits or less). If a
client chooses one of these suites, an adversary may be able to conduct man-in-the-middle attacks
or decrypt the communication between the server and the client. Although this is difficult to
exploit in practice, it is security best practice to disable support for weak ciphers.

Solution

Sweet32 vulnerability: disable all cipher suites that use 64-bit block ciphers (3DES, DES, IDEA,
Blowfish).

BEAST vulnerability: upgrade to the latest version of TLS (TLS 1.2 or later, which uses an
explicit per-record IV). If upgrading is not possible, disable CBC-mode ciphers for SSLv3/TLS 1.0.

TLS 1.0/SSLv3 vulnerability: disable SSLv3 and TLS 1.0 and use TLS 1.2 or later.

Weak strength cipher vulnerability: reconfigure the affected application, if possible, to avoid
the use of medium-strength ciphers (<=112 bits).

SSL RC4 ciphers: disable RC4 cipher suites.

Invalid SSL certificate: use a valid SSL certificate issued by a CA that clients trust (for example
Verisign or Thawte). Also ensure that the certificate's Subject Alternative Name (and Subject
Common Name) matches the server's FQDN.

FREAK vulnerability: disable RSA_EXPORT cipher suites and do not reuse temporary RSA keys across
connections.

Logjam: reconfigure the service to use a unique Diffie-Hellman modulus of 2048 bits or greater, or
prefer ECDHE key exchange.

ROBOT vulnerability: upgrade to a patched version of the software. Alternatively, disable cipher
suites that use RSA key exchange (suites that use RSA only for authentication, such as ECDHE-RSA,
are unaffected).
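Added helper (not from the report) that maps a scanner's list of offered cipher suites (OpenSSL names; the OFFERED list is a constructed sample) to the findings in this report and prints the suites that would survive the remediation above. The tag names and the key-size table are this example's own assumptions. Findings that depend on the protocol version (SSLv3/TLS 1.0, BEAST, POODLE) or on the DH parameter size (Logjam) cannot be derived from a suite name and need a separate protocol or parameter check.

```python
# Constructed sample of the suites a scanner might list for a service such as
# 8443/tcp in the results (OpenSSL names). An assumption for illustration only.
OFFERED = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "DES-CBC-SHA",
    "NULL-SHA",
]

# Symmetric key strength by OpenSSL name token (assumed table; 3DES is counted at
# its 112-bit effective strength, matching the report's <=112-bit threshold).
KEY_BITS = {"AES256": 256, "AES128": 128, "CHACHA20": 256, "CAMELLIA256": 256,
            "CAMELLIA128": 128, "ARIA256": 256, "ARIA128": 128, "SEED": 128,
            "IDEA": 128, "RC4": 128, "DES": 56, "RC2": 128, "NULL": 0}
BLOCK64 = {"DES", "CBC3", "IDEA", "BF"}      # 64-bit block ciphers (Sweet32)
NON_RSA_KX = {"ECDHE", "DHE", "EDH", "ECDH", "ADH", "AECDH", "PSK", "SRP"}

DESCRIPTION = {
    "SWEET32": "64-bit block cipher (Sweet32)",
    "RC4": "RC4 cipher suite",
    "EXPORT": "RSA_EXPORT suite (FREAK)",
    "WEAK": "key strength <= 112 bits",
    "ANON": "anonymous key exchange, no server authentication",
    "RSA_KX": "static RSA key exchange: no forward secrecy, ROBOT exposure if unpatched",
    "UNKNOWN": "cipher not recognised, review manually",
}


def key_bits(tokens):
    if "EXP" in tokens:
        return 40                # export grade: 40-bit RC4/RC2 or DES40
    if "EXP1024" in tokens:
        return 56
    if "CBC3" in tokens:
        return 112               # 3DES
    for tok, bits in KEY_BITS.items():
        if tok in tokens:
            return bits
    return None


def findings_for_suite(name):
    """Tags for the report findings one suite name triggers, in a fixed order."""
    tokens = set(name.split("-"))
    found = []
    if tokens & BLOCK64:
        found.append("SWEET32")
    if "RC4" in tokens:
        found.append("RC4")
    if tokens & {"EXP", "EXP1024"}:
        found.append("EXPORT")
    bits = key_bits(tokens)
    if bits is None:
        found.append("UNKNOWN")
    elif bits <= 112:
        found.append("WEAK")
    if tokens & {"ADH", "AECDH"}:
        found.append("ANON")
    elif not tokens & NON_RSA_KX:
        # No (EC)DHE/PSK/SRP token: key exchange is plain RSA encryption. The "RSA"
        # token in ECDHE-RSA-* only denotes authentication and is not flagged.
        found.append("RSA_KX")
    return found


def hardened(suites):
    """Suites from the offered list that trigger none of the findings above."""
    return [s for s in suites if not findings_for_suite(s)]


def report(suites):
    for s in suites:
        tags = findings_for_suite(s)
        print(f"{s:32} {'OK' if not tags else ', '.join(DESCRIPTION[t] for t in tags)}")
    print("keep:", ":".join(hardened(suites)))


if __name__ == "__main__":
    report(OFFERED)
```

The "keep" line is printed in OpenSSL cipher-string form so it can be pasted into a server configuration as the allowed list; suites using static RSA key exchange are dropped too, following the ROBOT remediation, which also gives every remaining suite forward secrecy.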

Results

Vulnerability                                                              Risk    Port      Comment
-------------------------------------------------------------------------  ------  --------  ---------------------------------
The site uses invalid SSL certificates that an adversary might exploit     Low     4433/tcp  SSL certificate is self signed
The site uses invalid SSL certificates that an adversary might exploit     Info    4433/tcp  SSL certificate cannot be trusted
The site uses invalid SSL certificates that an adversary might exploit     Low     4444/tcp  SSL certificate is self signed
The site uses invalid SSL certificates that an adversary might exploit     Info    4444/tcp  SSL certificate cannot be trusted
SSL Server Has SSLv3 Enabled                                               Medium  8443/tcp
The remote server has TLS1.0 Enabled                                       Low     8443/tcp
The server supports weak SSL ciphers                                       Medium  8443/tcp
The site uses invalid SSL certificates that an adversary might exploit     Info    8443/tcp  SSL certificate uses a wildcard
The site uses invalid SSL certificates that an adversary might exploit     Low     8443/tcp  SSL certificate future expiry
The site uses invalid SSL certificates that an adversary might exploit     Info    8443/tcp  SSL certificate cannot be trusted
Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure    Medium  8443/tcp
SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)  Medium  8443/tcp
SSL 64-bit Block Size Cipher Suites Supported (Sweet32)                    Medium  8443/tcp
SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability             Medium  8443/tcp
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)                       Medium  8443/tcp
The SSLv3.0/TLSv1.0 Protocol Has a Weak CBC-Mode Vulnerability (BEAST)     Medium  8443/tcp
SSL RC4 Cipher Suites Supported                                            Medium  8443/tcp
