SSL.Server.Supports.Weak.Encryption.Vulnerability
Description
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.
SSL encryption ciphers are classified based on the length of the symmetric encryption key as follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits
During the SSL handshake the client sends the list of ciphers it supports, sorted by preference with the first entry the most preferred, and the server selects one cipher from that list. A vulnerability exists when the client's list mixes LOW, MEDIUM and HIGH ciphers with a LOW grade cipher listed first, and the server, following the client's order, selects the LOW grade cipher even though it supports at least one MEDIUM or HIGH grade cipher in the list. Making the server enforce its own preference order (SSLHonorCipherOrder on in Apache mod_ssl) only helps when both sides share a stronger cipher; a server that keeps LOW ciphers enabled can still be driven to one by a client that offers nothing else, so the fix is to remove them.
Messages encrypted with LOW ciphers are easy to decrypt: 40-bit export keys and 56-bit DES keys can be recovered by brute force with modest computing resources, so recorded traffic can be read later. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.
Affected Products
SSL with weak encryption enabled on host
Impact
An attacker can exploit this vulnerability to decrypt secure communications without authorization.
Recommended Actions
Disable support for LOW encryption ciphers.
Workaround:
1. For Apache:
1.1 For Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Note that this suite string still permits RC4 and the protocol line still permits SSLv3; both have since been retired (RFC 7465 prohibits RC4, RFC 7568 deprecates SSLv3). On current releases prefer SSLProtocol -ALL +TLSv1.2 (or newer), add !RC4 to the suite string, and set SSLHonorCipherOrder on so the server's preference wins. Verify the result with openssl ciphers -v followed by the SSLCipherSuite string, which lists the key length of every suite it expands to.
1.2 For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2. For Tomcat, on the HTTPS Connector element in server.xml:
sslProtocol="SSLv3"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
This list contains only 128-bit RC4 and 3DES suites (3DES has 112 bits of effective strength); on current Tomcat and JVM releases use sslProtocol="TLS" and AES suites instead, since RC4 is now prohibited (RFC 7465) and SSLv3 is deprecated (RFC 7568).
3. For IIS
Please refer to Microsoft Knowledge Base Article at:
http://support.microsoft.com/kb/187498
http://technet.microsoft.com/en-us/library/dd450371(WS.10).aspx
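The negotiation described under Description and the Apache cipher string from step 1.1 can both be checked with the following Python script. It is an added example, not part of this advisory and not code from any vendor named above. The cipher table, the client preference list and the two server configurations are constructed for illustration; audit_cipher_string expands an OpenSSL cipher string with the local OpenSSL through Python's ssl module and buckets the result by this advisory's thresholds (HIGH above 128 bits, MEDIUM exactly 128, LOW below), not by OpenSSL's own HIGH/MEDIUM/LOW aliases.

```python
import ssl


# Grades as defined by this advisory: HIGH above 128 bits, MEDIUM exactly 128, LOW below.
def grade(key_bits):
    if key_bits > 128:
        return "HIGH"
    if key_bits == 128:
        return "MEDIUM"
    return "LOW"


# Constructed lookup: symmetric key length (bits) of a handful of TLS 1.0-1.2 suites.
# 3DES is listed at its 112-bit effective strength, which is also what OpenSSL reports.
SUITE_BITS = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "TLS_RSA_WITH_DES_CBC_SHA": 56,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 112,
    "TLS_RSA_WITH_RC4_128_SHA": 128,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 128,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 256,
}

# Constructed scenario: a client that lists its weakest suites first (as the advisory
# describes), a server that still has LOW suites enabled, and the same server with
# every LOW suite removed (the recommended action).
CLIENT_ORDER = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]
SERVER_WEAK = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]
SERVER_FIXED = [s for s in SERVER_WEAK if grade(SUITE_BITS[s]) != "LOW"]


def negotiate(client_order, server_order, honor_server_order=False):
    """Return the suite the server will use, or None if nothing overlaps.

    Default: the first suite in the client's preference list that the server supports
    (the behaviour the advisory describes).  With honor_server_order=True the server's
    own order wins, as with Apache's SSLHonorCipherOrder on.
    """
    if honor_server_order:
        preferred, offered = server_order, set(client_order)
    else:
        preferred, offered = client_order, set(server_order)
    for suite in preferred:
        if suite in offered:
            return suite
    return None


def is_vulnerable(client_order, server_order, honor_server_order=False):
    """True when a LOW suite is chosen although both sides share a MEDIUM or HIGH suite."""
    chosen = negotiate(client_order, server_order, honor_server_order)
    if chosen is None:
        return False
    common = set(client_order) & set(server_order)
    stronger_available = any(grade(SUITE_BITS[s]) != "LOW" for s in common)
    return grade(SUITE_BITS[chosen]) == "LOW" and stronger_available


def audit_cipher_string(spec):
    """Expand an OpenSSL cipher string (such as the SSLCipherSuite value above) with the
    local OpenSSL and bucket every resulting suite by the advisory's grades.  Anything
    that lands under "LOW" must be removed from the server configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    buckets = {"HIGH": [], "MEDIUM": [], "LOW": []}
    for c in ctx.get_ciphers():
        buckets[grade(c["strength_bits"])].append(c["name"])
    return buckets


if __name__ == "__main__":
    print("weak server, client order :", negotiate(CLIENT_ORDER, SERVER_WEAK),
          "vulnerable:", is_vulnerable(CLIENT_ORDER, SERVER_WEAK))
    print("fixed server, client order:", negotiate(CLIENT_ORDER, SERVER_FIXED),
          "vulnerable:", is_vulnerable(CLIENT_ORDER, SERVER_FIXED))
    print("weak server, server order :", negotiate(CLIENT_ORDER, SERVER_WEAK, True))
    report = audit_cipher_string("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM")
    for g in ("LOW", "MEDIUM", "HIGH"):
        print(f"{g:6} {len(report[g]):3}  {' '.join(report[g][:4])}")
```

Two things the simulation makes visible: enforcing the server's order protects the client above, but a client that offers only LOW suites still gets one from SERVER_WEAK (3DES or DES), and only SERVER_FIXED refuses it outright, which is why the recommended action is to disable LOW ciphers rather than just reorder them. On the audit side, current OpenSSL builds compile out the export and single-DES ciphers, so an empty LOW bucket may reflect the library rather than the configuration; 3DES, however, is still expanded from ALL:!LOW (OpenSSL 1.1.0 and later file it under MEDIUM) and reports 112 bits, which puts it below this advisory's 128-bit line.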
Coverage
| IPS (Regular DB) | |
| IPS (Extended DB) | |