Qualys QID 42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)
search cancel

Qualys QID 42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)

book

Article ID: 377350

calendar_today

Updated On:

Products

Service Virtualization

Issue/Introduction

What are the steps needed to address the Qualys QID 42873 vulnerability reported on our DvTest 10.7.2 SP3 servers?

Plugin ID: 42873 
Plugin Name: SSL Medium Strength Cipher Suites Supported (SWEET32)
Plugin Output: 

Tenable Ciphername Cipher ID Code Key Exchange Authentication Symmetric Encryption Method Message Authentication Code
DES-CBC3-SHA  0x00, 0x0A RSA RSA 3DES-CBC(168) SHA1

Description: The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.

Environment

DevTest release 10.7.2 SP3

Resolution

  1. Stop all the DevTest services
  2. Open the file LISA_HOME\jre\lib\security\java.security in a text editor of your choice
  3. Comment out the existing entry "jdk.tls.disabledAlgorithms"
  4. Add the following entry:
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1.0,TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \  
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \  
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, \  
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
        TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, RC2, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA,\
        TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\
        TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA,\
        TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA,  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,\
        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA,\
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5,\
        TLS_KRB5_WITH_DES_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_NULL_SHA256
  5. Save the file
  6. Restart all DevTest Service
  7. Rescanned to verify the vulnerability has been addressed.
Powered by Wolken Software