Posts Tagged ‘Tenable’

SSL 64-bit Block Size Cipher Suites Supported ( 3DES -CBCSHA Ciphers, RC4-MD5, RC4-SHA ) 

Legacy block ciphers having a block size of 64 bits are affected by a vulnerability, known as SWEET32. A man-in-the-middle attacker who has sufficient resources can exploit this
vulnerability via “birthday” attack By misusing the SWEET32 vulnerability, an attacker can send in a large volume of dummy data and get blocks of ciphertext that matches
that of the organisation.
Attack Process
1. The attacker sniffs all data sent to your customer (external user).
2. The attacker sends dummy data to your server until a key used for a customer matches the attacker’ssession key.
3. Once there’s a match, sensitive data can be decrypted by determining how the key was chosen.

Fix

 https://gallery.technet.microsoft.com/Solve-SWEET32-Birthday-d2df9cf1

And

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56

“Enabled”=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168

“Enabled”=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

“Enabled”=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128

“Enabled”=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128

“Enabled”=dword:00000000

Server Version Disclosure

Default or misconfigured web servers often disclose the version at multiple locations like HTTP response headers, and at error pages. Attackers can perform banner-grabbing against the webserver by using netcat or telnet, which reveals the webserver, version, and operating system.

On IIS 7

Using the Registry key.

Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1.

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

On IIS 6 

2) 1. Install URLScan (this is a free tool available from Microsoft)
2. Open the URLScan.ini file with a text editor. The file is usually located in the
%WINDIR%System32InetsrvURLscan directory.
3. Search for the key RemoveServerHeader, which by default, is set to 0. Set the value to 1 in order to
remove the Server header.

SSLv3, TLS 1.0 protocols

If Poodle SSLv3 is enabled on any website, then it is vulnerable to a poodlebleed attack. The remote service accepts connections encrypted using SSL 3.0. These versions of SSL reportedly suffer from several cryptographic flaws.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
“Enabled”=dword:00000000

Disable SSL V2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
“Enabled”=dword:00000000

Webserver HTTP Header Internal IP Disclosure

A string matching an internal IPv4 address was found on this page. This may disclose information about the IP addressing scheme of the internal network. This information can be used to conduct further targeted attacks. Internal IP addresses are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. This may also affect other web servers, web applications, web proxies, load balancers, and a variety of misconfigurations related to redirection.

IIS 7.0

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:”remote.server.domain.com”  /commit:apphost

IIS 6.0

To prevent internal IP address disclosure, take the following steps.
1. Open a command prompt and change the current directory to c:\inetpub\adminscripts or to where the adminscripts can be found.
2. Run the commands
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc
This will cause the IIS server to use the machine’s hostname rather than its IP address.

If running the above on IIS 7 you will get : 

ErrNumber: -2147463162 (0x80005006)
Error Trying To SET the Property: UseHostName

SSL/TLS DiffieHellman Modulus <=1024 Bits (Logjam)

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The current Modulus being used is a weak one and can be exploited by a determined hacker. Update to DHE-2048 Bits

Fix
Make sure that you have KB 3174644 installed on the affected server.
Run Regedit on the affected server
Navigate to the following Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms
Create a new sub key named Diffie-Hellman (if it didn´t already exists)
Inside that create a new DWORD called “ServerMinKeyBitLength” with the value “00000800” (for 2048 bit)

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)