{"id":4730,"date":"2020-07-21T00:54:15","date_gmt":"2020-07-21T00:54:15","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=4730"},"modified":"2024-03-20T03:49:08","modified_gmt":"2024-03-20T03:49:08","slug":"fixing-tenable-remediations-from-scan","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/fixing-tenable-remediations-from-scan","title":{"rendered":"Fixing Tenable Remediations from Scan"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">SSL 64-bit Block Size Cipher Suites Supported ( 3DES -CBCSHA Ciphers, RC4-MD5, RC4-SHA )&nbsp;<\/h3>\n\n\n\n<p>Legacy block ciphers having a block size of 64 bits are affected by a vulnerability known as SWEET32. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability via a \u201cbirthday\u201d attack. By misusing the SWEET32 vulnerability, an attacker can send in a large volume of dummy data and get blocks of ciphertext that match that of the organisation.<br>Attack Process<br>1. The attacker sniffs all data sent to your customer (external user).<br>2. The attacker sends dummy data to your server until a key used for a customer matches the attacker\u2019s session key.<br>3. 
Once there\u2019s a match, sensitive data can be decrypted by determining how the key was chosen.<\/p>\n\n\n\n<p><strong>Fix<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/gallery.technet.microsoft.com\/Solve-SWEET32-Birthday-d2df9cf1\">https:\/\/gallery.technet.microsoft.com\/Solve-SWEET32-Birthday-d2df9cf1<\/a><\/p>\n\n\n\n<p>And<\/p>\n\n\n\n<p>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\DES 56\/56<\/p>\n\n\n\n<p>&quot;Enabled&quot;=dword:00000000<\/p>\n\n\n\n<p>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\Triple DES 168<\/p>\n\n\n\n<p>&quot;Enabled&quot;=dword:00000000<\/p>\n\n\n\n<p>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 56\/128<\/p>\n\n\n\n<p>&quot;Enabled&quot;=dword:00000000<\/p>\n\n\n\n<p>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 40\/128<\/p>\n\n\n\n<p>&quot;Enabled&quot;=dword:00000000<\/p>\n\n\n\n<p>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 128\/128<\/p>\n\n\n\n<p>&quot;Enabled&quot;=dword:00000000<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Server Version Disclosure<\/h3>\n\n\n\n<p>Default or misconfigured web servers often disclose the version in multiple locations, such as HTTP response headers and error pages. Attackers can perform banner-grabbing against the webserver by using netcat or telnet, which reveals the webserver, version, and operating system.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">On IIS 7<\/h4>\n\n\n\n<p>Using the Registry key.<\/p>\n\n\n\n<p>Create a DWORD entry called&nbsp;<strong>DisableServerHeader<\/strong>&nbsp;in the following Registry key and set the value to&nbsp;<strong>1<\/strong>.<\/p>\n\n\n\n<p>HKLM\\SYSTEM\\CurrentControlSet\\Services\\HTTP\\Parameters<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">On IIS 6&nbsp;<\/h4>\n\n\n\n<p>1. 
Install URLScan (this is a free tool available from Microsoft)<br>2. Open the URLScan.ini file with a text editor. The file is usually located in the %WINDIR%\\System32\\Inetsrv\\URLscan directory.<br>3. Search for the key RemoveServerHeader, which is set to 0 by default. Set the value to 1 in order to remove the Server header.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SSLv3, TLS 1.0 protocols<\/h3>\n\n\n\n<p>If SSLv3 is enabled on any website, then it is vulnerable to the POODLE (\u201cpoodlebleed\u201d) attack. The remote service accepts connections encrypted using SSL 3.0. These versions of SSL reportedly suffer from several cryptographic flaws.<\/p>\n\n\n\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Schannel\\Protocols\\SSL 3.0\\Server]<br>&quot;Enabled&quot;=dword:00000000<\/p>\n\n\n\n<p>Disable SSL V2<\/p>\n\n\n\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Schannel\\Protocols\\SSL 2.0\\Server]<br>&quot;Enabled&quot;=dword:00000000<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Webserver HTTP Header Internal IP Disclosure<\/h3>\n\n\n\n<p>A string matching an internal IPv4 address was found on this page. This may disclose information about the IP addressing scheme of the internal network. This information can be used to conduct further targeted attacks. Internal IP addresses are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. This may also affect other web servers, web applications, web proxies, load balancers, and a variety of misconfigurations related to redirection.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">IIS 7.0<\/h4>\n\n\n\n<p>appcmd.exe set config -section:system.webServer\/serverRuntime \/alternateHostName:&quot;remote.server.domain.com&quot; \/commit:apphost<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">IIS 6.0<\/h4>\n\n\n\n<p>To prevent internal IP address disclosure, take the following steps.<br>1. 
Open a command prompt and change the current directory to c:\\inetpub\\adminscripts or to where the adminscripts can be found.<br>2. Run the commands<br>adsutil set w3svc\/UseHostName True<br>net stop iisadmin \/y<br>net start w3svc<br>This will cause the IIS server to use the machine&#8217;s hostname rather than its IP address.<\/p>\n\n\n\n<p>If you run the above on IIS 7, you will get:<\/p>\n\n\n\n<p>ErrNumber: -2147463162 (0x80005006)<br>Error Trying To SET the Property: UseHostName<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SSL\/TLS Diffie-Hellman Modulus &lt;=1024 Bits (Logjam)<\/h3>\n\n\n\n<p>Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The modulus currently in use is a weak one and can be exploited by a determined hacker. Update to DHE with a 2048-bit modulus.<\/p>\n\n\n\n<p><strong>Fix<\/strong><br>Make sure that you have KB 3174644 installed on the affected server.<br>Run Regedit on the affected server.<br>Navigate to the following Registry location: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SChannel\\KeyExchangeAlgorithms<br>Create a new sub key named Diffie-Hellman (if it doesn\u2019t already exist).<br>Inside that, create a new DWORD called &#8220;ServerMinKeyBitLength&#8221; with the value &#8220;00000800&#8221; (for 2048 bit).<\/p>\n\n\n\n<p><strong>Server Version Disclosure<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open &#8220;Internet Information Services (IIS) Manager&#8221;.<\/li>\n\n\n\n<li>If you want to set the settings globally, click on your main server node:<img decoding=\"async\" src=\"https:\/\/i.stack.imgur.com\/fJBmy.png\" alt=\"select iis node\"><\/li>\n\n\n\n<li>Open the &#8220;Configuration Editor&#8221;<img decoding=\"async\" src=\"https:\/\/i.stack.imgur.com\/trFWX.png\" alt=\"open 
configuration editor\"><\/li>\n\n\n\n<li>To remove the&nbsp;<code>x-aspnet-version<\/code>&nbsp;response header, go to&nbsp;<em>system.web &gt;&gt; httpRuntime &gt;&gt; enableVersionHeader<\/em>&nbsp;and set it to&nbsp;<code>false<\/code><img decoding=\"async\" src=\"https:\/\/i.stack.imgur.com\/5mmgh.png\" alt=\"disable server response header\"><\/li>\n\n\n\n<li>To remove the IIS&nbsp;<code>server<\/code>&nbsp;response header, go to&nbsp;<em>system.webServer &gt;&gt; security &gt;&gt; requestFiltering &gt;&gt; removeServerHeader<\/em>&nbsp;and set it to&nbsp;<code>true<\/code><img decoding=\"async\" src=\"https:\/\/i.stack.imgur.com\/DOX2k.png\" alt=\"remove IIS server header\"><\/li>\n<\/ol>\n\n\n\n<p>For setting the values per site, just click on the site you want to apply the changes, and select the Configuration Editor from there.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SSL 64-bit Block Size Cipher Suites Supported ( 3DES -CBCSHA Ciphers, RC4-MD5, RC4-SHA )&nbsp; Legacy block ciphers having a block size of 64 bits are affected by 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[3308,3307,3312,3313,3306,3311,3309,3305,3310],"class_list":["post-4730","post","type-post","status-publish","format-standard","hentry","category-research","tag-iis6","tag-iis7","tag-rc4-md5","tag-rc4-sha","tag-server-version-disclosure","tag-ssl-64-bit-block-size-cipher-suites-supported-3des-cbcsha-ciphers","tag-sslv3","tag-tenable","tag-tls-1-0-protocols"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=4730"}],"version-history":[{"count":5,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4730\/revisions"}],"predecessor-version":[{"id":7799,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4730\/revisions\/7799"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=4730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=4730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=4730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}