locked
Server Vulnerability Report RRS feed

  • Question

  • Hi,

    This is a report generated during a vulnerability scan of My AD server.

    Please suggest the actions to be performed for these outputs taken.

    • SSL Certificate Expiry         
      This plugin checks expiry dates of certificates associated with SSL- enabled services on the target and reports whether any have already expired.
      Recommendation:
      Purchase or generate a new SSL certificate to replace the existing one.
      Affected IPs: x.x.x.x
    • SSL Version 2 and 3 Protocol Detection
      The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affe cted by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.
      NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC'S definition of 'strong cryptography'.
      Recommendation:
      Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.1 (with approved cipher suites) or higher instead.
      Affected IPs: x.x.x.x
    • SSL Weak Cipher Suites Supported
      The remote host supports the use of SSL ciphers that offer weak encryption.
      Recommendation:
      Reconfigure the affected application, if possible to avoid the use of weak ciphers.
      Affected IPs: x.x.x.x
    • SSL Certificate with Wrong Hostname
      The common Name (CN) of the SSL certificate presented on this service is for a different machine.
      Recommendation:
      Purchase or generate a proper certificate for this service.
      Affected IPs: x.x.x.x
    • SSL Certificate Cannot Be Trusted
      The server's X.509 certificate does not have a signature from a known public certificate authority.  This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted. First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority.  This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.  Second, the certificate chain may contain a certificate that is not valid at the time of the scan.  This can occur either when the scan occurs before one of the certificate's 'not Before' dates, or after one of the certificate's 'not After' dates. Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified.   Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer.  Signatures that could not be verified are the result of the c ertificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.  If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
      Recommendation:
      Purchase or generate a proper certificate for this service.
      Affected IPs: x.x.x.x
    • SSL Self-Signed Certificate
      The X.509 certificate chain for this service is not signed by a recognized certificate authority.  If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.
      Recommendation:
      Purchase or generate a proper certificate for this se rvice.
      Affected IPs: x.x.x.x
    • SSL RC4 Cipher Suites Supported (Bar Mitzvah)
      The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly enc rypted (e.g., HTTP cookies), and an
      attacker is able to obtain many (i.e., tens of millions) cipher texts, the attacker may be able to derive the plaintext.
      Recommendation:< /span>
      Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
      Affected IPs: x.x.x.x
    • SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
      At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits. Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.
      Recommendation:
      Replace the certificate in the chain with the RSA key less than 2048 bits in length with a longer key, and reissue any certificates signed by the old certificate.
      Affected IPs: x.x.x.x
    • SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
      The remot e host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a sel ected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer is supported by the client and service. The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients; however, it can only protect connections when the client and service support the mechanism. Sites that cannot disable SSLv3 immediately should enable this mechanism. This is a vulnerability in the SSLv3 specification, not in any
      particular SSL implementation. D isabling SSLv3 is the only way to completely mitigate the vulnerability.
      Recommendation:
      Disable SSLv3.
      Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.
      Affected IPs: x.x.x.x



      < b>SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)    Disable SSLv3. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.

    Thank You.

    Wednesday, October 19, 2016 11:51 AM

Answers