Certificate Vulnerability on Windows 10 Pro

  • Question

  • We ran the Nessus scan and on some PCs, which are all Windows 10 1903, we are getting the following three errors. These PCs are not running any IIS services.

    Number 1 -

    The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below :

      - First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

      - Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

      - Third, the certificate chain may contain a signature that either didn't match the certificate's information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

    If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

    Recommendation: Purchase or generate a proper certificate for this service. 

    The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority :

    |-Subject : CN=PCName.Domian.local

    |-Issuer  : CN=PCName.Domian.local

    Number 2 -

    SSL Medium Strength Cipher Suites Supported (SWEET32)

    The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.

    Reconfigure the affected application if possible to avoid use of medium strength ciphers.

    Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

        DES-CBC3-SHA                 Kx=RSA         Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1  

    The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

    CVE-2016-2183

    Number 3 -

    SSL Self-Signed Certificate

    The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

    Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority. 

    Recommendation: Purchase or generate a proper certificate for this service.

    The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

    |-Subject : CN=PCName.Domain.local

    How do I fix these?

    Thank you,

    Monday, October 28, 2019 9:33 PM
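A local check that mirrors the three findings above, as an added example that is not part of the thread and not Nessus output. The scan hit an unspecified TLS listener, so the port is a parameter; it assumes the service speaks TLS directly on that port and that the PowerShell `TLS` module cmdlets (`Get-TlsCipherSuite`, `Disable-TlsCipherSuite`) are available, as they are on Windows 10 1903.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the affected Windows 10 host.

# Findings 1 and 3: self-signed certificates in the machine store (Subject equals Issuer).
function Get-SelfSignedMachineCert {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

# Which process owns each TCP listener; this is how to find what actually serves the certificate
# on a client PC that has no IIS (the post does not name the port, so every listener is listed).
function Get-ListenerOwner {
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $_.LocalPort; Pid = $_.OwningProcess; Process = $p.ProcessName }
        } | Sort-Object Port -Unique
}

# Fetch the certificate a TLS listener presents, the way the scanner saw it (assumed port, passed by caller).
# Validation is deliberately skipped here because the point is to inspect an untrusted certificate.
function Get-ServedCertificate {
    param([string]$ComputerName = 'localhost', [Parameter(Mandatory)][int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # matches Nessus finding 3
            NotAfter   = $cert.NotAfter
        }
    } finally { $ssl.Dispose(); $client.Dispose() }
}

# Finding 2 (SWEET32, CVE-2016-2183): DES-CBC3-SHA is Schannel's TLS_RSA_WITH_3DES_EDE_CBC_SHA.
# Disable it in the TLS cipher-suite policy; the listening service must restart to pick this up.
function Disable-3DesSuite {
    $suite = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    if (Get-TlsCipherSuite -Name $suite) { Disable-TlsCipherSuite -Name $suite }
    Get-TlsCipherSuite | Where-Object { $_.Name -like '*3DES*' }   # empty output means it is gone
}

Get-SelfSignedMachineCert
Get-ListenerOwner
# Get-ServedCertificate -Port <port from the Nessus report>
```

Replacing the self-signed certificate (findings 1 and 3) means issuing one from a CA the scanner trusts, for example an internal enterprise CA whose root is in Nessus's trusted store, and binding it to whichever service `Get-ListenerOwner` shows on the scanned port.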

All replies

  • Hi, 

    Does the issue occur when using Windows Defender?

    Are they domain joined computers or local computers?

    What's the system build for those computers? Please type "winver" in the Run box to check.

    Bests, 


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 29, 2019 6:54 AM
    Moderator
  • Does the issue occur when using Windows Defender? No. The Nessus scan we ran gave us the three errors and all the info I posted. Windows Defender is turned off and we have Kaspersky running on all.

    Are they domain joined computers or local computers?  All computers are on a domain

    What's the system build for those computers? Windows 10 Version 1903 (OS Build 18362.418)



    • Edited by Jrlowyr Tuesday, October 29, 2019 1:34 PM
    Tuesday, October 29, 2019 1:32 PM
  • Hi, 

    Could you please go to the MMC console and check the existing certificate in the certificate snap-in on the server side.

    The error is reported by the third-party software Nessus, which mainly looks for whether your server has a trusted, publicly signed certificate. When it doesn't find one, it reports this to you as a vulnerability.

    Or, if you are using a very recent version of Nessus or their service, there is another potential problem: some certificates have been compromised over the past few months, meaning someone has stolen or cracked their keys.

    Here is a thread similar to yours; please take it as a reference.

    SSL Certificate Cannot Be Trusted

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    As it is reported by third-party software rather than Windows Defender, I would recommend asking Nessus for help to check if they have any information about it.

    Bests,



    Wednesday, October 30, 2019 9:37 AM
    Moderator
  • This scan is saying that the Windows 10 PC has the certificate vulnerability. Could the Certificate Propagation service in Windows 10 be causing this?
    Wednesday, October 30, 2019 4:52 PM
  • Hi, 

    As no official public document released by Microsoft states anything about it, we can't say which part or thread is the culprit. We recommend asking Nessus support to check if they have any information about it.

    Bests,



    Friday, November 1, 2019 9:40 AM
    Moderator