2023/04/24

弱點掃描 Vulnerable' cipher suites 處理

在用弱點掃描軟體做伺服器弱點檢查時,有些主機有下列這個弱點被掃出: 

Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

就是有3個TLS的連線協定用了不安全的密碼套件TLS_RSA_WITH_3DES_EDE_CBC_SHA。

網路上比較多的解決方法是用IISCrypto這套軟體,免安裝,直接在伺服器上執行,它會列出很多種連線協定跟密碼套件,把你不要的取消勾選按下套用,重開機,就好了。

也有人說要去改機碼,只是比較麻煩,用IISCrypto比較快。

所以我就在查了一下IISCrypto跟改機碼差在哪,結果是一樣的,IISCrypto背後的方式也是改機碼。

所以就決定自己用改機碼的方式在處理:

因為三個連線協定都是用同一個有問題的密碼套件,因此直接先停用這個密碼套件看看。

原本在Chiphers底下是沒有Triple DES 168,就直接新增,加入這段機碼

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]

"Enabled"=dword:00000000

好了之後不用重開,直接在掃一次,就沒有這三個弱點出現了。


When conducting a vulnerability scan to check for server weaknesses, some hosts may exhibit the following vulnerability:

Vulnerable cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

Vulnerable cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

Vulnerable cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

These vulnerabilities involve the usage of insecure cipher suites, specifically TLS_RSA_WITH_3DES_EDE_CBC_SHA, across all three TLS connection protocols.

One commonly suggested solution found online is to use a software called IISCrypto. It can be executed directly on the server without installation. IISCrypto provides a comprehensive list of connection protocols and cipher suites, allowing users to deselect undesired options, apply the changes, and then reboot the server.

Another approach involves modifying the registry, although this method is considered more cumbersome compared to using IISCrypto, which is faster.

After researching the differences between IISCrypto and registry modification, I discovered that they achieve the same result, as IISCrypto utilizes changes to the registry behind the scenes.

Therefore, I decided to handle the issue by modifying the registry myself:

Since all three connection protocols employ the same problematic cipher suite, the first step was to disable this specific cipher suite.

Initially, the "Triple DES 168" option was not present under the Chiphers section, so I added it directly by inserting the following registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]

"Enabled"=dword:00000000

After applying this modification, there was no need to restart the system. Running another scan revealed the absence of the aforementioned three vulnerabilities.

沒有留言:

張貼留言