
SSL/TLS vulnerability


manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Sun Aug 26, 2012 4:20 am

SSL/TLS vulnerability

Hi,

Through the Nessus scanner I am finding lots of vulnerabilities related to SSL/TLS.

Vul: SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability, on w2k3 & 2008 servers as well.

I had applied all the mentioned solutions from Microsoft of disabling SSLv2 and TLS 1, but am still struggling to fix the same.
Kindly suggest the solutions.

Thanks

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Sun Aug 26, 2012 7:59 am

Re: SSL/TLS vulnerability

You should try and locate the Nessus NASL script that is identifying the issue and understand why it's finding it, as it could be finding the issue in a certain way, and until you understand how it's finding the issue you cannot fix it.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Aug 26, 2012 9:51 am

Re: SSL/TLS vulnerability

http://blog.zoller.lu/2011/09/beast-sum ... sures.html

It looks like prioritizing non-CBC ciphers (RC4) is the way to address this.

There's some more Microsoft-centric discussion here: http://social.technet.microsoft.com/For ... 4ad46474fd
The day you stop learning is the day you start becoming obsolete.

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Tue Aug 28, 2012 7:11 am

Re: SSL/TLS vulnerability

Hi johnson,
I tried the given solution; still the vulnerability persists.
Also, in the tool I find the below details of the vulnerability:

Plugin Output
Negotiated cipher suite: AES128-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES(128)|Mac=SHA1

I need help to understand the Nessus findings.
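The "Negotiated cipher suite" line above is the key to the finding, and it also explains why dynamik's earlier advice to prioritise non-CBC suites changes the result. The fields are in OpenSSL's `openssl ciphers -v` notation: `AES128-SHA` with `Enc=AES(128)` and `Mac=SHA1` is an AES-CBC suite, and `TLSv1` is TLS 1.0, whose record layer chains CBC IVs from the previous record (the "initialization vector implementation" the plugin title refers to). Disabling SSLv2 does not touch that combination. The Python below is an added example, not code from the thread or from Nessus: it parses lines in that plugin-output format, reports whether each negotiated suite is a chained-IV CBC suite, and models server-preferred suite selection so you can see what a server that lists RC4 ahead of AES would negotiate with the same client. The mode and version tables and the extra sample lines are this example's own assumptions. One caveat the 2012 thread predates: RC4 was later prohibited for TLS (RFC 7465), so today the finding is cleared by negotiating TLS 1.1 or later with AEAD suites rather than by preferring RC4.

```python
"""Classify Nessus 'Negotiated cipher suite' lines and model suite preference.

Added example for this thread, not Nessus or Microsoft code. Field naming
follows OpenSSL's `openssl ciphers -v` style, which the quoted line uses.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One regex per line; [^|\n] stops the last field from swallowing the next line.
LINE_RE = re.compile(
    r"Negotiated cipher suite:\s*"
    r"(?P<name>[^|\n]+)\|(?P<protocol>[^|\n]+)\|Kx=(?P<kx>[^|\n]+)\|"
    r"Au=(?P<au>[^|\n]+)\|Enc=(?P<enc>[^|\n]+)\|Mac=(?P<mac>[^|\n]+)"
)

# Protocol versions whose CBC record layer chains IVs between records.
# TLS 1.1 introduced explicit per-record IVs. OpenSSL writes TLS 1.0 as "TLSv1".
CHAINED_IV_VERSIONS = {"SSLv3", "TLSv1"}


@dataclass(frozen=True)
class Suite:
    name: str
    protocol: str
    kx: str
    au: str
    enc: str
    mac: str

    @property
    def mode(self) -> str:
        """Return 'aead', 'stream' or 'cbc' from the OpenSSL Enc/Mac fields (assumption)."""
        if self.mac == "AEAD" or "GCM" in self.enc or "CCM" in self.enc:
            return "aead"
        if self.enc.startswith("RC4"):
            return "stream"
        # AES(128), AES(256), 3DES(168), CAMELLIA(...) in this notation are CBC suites.
        return "cbc"

    @property
    def chained_iv_cbc(self) -> bool:
        """True for a CBC suite negotiated on SSLv3/TLS 1.0, i.e. what the finding flags."""
        return self.mode == "cbc" and self.protocol in CHAINED_IV_VERSIONS


def parse_plugin_output(text: str) -> List[Suite]:
    """Extract every 'Negotiated cipher suite' line from a block of plugin output."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(Suite(**m.groupdict()))
    return suites


def explain(suite: Suite) -> str:
    """One-line verdict a reviewer can paste next to the scanner output."""
    if suite.chained_iv_cbc:
        return (f"{suite.name} on {suite.protocol}: CBC with chained IVs -> "
                "finding stays until this suite/version is no longer negotiated")
    return f"{suite.name} on {suite.protocol}: {suite.mode} mode -> not a chained-IV CBC suite"


def negotiate(server_preference: List[str], client_offer: List[str]) -> Optional[str]:
    """Server-preferred selection: first suite in the server's order the client also offers.

    Models the thread's 'prioritise non-CBC suites' advice: a server that honours
    its own order picks RC4-SHA before AES128-SHA even if the client lists AES first.
    """
    offered = set(client_offer)
    return next((s for s in server_preference if s in offered), None)


# Constructed sample: the first line is the one quoted in the thread; the other
# three are made up here to exercise the classifier.
SAMPLE_OUTPUT = """\
Negotiated cipher suite: AES128-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES(128)|Mac=SHA1
Negotiated cipher suite: RC4-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=RC4(128)|Mac=SHA1
Negotiated cipher suite: AES128-SHA|TLSv1.1|Kx=RSA|Au=RSA|Enc=AES(128)|Mac=SHA1
Negotiated cipher suite: AES128-GCM-SHA256|TLSv1.2|Kx=RSA|Au=RSA|Enc=AESGCM(128)|Mac=AEAD
"""

if __name__ == "__main__":
    for s in parse_plugin_output(SAMPLE_OUTPUT):
        print(explain(s))
    client = ["AES128-SHA", "RC4-SHA"]
    print("server prefers AES:", negotiate(["AES128-SHA", "RC4-SHA"], client))
    print("server prefers RC4:", negotiate(["RC4-SHA", "AES128-SHA"], client))
```

Run it as-is to see the four verdicts; only the first sample line (the one from the thread) is reported as a chained-IV CBC negotiation. The same AES-CBC suite on TLSv1.1 is not flagged, which is why raising the minimum protocol version, rather than removing AES, is the durable fix once clients support it.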

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Aug 28, 2012 7:32 am

Re: SSL/TLS vulnerability

I'm not really familiar with this issue. It's possible that Nessus requires you to disable the ciphers that use AES. If this is a test system, try it out and see what your findings are.

You may need to decide internally if prioritizing RC4 is sufficient, or if eliminating the Nessus finding takes priority.
The day you stop learning is the day you start becoming obsolete.
