Monday 3 July 2017

HTTP TRACE / TRACK Methods Enabled (CVE-2004-2320, CVE-2010-0386, CVE-2003-1567)

Treat: "The remote Web server supports the TRACE and/or TRACK HTTP methods, which makes it easier for remote attackers to steal cookies and authentication credentials or bypass the HttpOnly protection mechanism.
 
Track / Trace are required to be disabled to be PCI compliance."

Impact: If this vulnerability is successfully exploited, attackers can potentially steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism.

Solution: Disable these methods in your web server's configuration file.

Fix:  echo TraceEnable off >>/etc/httpd/conf/httpd.conf

Restart apache service

Disable TLSv1.0 and enable TLSv1.2 protocol in apache

Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.

The following openssl commands can be used to do a manual test:
openssl s_client -connect ip:port -tls1

If the test is successful, then the target support TLSv1


[root@test ~]# grep SSLProtocol /etc/httpd/conf.modules.d/ssl.conf
#  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLProtocol TLSv1.2
[root@test ~]#


CVE-2016-2183: Disable and stop using DES and 3DES ciphers in tomcat

Title: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
CVEID: CVE-2016-2183

Threat: "Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. 
All versions of SSL/TLS protocol support cipher suites which use DES or 3DES as the symmetric encryption cipher are affected."

Impact: Remote attackers can obtain cleartext data via a birthday attack against a long-duration encrypted session.

Solution: "Disable and stop using DES and 3DES ciphers.
The following openssl commands can be used to do a manual test:
openssl s_client -connect ip:port -cipher ""DES:3DES"" -ssl2
openssl s_client -connect ip:port -cipher ""DES:3DES"" -ssl3
openssl s_client -connect ip:port -cipher ""DES:3DES"" -tls1
openssl s_client -connect ip:port -cipher ""DES:3DES"" -tls1_1
openssl s_client -connect ip:port -cipher ""DES:3DES"" -tls1_2

If any of these tests is successful, then the target is vulnerable to Sweet32."

Fix: In file /etc/tomcat/server.xml remove SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

Post modifying file should look like below

               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

Disable TLSv1 in java

Check which Java is currently running

[root@test ~]# java -version
java version "1.7.0_141"
OpenJDK Runtime Environment (rhel-2.6.10.1.el7_3-x86_64 u141-b02)
OpenJDK 64-Bit Server VM (build 24.141-b02, mixed mode)


Make changes in respective java.security file

Look for jdk.tls.disabledAlgorithms

[root@test ~]# grep TLSv1 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224

Update like below

[root@test ~]# grep TLSv1 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224, TLSv1

Restart respective java service to take effect.


CVE-2016-2183 : Disable and stop using DES and 3DES ciphers in apache

TITLE: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
CVEID: CVE-2016-2183

We need to add DES and 3DES in /etc/httpd/conf.modules.d/ssl.conf file in order to disable it.

Look for SSLCipherSuite line

[root@test ~]# grep SSLCipherSuite /etc/httpd/conf.modules.d/ssl.conf
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
[root@test ~]#

Modify like below

[root@test ~]# grep SSLCipherSuite /etc/httpd/conf.modules.d/ssl.conf
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!DES:!3DES
[root@test ~]#

Restart the required services for the port which u got vulnerability.

The following openssl commands can be used to do a manual test:
openssl s_client -connect ip:port -cipher "DES:3DES" -ssl2
openssl s_client -connect ip:port -cipher "DES:3DES" -ssl3
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_2


[root@test ~]# openssl s_client -connect 10.10.10.1:443 -cipher "DES:3DES" -tls1_2
CONNECTED(00000003)
140592171460512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140592171460512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1499085145
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
[root@test ~]#