Monday 3 July 2017

CVE-2016-2183: Disable and stop using DES and 3DES ciphers in Tomcat

Title: Birthday attacks against TLS ciphers with 64-bit block size vulnerability (Sweet32)
CVEID: CVE-2016-2183

Threat: "Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. 
All versions of SSL/TLS protocol support cipher suites which use DES or 3DES as the symmetric encryption cipher are affected."

Impact: Remote attackers can obtain cleartext data via a birthday attack against a long-duration encrypted session.

Solution: "Disable and stop using DES and 3DES ciphers.
The following openssl commands can be used to do a manual test:
openssl s_client -connect ip:port -cipher "DES:3DES" -ssl2
openssl s_client -connect ip:port -cipher "DES:3DES" -ssl3
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_2

If any of these tests is successful, then the target is vulnerable to Sweet32."

Fix: In the file /etc/tomcat/server.xml, remove SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA from the ciphers list.

After the change, the ciphers attribute should look like this:

               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
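
To confirm the edit on disk before restarting Tomcat, the following added example (not part of the original post) parses server.xml and reports any Connector whose ciphers attribute still names a DES or 3DES suite. The function names, the regular expression and the sample XML are assumptions constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# JSSE-style suite names that use DES or 3DES (64-bit block ciphers).
WEAK = re.compile(r"_(3DES_EDE|DES40|DES)_CBC_")

# Constructed sample, not a real server.xml: one HTTPS connector that still
# lists the two 3DES suites this page removes.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                      SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                      TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>
</Service></Server>"""

def split_ciphers(value):
    """Split a comma-separated ciphers attribute, tolerating line breaks and padding."""
    return [c.strip() for c in value.split(",") if c.strip()]

def audit_server_xml(xml_text):
    """Return {connector port: [DES/3DES suites]} for connectors that still list any.

    Connectors without a ciphers attribute are skipped: their suites come from
    defaults that are not visible in the file, so test those with openssl.
    """
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        ciphers = conn.get("ciphers")
        if ciphers is None:
            continue
        weak = [c for c in split_ciphers(ciphers) if WEAK.search(c)]
        if weak:
            findings[conn.get("port", "?")] = weak
    return findings

def remove_weak(value):
    """Return the ciphers value with every DES/3DES suite dropped."""
    return ",".join(c for c in split_ciphers(value) if not WEAK.search(c))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    report = audit_server_xml(text)
    for port, suites in report.items():
        print(f"port {port}: remove {', '.join(suites)}")
    sys.exit(1 if report else 0)
```

Run it with the path to server.xml as the only argument; a non-zero exit status means at least one DES or 3DES suite is still configured.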
