SSL Allows the use of Weak Ciphers.

  • Document ID:7004507
  • Creation Date:23-Sep-2009
  • Modified Date:16-Jul-2019
    • Micro Focus Products:
      eDirectory
      NetWare
      Open Enterprise Server

Environment

Novell Open Enterprise Server (OES)
Novell NetWare 6.5

Situation

SSL Allows the use of Weak Ciphers.
SSL Server Allows Cleartext Communication Vulnerability port 443/tcp over SSL
SSL Server Supports Weak Encryption Vulnerability port 443/tcp over SSL
SSL Server May Be Forced to Use Weak Encryption Vulnerability port 443/tcp over SSL
The Secure Sockets Layer (SSL) protocol allows for secure communication between a client and a server.
The client-server communication is generally encrypted using a symmetric cipher such as RC2, RC4, DES or 3DES.

Some implementations of SSL allow for weak cipher communication.

Technically it is encryption but with a NULL key, so the various checks go through the exact same code path as the standard higher encryption ciphers.
When the SSL session starts, the client (in most cases, a browser) sends the list of ciphers and compression algorithms.
This list, by default, does not send any NULL encryption ciphers.
However some browsers will allow you to configure it to send NULL encryption ciphers by default.

NOTE:

Some ways to verify if a port is allowing weak ciphers.  This is useful if detection software shows a fault positive.

openssl s_client -connect <ipaddress:port> -ssl2 -state
EX:  openssl s_client -connect 192.168.1.100:443 -ssl2 -state

openssl s_client -connect <ipaddress:port> -cipher LOW -state
EX: openssl s_client -connect 192.168.1.100:443 -cipher LOW -state

Resolution

NILE.NLM has been modified so that strong ciphers are preferred over weak ciphers by default during SSL handshakes.

The updated version of NILE.NLM is available for download in NILE65SP5A.EXE.


Additional Information

Each of the vulnerabilities and their associated CVE numbers are listed below:

CVE- 2006- 0997 - SSL Server Allows Cleartext Communication Vulnerability port 443/tcp over SSL
CVE- 2006- 0998 - SSL Server Supports Weak Encryption Vulnerability port 443/tcp over SSL
CVE- 2006- 0999 - SSL Server May Be Forced to Use Weak Encryption Vulnerability port 443/tcp over SSL
In order to revert back to allowing weak ciphers it is necessary to modify the SYS:\ETC\NILE.CFG and enter the following:
[WeakCrypto]
Enabled=Y|N

NOTE: After modifying the settings in the SYS:\ETC\NILE.CFG file it is necessary to restart the server to have the changes take effect.
SSL Digger by Foundstone was used to test this vulnerability.
For more information go to www.foundstone.com
Formerly known as TID# 10100633