Security Metrics PCI Compliance Fix: SSL 64-bit Block Size Cipher Suites Supported (SWEET32)

Security Metrics recently tweaked their scan settings in 2017.  Recently this came up as a problem.

Problem: SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
The remote service supports the use of 64-bit block ciphers.

Background:

  • https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/
  • https://testssl.sh/openssl-rfc.mappping.html

First off, run the following command on your server
nmap --script ssl-enum-ciphers -p 443 SERVER_IP

It will return a list of ciphers, look to see if you have this in the list

|       TLS_RSA_WITH_3DES_EDE_CBC_SHA – strong

If you are running Apache, open your vhost file where you have your SSLCipherSuite defined.  Remove the line

DES-CBC3-SHA

And restart your apahce server
Run the command
nmap --script ssl-enum-ciphers -p 443 SERVER_IP

And ensure you don’t see this line
TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

Rerun your security metrics scan and you should be okay.

Security Metrics PCI Compliance Changes and Fixes

Back in 2015, I did a Security Metrics scan on my site for PCI compliance, and noticed I had 3 new failures when they rescanned my site in early 2016.  What I suspect is that these tests were added:

Problem 1: TLS Version 1.0 Protocol Detection (PCI DSS)

Capture

Explanation:
Security Metrics is basically saying that having TLS Version 1.0 is a security vulnerability.

The remote service encrypts traffic using a protocol with known weaknesses.  The remote service accepts connections encrypted using TLS 1.0.

Fix:
If you are running apache, you might have a configuration parameter like this.
SSLProtocol all -SSLv2 -SSLv3

If you take a look at the docs here
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol

It says that ‘all’ is a shortcut for “+SSLv2 +SSLv3 +TLSv1” or – when using OpenSSL 1.0.1 and later – “+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2”, respectively.

Change your apache config to
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Restart your server and run
sudo service apache2 reload
https://www.ssllabs.com/ssltest/

Verify TLS 1.0 says ‘no’ and you are good to go
Capture

Problem 2: SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)Rest

Capture

Overview:
Security Metrics is saying here that your server connection is accepting SSH connections with a diffie-hellman group 1 of 1024 bits.

The remote host allows SSH connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. The remote SSH server allows connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits

Fix:
First run this command on your server to verify the problem

nmap –Pn [domain/ip] –p [port] –script ssh2-enum-algos

 ssh2-enum-algos:
|   kex_algorithms (8)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1

Note here that the server is returning

  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group1-sha1

You can read these two links for more info
https://stribika.github.io/2015/01/04/secure-secure-shell.html

To fix it go into
/etc/ssh/sshd_config

Add

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

and run sudo restart ssh

Outside the box rerun the command and note that the kex algorithms are returning a smaller set.

 

nmap –Pn [domain/ip] –p [port] --script ssh2-enum-algos
| kex_algorithms (2)
| curve25519-sha256@libssh.org
| diffie-hellman-group-exchange-sha256

Problem 3: Web Application Potentially Vulnerable to Clickjacking

Synopsis:
The remote web server may fail to mitigate a class of web application vulnerabilities.

Impact:
The remote web server does not set an X-Frame-Options response header in all content responses

Fix:
The fix for this is pretty easy as specified by https://geekflare.com/secure-apache-from-clickjacking-with-x-frame-options/

In apache put in apache2.conf

Header append X-FRAME-OPTIONS "SAMEORIGIN"

restart your server, and verify by going to
http://web-sniffer.net/

Ensure X-Frame-Options gets returned
Capture

Rescan your site and you should be good to go for security metrics pci compliance!