SUMMARY OF REPORT

On June 3rd, 2021, two security vulnerabilities were identified by a customer:

ID       Identified Vulnerability
VUL-01   Support for SSL 64-bit block encryption (SWEET32)
VUL-02   TLS Version 1.0 Protocol Discovery


FINDINGS

The resources below fall within the scope of impact and are affected by the identified vulnerabilities.

  • Production nodes in the US region were affected by the identified vulnerabilities.
  • The recommended actions had no operational impact on any server.
  • Disabling support for the weaker algorithms and protocols eliminates both the SSL 64-bit block encryption (SWEET32) and the TLS 1.0 protocol discovery findings.


USED TOOLS

The current versions of the following tools, and the components associated with them, were used for this project:

Tool   Description
NMAP   Free, open-source tool for network discovery and vulnerability scanning.


LINE OF ACTION AND ASSOCIATED TIMELINES

The following table outlines the actions performed and their schedule for remediating the identified vulnerabilities.

ID       Identified Vulnerability                            Identification Date   Incident Resolution
                                                                                   Start Date      End Date
VUL-01   Support for SSL 64-bit block encryption (SWEET32)   June 03 2021          June 05 2021    June 20 2021
VUL-02   TLS Version 1.0 Protocol Discovery                  June 03 2021          June 05 2021    June 20 2021



REMEDIATION PROCEDURE

The following details the actions performed to remediate each vulnerability.

Vulnerability Identification: VUL-01 - Support for SSL 64-bit block encryption (SWEET32)
Description of Vulnerability: The service supports the use of 64-bit block ciphers.
Remediation Action: Reconfigured the affected nodes to disable support for outdated 64-bit block ciphers.

Reference: https://docs.microsoft.com/en-us/answers/questions/348323/how-to-disable-3des-and-rc4-on-windows-server-2019.html


Vulnerability Identification: VUL-02 - TLS Version 1.0 Protocol Discovery
Description of Vulnerability: The remote service has an older version of TLS enabled.
Remediation Action: Enabled TLS 1.2 and disabled support for the TLS 1.0 protocol.

Reference: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
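The two remediation actions above (VUL-01 and VUL-02) are both SCHANNEL configuration changes on Windows Server. The following script is an added example of how a defender would apply and record them; it is not the customer's or the report author's script. It assumes the affected nodes are Windows Servers whose SCHANNEL settings live under the registry paths documented on the Microsoft TLS registry settings page referenced above ("Triple DES 168" for the 3DES cipher, and "Protocols\TLS 1.0" / "Protocols\TLS 1.2" with the "Enabled" and "DisabledByDefault" values). It must run in an elevated session, and SCHANNEL changes take effect only after a reboot.

```powershell
# Added example (not from the report): harden SCHANNEL on a Windows Server node.
# VUL-01: disable the 64-bit block cipher (3DES) that SWEET32 relies on.
# VUL-02: disable TLS 1.0 and explicitly enable TLS 1.2.
# Assumed registry layout follows the Microsoft TLS registry settings documentation.
# Requires an elevated PowerShell session; reboot afterwards for SCHANNEL to reload.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelValue {
    # Create the key if it is missing, then write a DWORD value (idempotent).
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# VUL-01: Triple DES has a 64-bit block size; Enabled=0 removes every suite that uses it.
Set-SchannelValue -Path "$schannel\Ciphers\Triple DES 168" -Name 'Enabled' -Value 0

# VUL-02: turn off TLS 1.0 for both roles and make sure TLS 1.2 remains available,
# so that clients are not left without a protocol they can negotiate.
foreach ($role in 'Server', 'Client') {
    Set-SchannelValue -Path "$schannel\Protocols\TLS 1.0\$role" -Name 'Enabled'           -Value 0
    Set-SchannelValue -Path "$schannel\Protocols\TLS 1.0\$role" -Name 'DisabledByDefault' -Value 1
    Set-SchannelValue -Path "$schannel\Protocols\TLS 1.2\$role" -Name 'Enabled'           -Value 1
    Set-SchannelValue -Path "$schannel\Protocols\TLS 1.2\$role" -Name 'DisabledByDefault' -Value 0
}

function Get-SchannelState {
    # Read the values back so the result can be attached to the remediation evidence.
    [pscustomobject]@{
        TripleDesEnabled             = (Get-ItemProperty "$schannel\Ciphers\Triple DES 168").Enabled
        Tls10ServerEnabled           = (Get-ItemProperty "$schannel\Protocols\TLS 1.0\Server").Enabled
        Tls10ServerDisabledByDefault = (Get-ItemProperty "$schannel\Protocols\TLS 1.0\Server").DisabledByDefault
        Tls12ServerEnabled           = (Get-ItemProperty "$schannel\Protocols\TLS 1.2\Server").Enabled
        Tls12ServerDisabledByDefault = (Get-ItemProperty "$schannel\Protocols\TLS 1.2\Server").DisabledByDefault
    }
}

Get-SchannelState
```

After the reboot, the change should be confirmed from the network side with the same tool the assessment used, for example nmap's `ssl-enum-ciphers` script against the service port: the output should no longer list TLSv1.0 or any `3DES` cipher suite. Disabling the cipher rather than individual suites is deliberate, because SWEET32 depends on the block size, so every suite built on a 64-bit block cipher has to go.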



DETAIL OF VULNERABILITIES

This section provides full details of the vulnerabilities identified during the assessment.


Vulnerability ID: VUL-01

Support for SSL 64-bit block encryption (SWEET32).

Description of Vulnerability

The service supports the use of 64-bit block ciphers.

Organizational Risk

The remote host supports a block cipher with 64-bit blocks in one or more cipher suites and is therefore affected by the vulnerability known as SWEET32, which results from the use of weak 64-bit block ciphers. An intermediary attacker with sufficient resources can exploit this weakness through a 'birthday attack'.


Vulnerability ID: VUL-02

TLS Version 1.0 Protocol Discovery.

Description of Vulnerability

The remote service has an older version of TLS enabled.

Organizational Risk

The remote service accepts encrypted connections using TLS 1.0. TLS 1.0 has several cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS such as 1.2 and 1.3 are designed to avoid these flaws and should be used whenever possible.