SSH SSL Issues Reported From Vulnerability Assessment

Reply
Highlighted
L2 Linker

SSH SSL Issues Reported From Vulnerability Assessment

The results of a vulnerability assessment is reporting the following issues with PAN firewall with version 7.1.6.  Is this due to the settings in the decryption profile?  Any direction would be helpful.  Thank you.

 

CVENAMEDESCRIPTIONSOLUTION
 SSL Medium Strength Cipher Suites SupportedThe remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
 SSH Weak MAC Algorithms EnabledThe remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
CVE-2008-5161SSH Server CBC Mode Ciphers EnabledThe SSH server is configured to support Cipher Block Chaining (CBC) encryption.  This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
 SSH Weak Algorithms SupportedNessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.Contact the vendor or consult product documentation to remove the weak ciphers.
CVE-2016-6329SSL 64-bit Block Size Cipher Suites Supported (SWEET32)The remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites. It is, therefore, affected by a vulnerability, known as SWEET32, due to the use of weak 64-bit block ciphers. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session.

Proof-of-concepts have shown that attackers can recover authentication cookies from an HTTPS session in as little as 30 hours.

Note that the ability to send a large number of requests over the same TLS connection between the client and server is an important requirement for carrying out this attack. If the number of requests allowed for a single connection were limited, this would mitigate the vulnerability. However, Nessus has not checked for such a mitigation.
Reconfigure the affected application, if possible, to avoid use of all 64-bit block ciphers. Alternatively, place limitations on the number of requests that are allowed to be processed over the same TLS connection to mitigate this vulnerability.
Community Team Member

Re: SSH SSL Issues Reported From Vulnerability Assessment

@almay, we recommend that you contact support and open up a case with them so they can address each one of these security concerns.

Stay Secure,
Joe
End of line
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!