1. Vulnerability Report
2. Vulnerability Description
The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws, including:
- Insecure padding schemes with CBC ciphers.
- Insecure session renegotiation and resumption schemes.
An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and its clients.
Although SSL/TLS has a secure means of choosing the highest supported protocol version (so that these versions are used only when neither client nor server supports anything better), many web browsers implement this in an unsafe way that allows an attacker to downgrade a connection (as in POODLE). It is therefore recommended that these protocols be disabled entirely.
3. Impact
3.1 SSLv3 vulnerability
POODLE, disclosed by Google on 14 October 2014, stands for Padding Oracle On Downgraded Legacy Encryption and is also known as the "poodle attack" (CVE-2014-3566). SSLv3's CBC mode authenticates only the plaintext and does not verify the integrity of the padding bytes. An attacker who intercepts traffic encrypted with SSL 3.0 can therefore modify the padding bytes and use the known padding structure to recover the encrypted content.
3.2 SSLv2 vulnerability
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption, CVE-2016-0800), a new attack against TLS disclosed in March 2016, uses an obsolete and weakened RSA encryption mode to decrypt the session keys that protect TLS sessions. Specifically, DROWN exploits the obsolete SSLv2 protocol to decrypt traffic protected by TLS on any server that shares the same RSA private key. The attack relies on design flaws in SSLv2 together with the well-known Bleichenbacher attack.
3.3 Common SSL/TLS vulnerabilities and attack methods
4. Detection
4.1 Detection with Nmap
C:\Users\KonLaLe>nmap --script="ssl-enum-ciphers" -sS -Pn -p 443 192.168.56.129
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-03 07:15 中国标准时间
Nmap scan report for 192.168.56.129
Host is up (0.00013s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - E
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 1024) - D
|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - E
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - E
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - E
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher DES vulnerable to SWEET32 attack
|       64-bit block cipher DES40 vulnerable to SWEET32 attack
|       64-bit block cipher RC2 vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - E
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 1024) - D
|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - E
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - E
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - E
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher DES vulnerable to SWEET32 attack
|       64-bit block cipher DES40 vulnerable to SWEET32 attack
|       64-bit block cipher RC2 vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: E
MAC Address: 00:0C:29:3E:BA:70 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.86 seconds
4.2 Detection with sslscan
root@kali:~# sslscan 192.168.56.129
Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)
Connected to 192.168.56.129
Testing SSL server 192.168.56.129 on port 443 using SNI name 192.168.56.129
TLS Fallback SCSV:
Server only supports TLSv1.0
TLS renegotiation:
Secure session renegotiation supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 128 bits RC4-SHA
Accepted TLSv1.0 128 bits RC4-MD5
Accepted TLSv1.0 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.0 56 bits EDH-RSA-DES-CBC-SHA DHE 1024 bits
Accepted TLSv1.0 56 bits DES-CBC-SHA
Accepted TLSv1.0 40 bits EXP-EDH-RSA-DES-CBC-SHA DHE 512 bits
Accepted TLSv1.0 40 bits EXP-DES-CBC-SHA RSA 512 bits
Accepted TLSv1.0 40 bits EXP-RC2-CBC-MD5 RSA 512 bits
Accepted TLSv1.0 40 bits EXP-RC4-MD5 RSA 512 bits
Preferred SSLv3 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted SSLv3 112 bits DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA DHE 1024 bits
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA DHE 512 bits
Accepted SSLv3 40 bits EXP-DES-CBC-SHA RSA 512 bits
Accepted SSLv3 40 bits EXP-RC2-CBC-MD5 RSA 512 bits
Accepted SSLv3 40 bits EXP-RC4-MD5 RSA 512 bits
Preferred SSLv2 128 bits RC2-CBC-MD5
Accepted SSLv2 128 bits RC4-MD5
Accepted SSLv2 112 bits DES-CBC3-MD5
Accepted SSLv2 56 bits DES-CBC-MD5
Accepted SSLv2 40 bits EXP-RC2-CBC-MD5
Accepted SSLv2 40 bits EXP-RC4-MD5
SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 1024
Subject: bee-box.bwapp.local
Issuer: bee-box.bwapp.local
Not valid before: Apr 14 18:11:32 2013 GMT
Not valid after: Apr 13 18:11:32 2018 GMT
4.3 Detection with testssl
root@kali:~/testssl.sh# ./testssl.sh 192.168.56.129
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~179 ciphers]
on kali:./bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
Start 2019-10-03 07:19:58 -->> 192.168.56.129:443 (192.168.56.129) <<--
rDNS (192.168.56.129): --
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 offered (NOT ok), also VULNERABLE to DROWN attack -- 6 ciphers
SSLv3 offered (NOT ok)
TLS 1 offered (deprecated)
TLS 1.1 not offered
TLS 1.2 not offered and downgraded to a weaker protocol
TLS 1.3 not offered and downgraded to a weaker protocol
NPN/SPDY not offered
ALPN/HTTP2 not offered
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) VULNERABLE (NOT ok)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), session IDs were returned but potential memory fragments do not differ
ROBOT not vulnerable (OK)
Secure Renegotiation (RFC 5746) supported (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention NOT supported and vulnerable to POODLE SSL
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers for SSLv2 and above
FREAK (CVE-2015-0204) VULNERABLE (NOT ok), uses EXPORT RSA ciphers
DROWN (CVE-2016-0800, CVE-2016-0703) VULNERABLE (NOT ok), SSLv2 offered with 6 ciphers
LOGJAM (CVE-2015-4000), experimental VULNERABLE (NOT ok): uses DH EXPORT ciphers
  VULNERABLE (NOT ok): common prime: mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus (1024 bits)
BEAST (CVE-2011-3389) SSL3: DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5
  TLS1: DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5
  VULNERABLE -- and no higher protocols as mitigation supported
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): RC4-SHA RC4-MD5 RC4-MD5 EXP-RC4-MD5 EXP-RC4-MD5
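All three tools above reach the same verdict on SSLv3 with the same wire-level probe: send a ClientHello whose version bytes are 0x03 0x00 and look at whether the server answers with an SSLv3 ServerHello or an alert. The following is an added example (not code from nmap, sslscan or testssl.sh) that builds such a probe and classifies the reply; the cipher-suite IDs it offers and the canned reply bytes in the test are assumptions constructed for illustration.

```python
import socket
import struct

# SSLv3 on the wire: record-layer and handshake version bytes 0x03 0x00.
SSLV3 = b"\x03\x00"
# Cipher suites offered in the probe. The IDs correspond to suites the scans above show as
# accepted (assumption: offering this handful is enough to draw a ServerHello or an alert).
OFFERED_SUITES = struct.pack("!8H", 0x0039, 0x0035, 0x0033, 0x002F, 0x000A, 0x0009, 0x0005, 0x0004)


def build_sslv3_client_hello() -> bytes:
    """Return one record carrying an SSLv3 ClientHello (the shape testssl.sh sends 'via sockets')."""
    body = (
        SSLV3                                      # client_version = SSLv3
        + b"\x11" * 32                             # random: a constant is fine for a probe, never for a session
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(OFFERED_SUITES)) + OFFERED_SUITES
        + b"\x01\x00"                              # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 24-bit length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the server's first record: SSLv3 accepted, another version chosen, refused, or unknown."""
    if len(data) < 5:
        return "unexpected"
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake record, ServerHello
        version = data[9:11]                                            # server_version after the 4-byte handshake header
        return "sslv3-accepted" if version == SSLV3 else f"negotiated-{version.hex()}"
    if content_type == 0x15:                                            # Alert (handshake_failure, protocol_version, ...)
        return "refused"
    return "unexpected"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe over the network and classify the reply (the checks below use canned bytes instead)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return classify_response(sock.recv(4096))
```

A server that answers "sslv3-accepted" is in the state the scans above report; after the SSLProtocol fix in section 5 the same probe should yield "refused".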
5. Remediation
Disable the SSLv2 and SSLv3 protocols.
5.1 Disabling SSLv2 and SSLv3 in Apache
1. Edit the configuration file /etc/apache2/mods-available/ssl.conf and change the SSLProtocol line to:
SSLProtocol all -SSLv2 -SSLv3
2. Restart the Apache service (/etc/init.d/apache2 restart) and re-test.
C:\Users\KonLaLe>nmap --script="ssl-enum-ciphers" -sS -Pn -p 443 192.168.56.129
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-03 08:02 中国标准时间
Nmap scan report for 192.168.56.129
Host is up (0.0018s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - E
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 1024) - D
|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - E
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - E
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - E
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher DES vulnerable to SWEET32 attack
|       64-bit block cipher DES40 vulnerable to SWEET32 attack
|       64-bit block cipher RC2 vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: E
MAC Address: 00:0C:29:3E:BA:70 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds
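The re-scan above no longer lists an SSLv3 block, but the TLSv1.0 block still carries the export, DES, RC4 and SWEET32 warnings, so a re-test should end with a comparison rather than a glance. This added example (not code from nmap or the page's other tools) parses two ssl-enum-ciphers outputs, constructed here as abbreviated excerpts in the same shape, and reports which protocols disappeared and which weak ciphers and warnings remain.

```python
import re

# Constructed excerpts in the shape of the nmap ssl-enum-ciphers output shown above (abbreviated).
BEFORE_FIX = """\
|   SSLv3:
|     ciphers:
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - E
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - E
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|_  least strength: E"""
AFTER_FIX = BEFORE_FIX[BEFORE_FIX.index("|   TLSv1.0:"):]   # same host with the SSLv3 block gone
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^(TLS_\w+)(?: \([^)]*\))? - ([A-F])$")   # "NAME (kx bits) - GRADE"

def parse_enum_ciphers(text: str) -> dict:
    """Return {protocol: {"ciphers": {name: grade}, "warnings": [...]}} for one scan."""
    result, proto, section = {}, None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()            # drop nmap's "| " / "|_ " gutter and indentation
        if PROTO_RE.match(line):
            proto, section = line[:-1], None
            result[proto] = {"ciphers": {}, "warnings": []}
        elif line.startswith("least strength:"):
            proto = None                              # end of the script block
        elif line in ("ciphers:", "compressors:", "warnings:"):
            section = line[:-1]
        elif proto and section == "ciphers" and (m := CIPHER_RE.match(line)):
            result[proto]["ciphers"][m.group(1)] = m.group(2)
        elif proto and section == "warnings" and line:
            result[proto]["warnings"].append(line)
    return result

def compare_scans(before: str, after: str) -> dict:
    """Summarise what the re-test changed: protocols gone, legacy protocols left, weak ciphers left."""
    old, new = parse_enum_ciphers(before), parse_enum_ciphers(after)
    return {
        "removed_protocols": sorted(set(old) - set(new)),
        "legacy_still_offered": sorted(p for p in new if p in ("SSLv2", "SSLv3")),
        # nmap grades D and below (DES, RC4, export suites) still need a cipher-suite clean-up
        "weak_ciphers_remaining": {p: sorted(n for n, g in new[p]["ciphers"].items() if g >= "D")
                                   for p in new},
        "warnings_remaining": {p: new[p]["warnings"] for p in new},
    }
```

Run on the full outputs above, it confirms SSLv3 is gone while every D/E-graded TLSv1.0 suite and its warning survives, which is the remaining work for the cipher-suite configuration.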