Insecure Transportation Security Protocol Supported (SSLv2)
Severity: High
Summary #
Netsparker detected that insecure transportation security protocol (SSLv2) is supported by your web server.
SSLv2 has several flaws. For example, your secure traffic can be observed when you have established it over SSLv2.
Impact #
Attackers can perform man-in-the-middle attacks and observe the encryption traffic between your website and its visitors. Also an attacker can exploit vulnerabilities like DROWN.
Actions To Take #
We recommended to disable SSLv2 and replace it with TLS 1.2 or higher. See Remedy section for more details.
Remediation #
Configure your web server to disallow using weak ciphers.
- For Apache, you should modify the SSLProtocol directive in the
httpd.conf.SSLProtocol +TLSv1.2
- For Nginx, locate any use of the directive ssl_protocols in the
nginx.conffile and removeSSLv3.ssl_protocols TLSv1.2;
- For Microsoft IIS, you should make some changes on the system registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL2\
- Locate a key named "Server." If it doesn't exist, create it.
- Under the "Server" key, locate a DWORD value named "Enabled." If it doesn't exist, create it and set it to "0".
- For lighttpd, put the following lines in your configuration file:
ssl.use-sslv2 = "disable" ssl.use-sslv3 = "disable"
ssl.openssl.ssl-conf-cmd = ("Protocol" => "-TLSv1.1, -TLSv1, -SSLv3") # v1.4.48 or up ssl.ec-curve = "secp384r1"
Classifications #
PCI v3.2-, CAPEC-217, CWE-326, HIPAA-326, ISO27001-A.14.1.3, WASC-4, OWASP 2013-A6, OWASP 2017-A3
, CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
Netsparker Security Insights #
- The Heartbleed Bug: How a Forgotten Bounds Check Broke the Internet
- Exposing the Public IPs of Tor Services Through SSL Certificates
- Final Nail in the Coffin of HTTP: Chrome 68 and SSL/TLS Implementation
- Netsparker's Weekly Security Roundup 2018 – Week 02
- Netsparker Enterprise Updated with New Security Checks and Several Other Service Improvements
Helpful Use Cases #
Vulnerability Index
You can search and find all vulnerabilities
Select Category
OR
Search Vulnerability
