0

Nexpose reports the following vulnerability:

TLS/SSL Server Supports The Use of Static Key Ciphers. Negotiated with the following insecure cipher suites:

TLS 1.2 ciphers: TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384

But the Get-TlsCipherSuite command outputs only these ciphers are present in the machine:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

How can I get rid of the vulnerability?

Improve this question
2
  • 1
    Mark it as a false positive? If you are sure that TLS_RSA_WITH_AES_256_GCM_SHA384 isn't the same as TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Commented May 7, 2024 at 10:30
  • 1
    You should consider that the application can present protocols and ciphers that are different than what the operating system is configured for. This is particularly true for older applications before alignment with the os platform cryptography settings. (E g. .NET) Commented May 8, 2024 at 20:29

1 Answer 1

Reset to default
2

The Get-TlsCipherSuite command only lists the cipher suites which are enabled in the Schannel library. If the offending service uses a third-party TLS library like OpenSSL, disabling ciphers in Schannel doesn't help.

So the first step would be to identify the exact service which the finding refers to. Then you need to configure this service to exclude the static-key ciphers. How that works depends on the software -- for example, Apache and nginx (if this is about web servers) have different configuration formats. You can check if the change took effect with tools like the ssl-enum-ciphers script for nmap.

Of course the finding could also be a false positive, but I would double-check this. If find it hard to believe that the Nexpose scanner “hallucinates” cipher suites which the server doesn't support. Based on the message, it sounds like the scanner was actually able to negotiate the suites.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.