Web Server - SSL Issues

Kurt Schumacher
Level 1

Some SSL issues discovered (for example by Nessus 4 here):

1. The certificate (of course not the default) does not contain a FQDN required for checking. The hostname is configurable, but a domain can't be configured on the RV012. Remediation would be a much better certificate handling, plus the ability to configure a domain in addition to a hostname. This must be combined into the CN in the self-signed certificate instead of the first MAC address.

2. Weak ciphers offered by the Web server must be removed.

3. Medium cipher should be removed from the Web server.

Port www (443/tcp)

SSL Certificate with Wrong Hostname

Synopsis:
The SSL certificate for this service is for a different host.

Description:
The commonName (CN) of the SSL certificate presented on this port is for a different machine.

Risk factor:
Medium

CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Solution:
Purchase or generate a proper certificate for this service.

Plugin output:
The following hostnames were checked : 54:75:d0:f7:fc:9c

Plugin ID:
45411

SSL Anonymous Cipher Suites Supported

Synopsis:
The remote service supports the use of anonymous SSL ciphers.

Description:
The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.

Risk factor:
Medium

CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

See also:
http://www.openssl.org/docs/apps/ciphers.html

Solution:
Reconfigure the affected application if possible to avoid use of weak ciphers.

Plugin output:
The remote server supports the following anonymous SSL ciphers :
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES(56) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES(56) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Plugin ID:
31705

SSL Medium Strength Cipher Suites Supported

Synopsis:
The remote service supports the use of medium strength SSL ciphers.

Description:
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Risk factor:
Medium

CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Plugin output:
Here are the medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Plugin ID:

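The two kinds of finding in the scan output above (cipher suites that are anonymous or only medium strength, and a certificate whose CN is a MAC address rather than a hostname) can be triaged offline from the scanner's own text. The following Python is an added example for this thread, not code from Cisco, Nessus or OpenSSL. It parses cipher entries in the `{name} Kx= Au= Enc=(bits) Mac=` layout Nessus prints, tags them the way the findings above do (Au=None is anonymous; 56 to 111 bits of symmetric key is medium), and checks a certificate name against a hostname. Assumptions: the "weak" threshold (below 56 bits) is my reading of the thread, which only defines medium; the `AES128-SHA` entry and the hostname `rv082.example.com` are constructed; the MAC-address CN is taken from the plugin output.

```python
"""Triage helpers for the two finding types in the Nessus output above:
cipher-suite strength/authentication, and certificate name vs. hostname.
Added example for this thread; not Cisco, Nessus or OpenSSL code."""
import re

# Cipher lines in the layout Nessus prints ("openssl ciphers -v" style).
# The ADH-*, EDH-RSA-DES-CBC-SHA and DES-CBC-SHA entries are copied from the
# plugin output above; AES128-SHA is a constructed entry showing a cipher
# that neither finding would flag.
SAMPLE_CIPHER_OUTPUT = """
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES(56) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

# One entry: {name} Kx={key exchange} Au={authentication} Enc={cipher}({bits}) Mac={mac}.
# finditer() ignores line breaks, so the run-together plugin output parses as well.
CIPHER_RE = re.compile(
    r"(?P<name>[A-Z0-9-]+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)

MEDIUM_MIN_BITS = 56   # Nessus: medium strength = >= 56-bit and < 112-bit key
HIGH_MIN_BITS = 112
# Assumption: anything below the medium floor is what the thread calls "weak".


def parse_ciphers(text):
    """Return one dict per cipher entry found in text (duplicates kept, as printed)."""
    entries = []
    for m in CIPHER_RE.finditer(text):
        d = m.groupdict()
        d["bits"] = int(d["bits"])
        entries.append(d)
    return entries


def effective_bits(enc, bits):
    """OpenSSL reports 3DES as 168 bits; its effective key strength is 112 bits."""
    return 112 if enc == "3DES" else bits


def classify(cipher):
    """Tags for one parsed cipher: 'anonymous' (Au=None, so no server identity
    is proven), and 'weak' or 'medium' by effective symmetric key strength."""
    tags = set()
    if cipher["au"] == "None":
        tags.add("anonymous")
    bits = effective_bits(cipher["enc"], cipher["bits"])
    if bits < MEDIUM_MIN_BITS:
        tags.add("weak")
    elif bits < HIGH_MIN_BITS:
        tags.add("medium")
    return tags


def audit(text):
    """Group distinct cipher names by tag; 'not_flagged' collects the rest."""
    report = {"anonymous": set(), "weak": set(), "medium": set(), "not_flagged": set()}
    for c in parse_ciphers(text):
        for t in classify(c) or {"not_flagged"}:
            report[t].add(c["name"])
    return {k: sorted(v) for k, v in report.items()}


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or '*' as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def hostname_matches(hostname, subject_cn, san_dns=()):
    """True if hostname matches a SAN dNSName, or the subject CN when the
    certificate carries no dNSName entries (the self-signed router case)."""
    if san_dns:
        return any(_name_matches(n, hostname) for n in san_dns)
    return _name_matches(subject_cn, hostname)


if __name__ == "__main__":
    for tag, names in audit(SAMPLE_CIPHER_OUTPUT).items():
        print(f"{tag:12s} {', '.join(names) or '-'}")
    # The router's self-signed certificate names its MAC address (from the
    # plugin output above); no hostname can ever match it.
    router_cn = "54:75:d0:f7:fc:9c"
    print(hostname_matches("rv082.example.com", router_cn))            # False
    print(hostname_matches("rv082.example.com", "rv082.example.com"))  # True
```

Running it lists every ADH-* suite under `anonymous` and the three DES(56) suites under `medium`, matching the two plugin outputs above, and shows why a MAC-address CN fails the hostname check regardless of what hostname the router is given: the fix the original post asks for (a configurable FQDN placed in the CN, or better a SAN dNSName) is exactly what makes `hostname_matches` return True.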
3 Replies

Brian Bergin
Level 4

I believe some of these are why the current v2 RV0xx devices fail credit card PCI validations with companies like Security Metrics. My ASAs out there do not fail PCI validations; how can Cisco allow their SMB routers to?

Add the absent support for real certificates from trusted authorities.

Between the lines... done several IT security audits over the years in organisations issuing and clearing major US credit cards here in Europe, all previously reviewed by trusted parties of the licensing organisations. Can't further comment here, except that I can safely say their expectations are not extraordinarily high.

Try it on an RV082 with v2.0.0.19 with SSL enabled (with or without remote management enabled) and see what you get. First Data, one of the largest CC clearing houses in the US, uses Security Metrics and it will fail if SSL is enabled no matter what because of the type of SSL they allow.