HTTPS SSL Certificate Signed using Weak Hashing Algorithm

ramkumar-n
Beginner

I am supporting a client for whom security scans are mandatory for a new implementation of an ASA 5520 device. The client uses Nessus Scan and the test results are attached.

The Nessus scanner hit on 1 Medium vulnerability. Could you please review the statement and provide a workaround for the same?

Nessus Scanner reports

-----------------------------------

Medium Severity Vulnerability

Port : https (443/tcp)

Issue:

SSL Certificate Signed using Weak Hashing  Algorithm

Synopsis :

The SSL certificate has been signed using  a weak hash algorithm.

Description :

The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow him to masquerade as the affected service.

See also :

http://tools.ietf.org/html/rfc3279

http://www.phreedom.org/research/rogue-ca/

http://www.microsoft.com/technet/security/advisory/961509.mspx

http://www.kb.cert.org/vuls/id/836068

Solution :

Contact the Certificate Authority to have the certificate  reissued.

Plugin Output :

Here is the service's SSL certificate  :

Subject Name:

Common Name: xxxxxxxxxx

Issuer Name:

Common Name: xxxxxxxxxx

Serial Number: D8 2E 56 4E

Version: 3

Signature Algorithm: MD5 With RSA  Encryption

Not Valid Before: Aug 25 11:15:36 2011 GMT

Not Valid After:  Aug 22 11:15:36 2021 GMT

Public Key Info:

Algorithm: RSA  Encryption

Exponent: 01 00 01

CVE :

CVE-2004-2761

BID :

BID 11849

BID  33065

Other References :

OSVDB:45106

OSVDB:45108

OSVDB:45127

CWE:310

Nessus Plugin ID  :

35291

VulnDB ID:

69469

I also tried configuring the SSL encryption method with "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5", but it throws the same issue.

Here is the ASA log:

7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).

7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5

7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).

7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5

7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5

7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5

7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5

7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5

7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxx/2586

6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2586

6|Oct 19 2011 01:59:34|725007: SSL session with client production:xxxxxxxx/2586 terminated.

6|Oct 19 2011 01:59:34|302014: Teardown TCP connection 3201 for production:xxxxxxx/2586 to identity:xxxxxx/443 duration 0:00:00 bytes 758 TCP Reset-I

6|Oct 19 2011 01:59:34|302013: Built inbound TCP connection 3202 for production:xxxxxxxxxxx/2587 (xxxxxxxxx/2587) to identity:xxxxxx/443 (xxxxxxx/443)

6|Oct 19 2011 01:59:34|725001: Starting SSL handshake with client production:xxxxxxxxxxx/2587 for TLSv1 session.

7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).

7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5

7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).

7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5

7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5

7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5

7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA

7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5

7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5

7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxxxx/2587

6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2587
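
The scan report above names the certificate's signature algorithm, while the ASA log lists the ciphers offered and chosen for the session. The following is an added example, not part of the original post and not Cisco or Tenable code, that parses both to show which of the two carries the weak hash. The sample inputs are constructed by abbreviating the plugin output and log lines quoted in the post, and the function names are illustrative.

```python
import re

WEAK_HASHES = ("MD2", "MD4", "MD5")  # hashes named in the plugin description
HEADERS = {"725010": "device", "725008": "client"}  # messages that open a cipher list
# Constructed samples: abbreviated from the plugin output and ASA log in the post.
PLUGIN_OUTPUT = """Version: 3
Signature Algorithm: MD5 With RSA Encryption
Not Valid After: Aug 22 11:15:36 2021 GMT
"""
ASA_LOG = """7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxxx/2587
"""

def cert_signature_hash(plugin_output):
    """Return the hash named in the certificate's 'Signature Algorithm' field."""
    m = re.search(r"^Signature Algorithm:\s*(\S+)\s+With\b", plugin_output, re.I | re.M)
    return m.group(1).upper() if m else None

def parse_asa_ssl(log):
    """Assign each 725011 cipher line to the list header (device or client) above it."""
    out = {"device": [], "client": [], "chosen": None}
    owner = None
    for line in log.splitlines():
        m = re.match(r"\d\|[^|]*\|(\d{6}): (.*)", line)
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id in HEADERS:
            owner = HEADERS[msg_id]
        elif msg_id == "725011" and owner:
            out[owner].append(text.split(" : ", 1)[1].strip())
        elif msg_id == "725012":  # "Device chooses cipher : <name> for ..."
            out["chosen"] = text.split(" : ", 1)[1].split()[0]
    return out

def triage(plugin_output, log):
    """Report the certificate signature hash separately from the session ciphers."""
    sig, ssl = cert_signature_hash(plugin_output), parse_asa_ssl(log)
    return {"cert_signature_hash": sig, "cert_flagged": sig in WEAK_HASHES,
            "chosen_cipher": ssl["chosen"],
            "device_md5_mac_ciphers": [c for c in ssl["device"] if c.endswith("-MD5")]}

if __name__ == "__main__":
    print(triage(PLUGIN_OUTPUT, ASA_LOG))
```

On this input the handshake settles on DES-CBC3-SHA while the certificate field still reads MD5; that field is what the plugin's Solution line addresses by having the certificate reissued.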

H