PCI compliance scanning reports DES ciphers enabled even after using pci_compliance_resolver utility

Created:

2017-07-25 09:57:04 UTC

Modified:

2017-08-16 15:46:15 UTC


Applicable to:

  • Plesk Onyx for Linux

Symptoms

A PCI compliance scanner reports that DES ciphers are enabled even after the pci_compliance_resolver utility was run to enable PCI compliance mode.

Trustwave scanning reports the following:

Description
This is a cipher vulnerability, not limited to any specific SSL/TLS software
implementation. DES and Triple DES (3DES) block ciphers, with a block size
of 64 bits, have a birthday bound of approximately 4 billion blocks (or 2 to
the power of 32, hence the name of this vulnerability). A man-in-the-middle
(MitM) attacker, who is able to capture a large amount of encrypted network
traffic, can recover sensitive plain text data.

NOTE: Cipher block size must not be confused with key length. DES / 3DES
ciphers are vulnerable because they always operate on 64 bit blocks
regardless of the key length. If this vulnerability is detected, and in the
list of detected ciphers you see only entries with numbers different than 64
(e.g. TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA), the detection is still valid,
because '112 bits' is the key length.

Remediation
This issue can be avoided by disabling block ciphers of 64 bit block length
(like DES/3DES) in all the SSL/TLS servers. Exact procedure depends on the
actual implementation. Please refer to the documentation of your SSL/TLS
server software and actual service software (http server, mail server, etc).
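The block-size-versus-key-length distinction the scanner note makes can be checked locally. The following Python script is an added example, not part of this article or of Plesk's pci_compliance_resolver: it parses `openssl ciphers -v` output, classifies each suite by the block size of its Enc= algorithm rather than by the printed key length, and builds the `!ALG` fragment that would exclude the 64-bit ones from a cipher string. The sample output and the function names are constructed for the example.

```python
import re

# Block size (bits) of the algorithms OpenSSL names in the Enc= column of
# `openssl ciphers -v`; None marks a stream cipher.  CVE-2016-2183 (Sweet32)
# is about the 64-bit entries, whatever key length is printed next to them.
BLOCK_BITS = {"DES": 64, "3DES": 64, "IDEA": 64, "RC2": 64, "AES": 128,
              "AESGCM": 128, "CAMELLIA": 128, "SEED": 128, "RC4": None}

_ROW = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=\S+\s+"
                  r"Enc=(?P<alg>[A-Z0-9/]+)\((?P<bits>\d+)\)\s+Mac=\S+")

def parse_cipher_line(line):
    """One `openssl ciphers -v` row -> dict, or None for lines that do not match."""
    m = _ROW.match(line.strip())
    if not m:
        return None
    alg = m.group("alg")
    return {"name": m.group("name"), "protocol": m.group("proto"), "enc": alg,
            "key_bits": int(m.group("bits")),   # what OpenSSL prints (3DES: 168)
            "block_bits": BLOCK_BITS.get(alg)}  # what the scanner actually tests

def sweet32_ciphers(output):
    """Rows whose cipher works on 64-bit blocks (flagged even if listed as '112 bits')."""
    rows = (parse_cipher_line(l) for l in output.splitlines())
    return [r for r in rows if r and r["block_bits"] == 64]

def exclusion_string(rows):
    """`!ALG:!ALG` fragment to append to a cipher string to disable them."""
    algs = []
    for r in rows:
        if r["enc"] not in algs:
            algs.append(r["enc"])
    return ":".join("!" + a for a in algs)

# Constructed sample of `openssl ciphers -v` output, not captured from a real host.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

if __name__ == "__main__":
    flagged = sweet32_ciphers(SAMPLE_OUTPUT)
    for c in flagged:
        print(f'{c["name"]:28} key={c["key_bits"]:3} block={c["block_bits"]}')
    print("append to cipher string:", exclusion_string(flagged))  # !3DES:!DES
```

Feed it real output (for example `openssl ciphers -v 'HIGH:MEDIUM:!aNULL' | python3 check.py`, after adapting the script to read stdin) to see which suites a Sweet32 scan will report regardless of the key length shown.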

On CentOS, the rpm utility shows that the DES issue was fixed in the installed package:

# rpm -q --changelog openssl | grep CVE-2016-2183
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to 

Cause

The corresponding vulnerability CVE-2016-2183 was fixed in the year 2016 in the following packages:

  • CentOS/RedHat: openssl-1.0.1e-48
  • Debian: openssl-1.0.1t-1+deb8u4
  • Ubuntu 14.04: openssl-1.0.1f-1ubuntu2.20
  • Ubuntu 16.04: openssl-1.0.2g-1ubuntu4.4

Resolution

Contact Trustwave support regarding the probable false positive.
