Qualys has started flagging RSA and DHE key exchange with 1024-bit keys as weak (QID 38863). Many applications ship their own SSL/TLS libraries, and that is where the issue lies. Windows has its own SSL/TLS library, Schannel, but a Java application installed on Windows uses the library bundled with the Java runtime, so making changes at the OS level is not enough.
Whenever you find QID 38863 detected on a Windows platform, take the following actions:
- Identify the port on which the QID is flagged (2216 is used as the example port below)
- Run the command -> netstat -ano | findstr "2216"
- Note the process ID (last column) of the process using that port
- Open Task Manager and look up the process name for that PID, or run the command -> tasklist /fi "pid eq 2216"
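The port-to-process lookup above, scripted in PowerShell as an added example (this is not code from the original post). It uses the Get-NetTCPConnection and Get-Process cmdlets instead of netstat and tasklist, and adds two heuristics that are assumptions of this example rather than anything the post states: a process named java or javaw is treated as carrying its own TLS stack, and a process with schannel.dll loaded is treated as relying on the Windows stack. Port 2216 is the post's example port.

```powershell
# Added example, not part of the original post.
# Map a Qualys-flagged listening port to its owning process and suggest whether
# remediation belongs at the application level (Java) or the OS level (Schannel).
function Get-FlaggedPortOwner {
    param(
        [Parameter(Mandatory)][int]$Port
    )

    # Equivalent of: netstat -ano | findstr "<port>", restricted to listeners.
    $conns = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $conns) {
        Write-Warning "Nothing is listening on port $Port on this host."
        return
    }

    foreach ($c in ($conns | Sort-Object OwningProcess -Unique)) {
        # Equivalent of: tasklist /fi "pid eq <pid>"
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        # Assumption: a java/javaw process uses the JVM's own TLS implementation (JSSE),
        # so Schannel registry changes will not affect it.
        $isJava = $proc.ProcessName -match '^(java|javaw)$'

        # Assumption: schannel.dll loaded into the process means it uses the Windows TLS stack.
        # Reading another process's module list generally requires an elevated shell.
        $schannelLoaded = 'unknown (run elevated to inspect modules)'
        try {
            $schannelLoaded = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq 'schannel.dll' })
        } catch {
            # Access denied or architecture mismatch; leave the 'unknown' marker in place.
        }

        if ($isJava) {
            $remediation = 'Application level: JSSE settings (java.security / application config)'
        } elseif ($schannelLoaded -eq $true) {
            $remediation = 'OS level: Schannel registry settings'
        } else {
            $remediation = 'Inspect which TLS library the application links'
        }

        [pscustomobject]@{
            Port           = $Port
            LocalAddress   = $c.LocalAddress
            PID            = $proc.Id
            ProcessName    = $proc.ProcessName
            Path           = $proc.Path
            LooksLikeJava  = $isJava
            SchannelLoaded = $schannelLoaded
            Remediation    = $remediation
        }
    }
}

# Example invocation with the port used in the post.
Get-FlaggedPortOwner -Port 2216 | Format-List
```

Run it in an elevated PowerShell session so the module list of the target process can be read; otherwise the SchannelLoaded field stays at "unknown" and only the process name heuristic applies.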
If it is a Java application, you will have to ask the application support team to go through the following link and make the necessary changes:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
Similarly, for a .NET application: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
Most probably the application team will not appreciate this, since any change means taking a backup, scheduling downtime, performing the change and then requesting a rescan. But as a security analyst you will have to justify why disabling weak protocols and cipher suites is important.
For applications that use the Windows native SSL/TLS stack, i.e. Schannel, you can make the changes at the OS level.
The following registry paths are the ones to refer to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
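A read-only audit of the two registry locations listed above, as an added example (not code from the original post). The value names it reads (Enabled and DisabledByDefault under each protocol's Client and Server subkeys, and the comma-separated Functions string under the cipher suite policy key) follow Microsoft's documented Schannel layout. The Diffie-Hellman ServerMinKeyBitLength value is an addition not mentioned in the post; it is included because it is the Schannel setting that governs the DH group size behind a 1024-bit DHE finding, and the 2048-bit threshold used in the report is an assumption of this example.

```powershell
# Added example, not part of the original post. Read-only: nothing is modified.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$CipherPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-SchannelProtocolState {
    # Each protocol key (e.g. "TLS 1.0") has Client and Server subkeys holding
    # Enabled and DisabledByDefault DWORDs. A missing value means the OS default applies.
    $root = Join-Path $SchannelRoot 'Protocols'
    if (-not (Test-Path $root)) { return }
    foreach ($proto in Get-ChildItem -Path $root) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $root $proto.PSChildName) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $values = Get-ItemProperty -Path $key
                $enabled = $values.Enabled
                $disabledByDefault = $values.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Get-SchannelCipherSuiteOrder {
    # The policy key stores the ordered suite list in a REG_SZ named 'Functions'.
    if (-not (Test-Path $CipherPolicy)) { return @() }
    $functions = (Get-ItemProperty -Path $CipherPolicy -ErrorAction SilentlyContinue).Functions
    if (-not $functions) { return @() }
    return @($functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-SchannelDheServerMinKeyBitLength {
    # Addition beyond the post: minimum DH group size Schannel will use as a server.
    $key = Join-Path $SchannelRoot 'KeyExchangeAlgorithms\Diffie-Hellman'
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServerMinKeyBitLength
}

# Report
Get-SchannelProtocolState | Format-Table -AutoSize

$suites = Get-SchannelCipherSuiteOrder
if ($suites.Count -eq 0) {
    'No cipher suite order set under the policy key; the OS default order applies.'
} else {
    $dhe = $suites | Where-Object { $_ -like '*_DHE_*' }
    if ($dhe) { "DHE suites present in policy order: $($dhe -join ', ')" }
}

$min = Get-SchannelDheServerMinKeyBitLength
if ($null -eq $min) {
    'ServerMinKeyBitLength not set; the OS default DH group size applies.'
} elseif ($min -lt 2048) {
    "ServerMinKeyBitLength=$min is below the 2048-bit target; 1024-bit DHE may still be negotiated."
} else {
    "ServerMinKeyBitLength=$min"
}
```

Run this before and after an OS-level change so the rescan request to Qualys can be backed by the actual registry state rather than by the change ticket alone.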
The following Wikipedia page compares the various TLS implementations:
https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
Please don't search for a CVE corresponding to QID 38863, as you won't find one.
Happy Learning !!