TLS/SSL RC4, TLS V1.0, Sweet32 Vulnerabilities

Hi Team,

Please can you create fixlets to remediate the below vulnerabilities as per the Qualys report:

Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

Refer to Qualys id - 38657
CVE-2016-2183
Disable and stop using DES, 3DES, IDEA or RC2 ciphers.
More information can be found at Microsoft Windows TLS changes docs (https://docs.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server).

SSL/TLS Server supports TLSv1.0

Refer to Qualys id - 38628
Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
The following openssl commands can be used to do a manual test:
openssl s_client -connect ip:port -tls1
If the test is successful, then the target supports TLSv1

SSL/TLS use of weak RC4(Arcfour) cipher

Refer to Qualys id 38601,
CVE-2013-2566, CVE-2015-2808
RC4 should not be used where possible. One reason that RC4(Arcfour) was still being used was BEAST and Lucky13 attacks against CBC mode ciphers in SSL and TLS. However, TLSv 1.2 or later address these issues.

QID 38657: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

RELEVANCE:
1. exists operating system whose(name of it starts with "Win")
2. (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" of registry) OR (NOT exist value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" of native registry) OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" of native registry as string != "0")

ACTION:

action uses wow64 redirection false

delete __appendfile
delete customedit.reg

appendfile Windows Registry Editor Version 5.00
appendfile
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
appendfile "Enabled"=dword:00000000
move __appendfile customedit.reg

waithidden regedit /s "customedit.reg"
action requires restart

QID 38628: SSL/TLS Server supports TLSv1.0

RELEVANCE:

  1. exists operating system whose(name of it starts with "Win")
  2. (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" of registry) OR (NOT exists value "Enabled" of key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" of native registry) OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" of native registry as string != "0")

ACTION:

action uses wow64 redirection false

delete __appendfile
delete customedit.reg

appendfile Windows Registry Editor Version 5.00
appendfile
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
appendfile "Enabled"=dword:00000000

move __appendfile customedit.reg

waithidden regedit /s "customedit.reg"

waithidden net stop TermService /y
waithidden net start TermService /y

QID 38601: SSL/TLS use of weak RC4 cipher

RELEVANCE:

  1. exists operating system whose(name of it starts with "Win")
    2.(NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" of registry) OR (NOT exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" of registry) OR (NOT exists value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" of native registry) OR (NOT exists value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" of native registry) OR (NOT exists value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" of native registry) OR (NOT exists value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" of native registry) OR (NOT exists value "Enabled" of key 
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" of native registry) OR (NOT exists value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" of native registry) OR (NOT exists value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" of native registry) OR (NOT exists value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" of native registry) OR (NOT exists value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" of native registry) OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" of native registry as string != "0") OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" of native registry as string != "0") OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" of native registry as string != "0") OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" of native registry as string != "0") OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" of native registry as string != "0") OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" of native registry as string != "0") OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" of native registry as string != "0") OR (value "Enabled" of key 
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" of native registry as string != "0") OR (value "Enabled" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" of native registry as string != "0")

ACTION:

action uses wow64 redirection false

delete __appendfile
delete customedit.reg

appendfile Windows Registry Editor Version 5.00
appendfile
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
appendfile "Enabled"=dword:00000000
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
appendfile "Enabled"=dword:00000000
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
appendfile "Enabled"=dword:00000000
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
appendfile "Enabled"=dword:00000000
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
appendfile "Enabled"=dword:00000000
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
appendfile "Enabled"=dword:00000000
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
appendfile "Enabled"=dword:00000000
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
appendfile "Enabled"=dword:00000000
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
appendfile "Enabled"=dword:00000000

move __appendfile customedit.reg

waithidden regedit /s "customedit.reg"
action requires restart
3 Likes
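
Added example, not part of the posts above and not BigFix code: all three relevance statements flag a host when a SCHANNEL key is missing, its "Enabled" value is missing, or "Enabled" is not 0. The Python below applies that same three-way test to the text of a `reg export` of the SCHANNEL key, so a host can be checked before and after the actions run. The function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
# Subkeys the three fixlets in this thread set "Enabled"=dword:00000000 on.
TARGETS = [r"Ciphers\Triple DES 168", r"Protocols\TLS 1.0\Server"] + [
    "Ciphers\\" + c for c in ("DES 56/56", "NULL", "RC2 128/128", "RC2 40/128",
                              "RC2 56/128", "RC4 128/128", "RC4 40/128",
                              "RC4 56/128", "RC4 64/128")]

def parse_reg(text):
    """Parse .reg text into {lowercased key path: {value name: int}} (dword values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # key header; registry key names are case-insensitive
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def needs_remediation(text):
    """Return {subkey: reason} for every target the relevance would flag."""
    keys, findings = parse_reg(text), {}
    for sub in TARGETS:
        values = keys.get((BASE + "\\" + sub).lower())
        if values is None:
            findings[sub] = "key missing"
        elif "enabled" not in values:
            findings[sub] = "Enabled value missing"
        elif values["enabled"] != 0:
            findings[sub] = "Enabled=%#x" % values["enabled"]
    return findings

# Constructed sample export: 3DES disabled, TLS 1.0 server still enabled,
# RC4 128/128 key present without an Enabled value, all other keys absent.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + BASE + r"\Ciphers\Triple DES 168]", '"Enabled"=dword:00000000', "",
    "[" + BASE + r"\Protocols\TLS 1.0\Server]", '"Enabled"=dword:ffffffff', "",
    "[" + BASE + r"\Ciphers\RC4 128/128]", ""])

if __name__ == "__main__":
    for sub, reason in needs_remediation(SAMPLE).items():
        print(f"{sub}: {reason}")
```

An empty result from `needs_remediation` means none of the three relevance statements would evaluate to true for that export.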

I am looking to perform checks then changes to any server that has the registry values incorrect or enabled by default. I tried using the “Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)” script but receive a relevance syntax error on Line 1. I also receive errors on the second “Action”. I don’t know the action script language well enough to figure it out.

Thanks for any help

Make sure you have changed all the ‘Smart’ quotes to the dim but useful variety

Sorry Trn for the ignorance, but I understand smart quotes ’ ’ but do not know what you mean when you say dim quotes. If they are " " at this point so if I read this right " " should be changed to something else. I have tried ’ '. moving around () etc… But obviously I don’t understand.

Thanks

Smart quotes are not smart - dim is just a tongue in cheek comment

An example of a Smart quote is circled in red
The proper quote, that works in a script, is circled in green

I edited the post from @baynes74 above to add code tags, copy/paste from that should work better now in terms of proper quoting.

(I have not checked into the content itself for correctness)

1 Like