Weak DH Key Exchange Supported (PCI DSS)

2018-01-2900:00:00

www.tenable.com

1612

At least one of the services on the remote host supports a Diffie-Hellman key exchange using a public modulus smaller than 2048 bits.

Diffie-Hellman key exchanges with keys smaller than 2048 bits do not meet the PCI definition of strong cryptography as specified by NIST Special Publication 800-57 Part 1.

Diffie-Hellman moduli of up to 1024 bits are considered practically breakable by an attacker with very significant resources.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(106459);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");

  script_cve_id("CVE-2015-4000");
  script_bugtraq_id(74733);
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");

  script_name(english:"Weak DH Key Exchange Supported (PCI DSS)");

  script_set_attribute(attribute:"synopsis", value:
"A service on the remote host supports a weak key exchange mechanism");
  script_set_attribute(attribute:"description", value:
"At least one of the services on the remote host supports a
Diffie-Hellman key exchange using a public modulus smaller than 2048
bits.

Diffie-Hellman key exchanges with keys smaller than 2048 bits do not
meet the PCI definition of strong cryptography as specified by
NIST Special Publication 800-57 Part 1.

Diffie-Hellman moduli of up to 1024 bits are considered practically
breakable by an attacker with very significant resources.");
  script_set_attribute(attribute:"see_also", value:"https://weakdh.org/");
  script_set_attribute(attribute:"solution", value:
"Consult the software's manual and reconfigure the service to use at
least 2048-bit DH parameters. Alternatively, disable DH and use only
Elliptic-curve Diffie-Hellman (ECDH) instead.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:ND/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:X/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4000");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssl_logjam.nasl", "ssh_logjam.nasl");
  script_require_keys("Settings/PCI_DSS");
  script_exclude_keys("Settings/PCI_DSS_local_checks");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

if (!get_kb_item("Settings/PCI_DSS"))
  audit(AUDIT_PCI);

if (get_kb_item("Settings/PCI_DSS_local_checks"))
  exit(1, "This plugin only runs for PCI External scans.");

ssl_ports = get_kb_list("PCI/weak_dh_ssl");
ssh_ports = get_kb_list("PCI/weak_dh_ssh");

if (isnull(ssl_ports) && isnull(ssh_ports))
  exit(0, "No affected SSH or SSL services were detected.");

if (isnull(ssl_ports))
  ssl_ports = [];
if (isnull(ssh_ports))
  ssh_ports = [];

foreach port (list_uniq(ssl_ports))
{
  length = get_kb_item("PCI/weak_dh_ssl/modlen/" + port);
  if (length >= 2048)
    continue;
  security_report_v4(
    severity:SECURITY_WARNING,
    port:port,
    extra:"The SSL/TLS service on port " + port + " uses a " + length + "-bit DH modulus."
  );
}

# ssh_logjam.nasl does not check for moduli smaller than 2048 bits,
# rather it checks that a 1024-bit modulus is supported.
# Operators *could* create a weird, barely-big-enough modulus like
# 1028-bit and this check wouldn't flag them.
foreach port (ssh_ports)
{
  supported = get_kb_item("PCI/weak_dh_ssh/moduli/" + port);
  # A little confusing; ssh_logjam.nasl sets a KB for either "group1",
  # "gex1024", or "both" if both gex1024 and group1 are supported.
  report = 'The SSH service on port ' + port + ' supports a weak DH modulus :\n';
  if (supported == "group1" || supported == "both")
    # It's called Oakley Group 2, but SSH protocol calls it group1. See RFC 4253 8.1.
    report += '  - The very common 1024-bit Oakley Group 2 DH modulus\n';
  if (supported == "gex1024" || supported == "both")
    report += '  - DH group exchange is enabled and 1024-bit parameters are allowed\n';

  security_report_v4(
    severity:SECURITY_WARNING,
    port:port,
    extra:report
  );
}