openvas | Copyright (C) 2017 Greenbone AG | OPENVAS:1361412562310108147
HistoryApr 20, 2017 - 12:00 a.m.

SSL/TLS: Report 'Anonymous' Cipher Suites

2017-04-20 00:00:00
Copyright (C) 2017 Greenbone AG
plugins.openvas.org
665

5.4 Medium

CVSS2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:M/Au:N/C:P/I:P/A:P

6.3 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

70.2%

This routine reports all 'Anonymous' SSL/TLS cipher suites accepted by a service.

# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# Metadata block: evaluated only when `description` is set. It registers the
# script's identity, scoring, dependencies and report texts, then exits so the
# detection logic further down does not run in that pass.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.108147");
  script_version("2024-06-14T05:05:48+0000");
  # NOTE(review): both CVE ids are attached to every result. Nothing visible in
  # this script checks a product or version, so a finding indicates the generic
  # "anonymous cipher suites accepted" misconfiguration rather than a confirmed
  # instance of either CVE - triage accordingly.
  script_cve_id("CVE-2007-1858", "CVE-2014-0351");
  # CVSS v2 base score and vector; AV:A means the vector assumes an attacker on
  # an adjacent network.
  script_tag(name:"cvss_base", value:"5.4");
  script_tag(name:"cvss_base_vector", value:"AV:A/AC:M/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"2024-06-14 05:05:48 +0000 (Fri, 14 Jun 2024)");
  script_tag(name:"creation_date", value:"2017-04-20 06:08:04 +0200 (Thu, 20 Apr 2017)");
  script_name("SSL/TLS: Report 'Anonymous' Cipher Suites");
  script_category(ACT_GATHER_INFO);
  script_family("SSL and TLS");
  script_copyright("Copyright (C) 2017 Greenbone AG");
  # Runs after secpod_ssl_ciphers.nasl and only when both KB keys below exist.
  # Presumably that dependency sets "secpod_ssl_ciphers/anon_ciphers" once it has
  # seen an anonymous suite accepted - confirm against the dependency.
  script_dependencies("secpod_ssl_ciphers.nasl");
  script_mandatory_keys("secpod_ssl_ciphers/anon_ciphers", "ssl_tls/port");

  # Hardening references shown with the result.
  script_xref(name:"URL", value:"https://bettercrypto.org/");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/28482");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/69754");
  script_xref(name:"URL", value:"https://mozilla.github.io/server-side-tls/ssl-config-generator/");

  script_tag(name:"summary", value:"This routine reports all 'Anonymous' SSL/TLS cipher suites
  accepted by a service.");

  # Anonymous suites perform the key exchange without a server certificate, so
  # the client has no way to verify which endpoint it negotiated keys with.
  script_tag(name:"insight", value:"Services supporting 'Anonymous' cipher suites could allow a
  client to negotiate an SSL/TLS connection to the host without any authentication of the remote
  endpoint.");

  script_tag(name:"impact", value:"This could allow remote attackers to obtain sensitive
  information or have other, unspecified impacts.");

  # Remediation is a server-side configuration change. For OpenSSL-based
  # services, adding `!aNULL` to the cipher string excludes suites that offer no
  # authentication; re-scan afterwards to confirm the list is empty.
  # NOTE(review): "this services" is a typo in the report text; it is left
  # untouched here because the string is emitted verbatim in results.
  script_tag(name:"solution", value:"The configuration of this services should be changed so
  that it does not accept the listed 'Anonymous' cipher suites anymore.

  Please see the references for more resources supporting you in this task.");

  script_tag(name:"solution_type", value:"Mitigation");
  script_tag(name:"qod_type", value:"remote_app");

  exit(0);
}

include("ssl_funcs.inc");
include("gb_print_ciphers.inc");
include("host_details.inc");

# Port to evaluate, as handed out by the shared SSL/TLS helper; without one
# there is nothing to report.
port = tls_ssl_get_port();
if( ! port )
  exit( 0 );

# StartTLS services are skipped on purpose: an attacker who is already in a
# man-in-the-middle position could interfere with the initial StartTLS request
# and force a fallback to plaintext, so the anonymous suites add little on top.
# Skipping them also keeps 'Opportunistic TLS' services such as SMTP out of the
# results.
# NOTE(review): a missing finding on a StartTLS port therefore does not show
# that anonymous suites are disabled there - review those services separately.
starttls_type = get_kb_item( "starttls_typ/" + port );
if( starttls_type )
  exit( 0 );

# Formatted list of the accepted cipher suites in the "anon" strength class.
report = print_cipherlists( port:port, strengths:"anon" );

# Empty list: leave with exit code 99, which presumably follows the convention
# of these scripts for "checked and not affected".
if( ! report )
  exit( 99 );

# nb:
# - Record a link from this result to gb_ssl_ciphers_report.nasl so the reports
#   carry a cross-reference
# - The get_app_* functions are deliberately not used; only the cross-reference
#   is of interest here
register_host_detail( name:"detected_by", value:"1.3.6.1.4.1.25623.1.0.802067" ); # gb_ssl_ciphers_report.nasl
register_host_detail( name:"detected_at", value:port + "/tcp" );

security_message( port:port, data:report );
exit( 0 );
