Today, a colleague asked me about a vulnerability called "TLS/SSL Server Supports The Use of Static Key Ciphers" (ssl-static-key-ciphers).
This vulnerability has CVSS 2.6 (rated by Rapid7). According to Rapid7:
The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.
Here are the questions I was asked:
- What kind of vulnerability is this?
- Since this vulnerability has low (<4) CVSS rating, can we skip the remediation?
- Why does the vulnerability still exist even though I have followed PCI compliance by only allowing TLS 1.1 and TLS 1.2?
My answers:
- To me, this is a kind of misconfiguration, rather than a (missing) patching issue.
- To me, this is not an urgent vulnerability, but it is an important one. With advanced cracking using GPUs, we cannot be sure that someone will not eventually be able to crack a session key, given some amount of time, and fully compromise the encrypted channel.
- Yes, even if you have only TLS 1.2 enabled, your system may still be vulnerable to a static key cipher attack. Referring to the post on Static Key Cipher Vs Perfect Forward Secrecy, disabling all the weak cipher suites (SSLv2/SSLv3/TLS1.0) and only allowing the recommended ones (TLS1.1/TLS1.2) does not guarantee that forward secrecy is always used.
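
To make the last answer concrete, here is an added example (not from Rapid7 or the referenced post) that reads the key exchange out of IANA cipher suite names and lists the ones that are not DHE/ECDHE. The function names and the sample server list are constructed for illustration; the list models a server restricted to TLS 1.2 that still offers static key suites.

```python
# Added example: find static key (non-forward-secret) suites in a cipher list.
# Suite names are standard IANA names; the sample list below is constructed.

EPHEMERAL_KX = {"DHE", "ECDHE"}  # key exchanges that give forward secrecy


def key_exchange(suite: str) -> str:
    """Return the key-exchange token of an IANA suite name (e.g. 'ECDHE', 'RSA')."""
    if not suite.startswith("TLS_") or suite.endswith("_SCSV"):
        raise ValueError(f"not a TLS cipher suite name: {suite!r}")
    if "_WITH_" not in suite:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256) omit the key exchange,
        # which is always ephemeral (EC)DHE in that protocol version.
        return "TLS1.3"
    return suite[len("TLS_"):].split("_WITH_", 1)[0].split("_")[0]


def is_forward_secret(suite: str) -> bool:
    kx = key_exchange(suite)
    return kx == "TLS1.3" or kx in EPHEMERAL_KX


def static_key_suites(enabled):
    """Return the suites whose name does not indicate DHE/ECDHE key exchange."""
    return [s for s in enabled if not is_forward_secret(s)]


# Constructed sample: a server restricted to TLS 1.2 that still offers
# static RSA and static ECDH suites alongside ECDHE/DHE ones.
TLS12_ONLY_SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for name in static_key_suites(TLS12_ONLY_SERVER):
        print("static key exchange:", name)
```

Every suite in the sample is valid for TLS 1.2, yet three of the five are reported, which is why restricting the protocol version alone does not clear the finding.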