Two most common cryptography protocols: SSH and TLS/SSL, are commonly mis-configured in many ways.
SSH (22/tcp)
The SSH key exchange algorithm is fundamental to keep the protocol secure. It is what allows two previously unknown parties to generate a shared key in plain sight, and have that secret remain private to the client and server.
Nearly all encryption schemes require parties to have a shared secret. Key Exchange algorithms are what allow two parties to create a shared secret while exchanging information in public sight. Key Exchange algorithms do not actually exchange keys, but rather partial variables that allows both parties to create a shared secret.
Over time, some implementations of this algorithm have been identified as weak or vulnerable.
A weak Key Exchange Algorithms use components with fundamental security flaws. There are only two primary reasons they are be regarded as ‘weak’:
- The algorithm uses SHA1.
- The algorithm uses RSA 1024-bit modulus keys.
When flaws were identified in SHA1, it was believed this could potentially impact SSH security. An attack against the protocol would carry an extreme level of difficulty and would be nearly impossible to conduct in practice.
Despite the unlikeliness of an attack occurring, using encryption algorithms with known weaknesses such as SHA1 will raise a Low Risk issue on a network penetration test.
A list of known weak key exchange algorithms:
- diffie-hellman-group-exchange-sha1
- Diffie-hellman-group1-sha1
- gss-gex-sha1-*
- gss-group1-sha1-*
- rsa1024-sha1
Besides that, there is also issue of SSH weak MAC algorithms. These algorithms exist in the majority of SSH configurations and are generally considered Low Risk.
As with most encryption schemes, SSH MAC algorithms are used to validate data integrity and authenticity. A ‘MAC algorithm’ should not be conflated with a MAC (Message Authentication Code) as these are two distinct components. The MAC algorithm uses a message and private key to generate the fixed length MAC.
A weak MAC algorithm may be considered weak for the following reasons:
- A known weak hashing function is used (MD5)
- The digest length is too small (Less than 128 bits)
- The tag size is too small (Less than 128 bits)
The following are the most common known weak MAC algorithms encountered in SSH:
- hmac-md5
- hmac-md5-96
- hmac-sha1-96
- hmac-sha2-256-96
- hmac-sha2-512-96
TLS/SSL (443/tcp)
3 commonly mis-configured ciphers in TLS/SSL server:
- Information disclosure with predicted IV in CBC
- NULL ciphers supported
- 'Export Ciphers' enabled
SSLv3 and TLS1.0 implementations using Chained-block ciphers (CBC) may be vulnerable to plain-text recovery attacks. When predictable IVs are used in CBC mode, an attacker can leverage this in more advanced attacks as demonstrated in the ‘BEAST’ attack.
There are two ways to remediate this: 1) Disable TLS 1.0 completely to enforce TLS 1.1 and TLS 1.2; 2) Leave TLS 1.0 support enabled, but disable Chained Block Ciphers (CBC).
NULL ciphers offer no true cryptographic data confidentiality. Instead of secure mathematical algorithms to protect data, null ciphers use predefined blocks of data to obfuscate plain-text. No protection is actually provided by null ciphers and should not be used in production environments where confidentiality is required.
Examples of null ciphers:
- TLS_NULL_WITH_NULL_NULL
- TLS_RSA_WITH_NULL_MD5 / NULL-MD5
- TLS_DHE_PSK_WITH_NULL_SHA / DHE-PSK-NULL-SHA
Export ciphers’ are low-grade cryptographic ciphers that were authorized to be used outside the US during the 1990’s. During this time encryption was heavily regulated by the US government as auxiliary military equipment. This allowed intelligence agencies greater ease to eavesdrop on foreign communication channels of interest.
Although export ciphers may be strong enough to secure data from the general public, they include many well known flaws that would allow state-sponsored actors to break the encryption if intercepted. Supporting export ciphers poses an excessive risk to users who may be using older web clients.
Because most SSL/TLS services negotiate ciphers in a top-down fashion, it is rare that clients such as web browsers will negotiate all the way to down to export grade encryption. Despite this, consideration should be given to downgrade attacks where negotiation of export ciphers may be forced by a MITM vector.
Examples of 'export ciphers':
- SSL_RSA_EXPORT_WITH_RC4_40_MD5 / EXP-RC4-MD5
- TLS_RSA_EXPORT_WITH_DES40_CBC_SHA / EXP-DES-CBC-SHA
Links:
- https://www.virtuesecurity.com/kb/ssh-weak-key-exchange-algorithms-enabled/
- https://www.virtuesecurity.com/kb/ssh-weak-mac-algorithms-enabled/
- https://www.virtuesecurity.com/kb/tls-1-0-initialization-vector-implementation-information-disclosure-vulnerability/
- https://www.virtuesecurity.com/kb/null-ciphers-supported/
- https://www.virtuesecurity.com/kb/export-ciphers-enabled/