收到漏扫报告↓↓↓↓↓↓↓

漏洞名称

SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】

详细描述

TLS是安全传输层协议，用于在两个通信应用程序之间提供保密性和数据完整性。 TLS, SSH, IPSec协商及其他产品中使用的DES及Triple DES密码或者3DES及Triple 3DES存在大约四十亿块的生日界，这可使远程攻击者通过Sweet32攻击，获取纯文本数据。

解决办法

建议：避免使用DES和3DES算法 1、OpenSSL Security Advisory [22 Sep 2016] 链接：https://www.openssl.org/news/secadv/20160922.txt 请在下列网页下载最新版本：   https://www.openssl.org/source/ 2、对于nginx、apache、lighttpd等服务器禁止使用DES加密算法 主要是修改conf文件 3、Windows系统可以参考如下链接： https://social.technet.microsoft.com/Forums/en-US/31b3ba6f-d0e6-417a-b6f1-d0103f054f8d/ssl-medium-strength-cipher-suites-supported-sweet32cve20162183?forum=ws2016 https://docs.microsoft.com/zh-cn/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

威胁分值

7.5

危险插件

否

发现日期

2016-08-31

CVE编号

CVE-2016-2183

BUGTRAQ

92630

NSFOCUS

34880

CNNVD编号

CNNVD-201608-448

CNCVE编号

CNCVE-20162183

CVSS评分

5.0

CNVD编号

CNVD-2016-06765

操作如下：

本机扫描

 [root@zhtzdb-10 ~]# nmap -sV -p 443 --script ssl-enum-ciphers 10.2.10.2

Starting Nmap 6.40 ( http://nmap.org ) at 2022-07-05 10:36 CST Nmap scan report for 10.2.10.2 Host is up (0.00011s latency). PORT    STATE SERVICE VERSION 443/tcp open  http    nginx | ssl-enum-ciphers:  |   SSLv3: No supported ciphers found |   TLSv1.0:  |     ciphers:  |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong |     compressors:  |       NULL |   TLSv1.1:  |     ciphers:  |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong |     compressors:  |       NULL |   TLSv1.2:  |     ciphers:  |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong |       TLS_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong |       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong |       TLS_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong |       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong |     compressors:  |       NULL |_  least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.34 seconds

 编辑nginx.conf文件，修改ssl_ciphers后面的参数，如下↓

        server {                 listen 443 ssl;                 server_name  www.cookie.com;                                  ssl_certificate      cert/2022_www.cookie.com.pem;                 ssl_certificate_key  cert/2022_www.cookie.com.key;                 ssl_session_timeout 5m;                 #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;                 ssl_ciphers HIGH:!ADH:!MD5;                 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                 ssl_prefer_server_ciphers on;

 保存退出，重启nginx服务。

重新执行nmap命令

[root@zhtzdb-10 ~]# nmap -sV -p 443 --script ssl-enum-ciphers 10.2.10.2

Starting Nmap 6.40 ( http://nmap.org ) at 2022-07-05 10:48 CST Nmap scan report for 10.2.10.2 Host is up (0.00010s latency). PORT    STATE SERVICE VERSION 443/tcp open  http    nginx | ssl-enum-ciphers:  |   SSLv3: No supported ciphers found |   TLSv1.0:  |     ciphers:  |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken |       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken |       TLS_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong |     compressors:  |       NULL |   TLSv1.1:  |     ciphers:  |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken |       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken |       TLS_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong |     compressors:  |       NULL |   TLSv1.2:  |     ciphers:  |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong |       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken |       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken |       TLS_RSA_WITH_AES_128_CBC_SHA - strong |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong |       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong |       TLS_RSA_WITH_AES_256_CBC_SHA - strong |       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong |       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong |     compressors:  |       NULL |_  least strength: broken

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.35 seconds