Overview
Sweet32 affects TLS ciphers; OpenSSL now considers the Triple DES cipher vulnerable, just as it does RC4. The DES and Triple DES ciphers have only a 64-bit block size. This lets an attacker run JavaScript in a browser and send large amounts of traffic over the same TLS connection until a block collision occurs. With that collision, the attacker is able to recover information from a session cookie.
Mitigation
To mitigate, follow one of these steps:
- Disable any triple-DES cipher on servers that still support it.
- Upgrade old servers that do not support stronger ciphers than DES or RC4.
Solution
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate the following security registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- Go to the SCHANNEL\Ciphers subkey, which is used to control ciphers such as DES and RC4.
- SCHANNEL\Ciphers\RC4: in the empty space of the right pane, right-click, select New, then DWORD (32-bit) Value. Enter Enabled as the name, press Enter, and set the Value data to 0x0.
- Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click, select Modify, and enter 0 as the Value data.
- To disable SCHANNEL\Ciphers\Triple DES, right-click the Triple DES folder, select New, and then click Key. Name the new folder Server.
- Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value. Enter Enabled as the name and press Enter.
- Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click, select Modify, and enter 0 as the Value data.
- Reboot the Windows server.
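The same change can be scripted instead of clicked through in regedit. The following PowerShell is an added example, not part of the original post: it writes Enabled=0 directly under each Schannel cipher subkey and then reads the values back to verify. It assumes an elevated session on Windows Server, the standard Schannel cipher subkey names ("Triple DES 168", "RC4 128/128" and so on), and that a reboot is still required afterwards.

```powershell
# Added example (not from the original post): disable the 64-bit block
# ciphers targeted by Sweet32 (DES, Triple DES) and RC4 in Schannel by
# setting Enabled = 0 (REG_DWORD) under each cipher subkey.
# Assumptions: run elevated; subkey names are the standard Schannel cipher
# names; the server must be rebooted before Schannel picks up the change.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$toDisable   = @('Triple DES 168', 'DES 56/56',
                 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128')

# Use the .NET registry API rather than the HKLM: provider: several cipher
# names contain '/', which New-Item would interpret as a path separator.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
if ($null -eq $ciphers) {
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
}

foreach ($name in $toDisable) {
    # CreateSubKey returns the existing key (writable) if it is already present
    $sub = $ciphers.CreateSubKey($name)
    $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}

# Verify: every listed cipher must now read Enabled = 0
$allDisabled = $true
foreach ($name in $toDisable) {
    $sub   = $ciphers.OpenSubKey($name)
    $value = $sub.GetValue('Enabled')
    $sub.Close()
    if ($value -ne 0) { $allDisabled = $false }
    $state = if ($value -eq 0) { 'disabled' } else { 'STILL ENABLED' }
    Write-Output ('{0,-16} Enabled={1} -> {2}' -f $name, $value, $state)
}
$ciphers.Close()

if (-not $allDisabled) { Write-Warning 'One or more ciphers are still enabled.' }
Write-Output 'Reboot the server for Schannel to apply the new cipher settings.'
```

After the reboot, an external TLS scan against the server should no longer list any 3DES or RC4 cipher suites.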