Sweet 32 Attack - IHS

Overview

 

Sweet32 affects TLS ciphers, and OpenSSL now considers the Triple DES cipher vulnerable, as it does the RC4 cipher. The DES ciphers (and Triple DES) have only a 64-bit block size. This enables an attacker to run JavaScript in a browser and send large amounts of traffic during the same TLS connection, creating a collision. With this collision, the attacker is able to retrieve information from a session cookie.

Disabling the 3DES cipher in Apache is easy; just follow the steps below.

Mitigation

Review your IBM HTTP Server configuration files (httpd.conf) to determine if the default TLS cipher lists are being used.
• For each SSLEnable directive, if there is no SSLCipherSpec in the same context, no action is required for Step 1 (3DES is not preferred by default and is not included in the defaults after the fixpacks containing PI84868)
• If SSLCipherSpec is present, but not with a parameter of '3A', 'C008', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', or 'SSL_RSA_WITH_3DES_EDE_CBC_SHA', no action is required for Step 1 (3DES is not preferred).
• If SSLCipherSpec has explicitly named one of the parameters above, then new guidance is that this statement should be removed. At a minimum, if it is not the last SSLCipherSpec in the configuration stanza, it should be moved so that it is the last SSLCipherSpec in the stanza.

• If you want to remove 3DES entirely (now recommended by researchers, but this may break very old clients):
  • Version 7 and earlier (and z/OS prior to 9.0.0.3, 8.5.5.12, and 8.0.0.14, and 7.0.0.43)
    • Remove all instances of SSLCipherSpec from the configuration file.
    • After each configuration stanza with SSLEnable, append the following two lines:

SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

  • Version 8 and later (excluding z/OS prior to 9.0.0.3, 8.5.5.12, and 8.0.0.14, and 7.0.0.43)
    • Remove '3A', 'C008', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', or 'SSL_RSA_WITH_3DES_EDE_CBC_SHA' from any existing SSLCipherSpec directive.
    • At the bottom of each configuration stanza with SSLEnable, append the following line:

SSLCipherSpec ALL -SSL_RSA_WITH_3DES_EDE_CBC_SHA -TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Restart the IHS web server for the changes to take effect.
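The Step 1 review of httpd.conf can be scripted. The following is an added example, not IBM tooling or code from the original post: it reports, for each context with SSLEnable, which of the three review outcomes applies. It assumes each <VirtualHost> block and the global scope count as one context, and it does not follow Include files; the function names and the sample configuration are constructed for illustration.

```python
import re

# The four 3DES spellings listed in the review steps above.
TRIPLE_DES = {"3A", "C008", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}

def names_3des(args):
    """True if an SSLCipherSpec argument list enables 3DES ('-NAME' removes it)."""
    return any(a.lstrip("+").upper() in TRIPLE_DES for a in args if not a.startswith("-"))

def audit(conf_text):
    """Map each context containing SSLEnable to a verdict from the review steps."""
    ctxs, stack = {"global": [False, []]}, ["global"]  # name -> [ssl_enabled, specs]
    for n, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        opened = re.match(r"\s*<VirtualHost\s+([^>]+)>", raw, re.I)
        if opened:
            stack.append(f"VirtualHost {opened.group(1).strip()} (line {n})")
            ctxs[stack[-1]] = [False, []]
        elif parts[0].lower() == "</virtualhost>" and len(stack) > 1:
            stack.pop()
        elif parts[0].lower() == "sslenable":
            ctxs[stack[-1]][0] = True
        elif parts[0].lower() == "sslcipherspec":
            ctxs[stack[-1]][1].append(parts[1:])
    verdicts = {}
    for name, (enabled, specs) in ctxs.items():
        if not enabled:
            continue
        hits = [i for i, s in enumerate(specs) if names_3des(s)]
        if not specs:
            verdicts[name] = "defaults in use, no action"
        elif not hits:
            verdicts[name] = "3DES not named, no action"
        elif hits == list(range(len(specs) - len(hits), len(specs))):
            verdicts[name] = "remove 3DES (currently last)"
        else:
            verdicts[name] = "remove 3DES (listed before other ciphers)"
    return verdicts

SAMPLE = "\n".join([  # constructed sample configuration, not from a real server
    "<VirtualHost *:443>", "SSLEnable", "</VirtualHost>", "<VirtualHost *:8443>",
    "SSLEnable", "SSLCipherSpec 3A", "SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA",
    "</VirtualHost>", "<VirtualHost *:9443>", "SSLEnable",
    "SSLCipherSpec ALL -SSL_RSA_WITH_3DES_EDE_CBC_SHA", "</VirtualHost>"])

if __name__ == "__main__":
    for ctx, verdict in audit(SAMPLE).items():
        print(f"{ctx}: {verdict}")
```

To check a real server, pass the contents of its httpd.conf to `audit()` in place of `SAMPLE`.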