How to remediate – SSL Null Cipher Suites Supported

1. Introduction

The SSL Null Cipher Suites Supported vulnerability means a service is allowing connections that don’t use encryption. This makes it easier for attackers to intercept sensitive data like usernames and passwords. Systems running web servers, email services, or any application using TLS/SSL are usually affected. A successful exploit could lead to complete loss of confidentiality of data in transit.

2. Technical Explanation

This vulnerability occurs when a server is configured to accept SSL cipher suites that offer no encryption at all. An attacker can negotiate a connection using one of these null ciphers, bypassing security measures. Exploitation is simpler if the attacker has network access to the affected host.

• Root cause: The server’s TLS/SSL configuration includes support for cipher suites like SSLv2 or SSLv3 with no encryption.
• Exploit mechanism: An attacker uses a tool like OpenSSL s_client to connect to the server and negotiate a null cipher suite connection, allowing them to intercept traffic in plain text. For example, `openssl s_client -connect target.example.com:443 -ssl3`.
• Scope: Affected platforms include servers running Apache, Nginx, Microsoft IIS, and other web servers using OpenSSL or similar TLS/SSL libraries. Older versions are more likely to be vulnerable.

3. Detection and Assessment

You can confirm a vulnerability by checking the server’s SSL configuration. A quick check is to use an online SSL checker tool. For a thorough assessment, use a dedicated security scanner.

• Quick checks: Use `nmap –script ssl-enum-ciphers -p 443 target.example.com` to list supported ciphers. Look for any cipher suites with “NULL” in the name.
• Scanning: Nessus plugin ID 3a040ada identifies this vulnerability. Other scanners may have similar checks.
• Logs and evidence: Check server logs for TLS/SSL handshake events, looking for negotiation of weak or null ciphers. Event IDs vary by server software.

nmap --script ssl-enum-ciphers -p 443 target.example.com

4. Solution / Remediation Steps

Reconfigure the affected application to disable support for null cipher suites. This is usually done in the server’s TLS/SSL configuration file.

4.1 Preparation

• Ensure you have access to the server’s configuration files and understand the impact of changing SSL settings. A roll back plan is to restore the original configuration file.
• A change window may be required, depending on service criticality. Approval from a senior IT administrator might be necessary.

4.2 Implementation

1. Step 1: Edit the server’s TLS/SSL configuration file (e.g., Apache’s httpd.conf or Nginx’s nginx.conf).
2. Step 2: Remove any lines that enable SSLv3, TLSv1, or cipher suites containing “NULL”.
3. Step 3: Restart the web service to apply the changes.

4.3 Config or Code Example

Before

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL

After

SSLProtocol TLSv1.2 TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue. Least privilege limits the impact of a successful exploit. Regular patch management ensures you have the latest security updates. Secure defaults reduce the risk of misconfiguration.

• Practice 1: Implement least privilege principles, limiting access to sensitive configuration files and services.
• Practice 2: Maintain a regular patch cadence for all server software, including TLS/SSL libraries.

4.5 Automation (Optional)

# Example PowerShell script to check SSL configuration (requires OpenSSL module)
Get-ChildItem -Path "C:Program FilesOpenSSL-Win64bin" | Where-Object {$_.Name -like "openssl.cfg"} | ForEach-Object {
  $configFilePath = $_.FullName
  # Read the config file and check for SSLv3 or NULL ciphers (example only)
  if ((Get-Content $configFilePath) -match "SSLProtocol all") {
    Write-Host "Warning: SSLProtocol all is enabled in configuration file."
  }
}

5. Verification / Validation

• Post-fix check: Run `nmap –script ssl-enum-ciphers -p 443 target.example.com` again and confirm that no cipher suites containing “NULL” are listed.
• Re-test: Re-run the Nessus scan (plugin ID 3a040ada) to verify that the vulnerability is resolved.
• Monitoring: Monitor server logs for TLS/SSL handshake events, looking for any unexpected errors or weak cipher negotiation attempts.

nmap --script ssl-enum-ciphers -p 443 target.example.com

6. Preventive Measures and Monitoring

Update security baselines to include strong TLS/SSL configuration requirements. Implement automated checks in your CI/CD pipeline to prevent weak cipher suites from being deployed. Regularly review server configurations for compliance.

• Baselines: Update a security baseline or policy (for example, CIS control 14) to require disabling SSLv3 and using strong cipher suites.
• Pipelines: Add SAST or SCA checks in your CI/CD pipeline to scan configuration files for weak TLS/SSL settings.
• Asset and patch process: Implement a monthly review cycle of server configurations, checking against security baselines.

7. Risks, Side Effects, and Roll Back

• Risk or side effect 1: Older browsers or applications may not be able to connect if TLSv1 is disabled.
• Risk or side effect 2: Incorrectly configured SSL settings can cause service outages.
• Roll back: Restore the original TLS/SSL configuration file and restart the web service.

8. References and Resources

• Vendor advisory or bulletin: http://www.nessus.org/u?3a040ada
• NVD or CVE entry: No specific CVE is listed for this general issue, but related vulnerabilities can be found on the NVD website.
• Product or platform documentation relevant to the fix: Refer to your web server’s documentation (e.g., Apache SSL/TLS Configuration Guide).