1. Introduction
The SSL/TLS Null Cipher Suites Supported vulnerability means a system allows connections using encryption methods that provide no actual security. This is because it permits ciphers which don’t encrypt data, leaving communications open to eavesdropping and manipulation. It affects servers and applications configured to accept TLS connections, particularly older systems or those with permissive configurations. A successful exploit could lead to complete loss of confidentiality, integrity, and availability of transmitted data.
2. Technical Explanation
This vulnerability occurs when a server is configured to support SSL/TLS cipher suites that offer no encryption. Attackers can then negotiate a connection using one of these null ciphers, bypassing security measures. The precondition for exploitation is the availability of an application or service accepting TLS connections with unsupported cipher suites enabled. CWE-319 covers this issue.
- Root cause: The server allows the negotiation of SSL/TLS cipher suites that do not provide encryption.
- Exploit mechanism: An attacker uses a tool like OpenSSL’s s_client to connect to the server and explicitly request a null cipher suite, forcing the use of an unencrypted connection.
- Scope: Affects servers running any TLS implementation (e.g., OpenSSL, GnuTLS, Microsoft SSL/TLS) with improperly configured cipher suites.
3. Detection and Assessment
You can check for this vulnerability by examining the supported cipher suites of a server. A quick check involves using an online SSL checker or command-line tool to view the configuration. For a thorough assessment, use a dedicated network scanner.
- Quick checks: Use OpenSSL’s s_client command:
openssl s_client -connect target.example.com:443Look for cipher suites starting with “NULL”.
- Scanning: Nessus plugin ID 10875 can detect this issue. Qualys SSL Labs also reports on unsupported ciphers. These are examples only, and results should be verified.
- Logs and evidence: Server logs may show the negotiated cipher suite during connection establishment. Look for entries indicating a NULL cipher was used.
openssl s_client -connect target.example.com:4434. Solution / Remediation Steps
The solution is to reconfigure the affected application or server to disable support for null cipher suites. This ensures only secure encryption methods are used.
4.1 Preparation
- Ensure you have access to the server’s TLS configuration files. A rollback plan is to restore the original configuration file.
- A change window may be required for critical services, with approval from the security team.
4.2 Implementation
- Step 1: Identify the TLS configuration file (e.g., Apache httpd.conf, Nginx nginx.conf, or server certificate store).
- Step 2: Edit the configuration file to remove any lines enabling null cipher suites. This often involves commenting out or deleting entries like “SSLProtocol all -SSLv2 -SSLv3” and ensuring no NULL ciphers are listed in the `SSLCipherSuite` directive.
- Step 3: Restart the affected service to apply the changes.
4.3 Config or Code Example
Before
SSLCipherSuite ALL:!ADH:!eNULLAfter
SSLCipherSuite HIGH:!aNULL:!MD54.4 Security Practices Relevant to This Vulnerability
Several security practices help prevent this issue. Least privilege limits the impact of a compromised service. Secure defaults ensure systems start with strong configurations. Patch cadence ensures timely updates address known vulnerabilities.
- Practice 1: Implement least privilege, restricting access to TLS configuration files and services.
- Practice 2: Use secure defaults when configuring TLS, avoiding permissive settings that allow weak ciphers.
4.5 Automation (Optional)
Ansible can automate the update of TLS configurations across multiple servers.
---
- hosts: webservers
tasks:
- name: Remove NULL cipher suites from Apache configuration
lineinfile:
path: /etc/apache2/mods-enabled/ssl.conf
regexp: '^SSLCipherSuite ALL:!ADH:!eNULL'
state: absent
notify: Restart Apache
handlers:
- name: Restart Apache
service:
name: apache2
state: restarted5. Verification / Validation
- Post-fix check: Run
openssl s_client -connect target.example.com:443and confirm no cipher suites starting with “NULL” are listed.
- Re-test: Re-run the initial OpenSSL command to ensure null ciphers are not supported.
- Smoke test: Access a key application page over HTTPS to verify functionality remains intact.
- Monitoring: Monitor server logs for any connection attempts using unsupported cipher suites, as this could indicate misconfiguration or attempted exploitation.
openssl s_client -connect target.example.com:4436. Preventive Measures and Monitoring
Update security baselines to include strong TLS configurations. Implement checks in CI/CD pipelines to prevent deployments with weak ciphers. Establish a regular patch review cycle.
- Baselines: Update your server hardening baseline (e.g., CIS benchmark) to enforce secure TLS settings.
- Asset and patch process: Review security patches regularly, prioritizing those addressing TLS vulnerabilities.
7. Risks, Side Effects, and Roll Back
Removing null cipher suites may cause compatibility issues with very old clients that do not support modern encryption methods. The roll back plan is to restore the original configuration file.
- Risk or side effect 2: Service interruption if the configuration is incorrect. Mitigation: Have a rollback plan in place.
- Roll back: Restore the original TLS configuration file and restart the service.
8. References and Resources
- Vendor advisory or bulletin: Check your server vendor’s security advisories for specific guidance.
- NVD or CVE entry: https://nvd.nist.gov/vuln/detail/CVE-2016-0703
- Product or platform documentation relevant to the fix: Refer to your server’s TLS configuration documentation (e.g., OpenSSL documentation).