
SWEET32 not being flagged when AES-CBC is used (False negative) #1296

Closed
nrathaus opened this issue Jul 14, 2019 · 5 comments

Comments

@nrathaus

Please make sure that you provide enough information so that we understand what your issue is about.

  1. uname -a
    Linux cloud2-LSS4SL-c5 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux

  2. testssl version from the banner: testssl.sh -b 2>/dev/null | head -4 | tail -2
    testssl.sh 3.0rc4 from https://testssl.sh/dev/

  3. git log | head -1 (if running from git repo)

  4. openssl version used by testssl.sh: testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}'
    ./bin/openssl.Linux.x86_64

  5. steps to reproduce: testssl.sh or docker command line, if possible incl. host

  6. what exactly was happening, output is needed
    SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)

  7. what did you expect instead?
    SWEET32 (CVE-2016-2183, CVE-2016-6329) vulnerable

A target having AES-CBC enabled, for example:

Cipher Suite Name (Hexcode)   Key Exchange   FS   Rating   Bits
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 3072 bits   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 3072 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 3072 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 3072 bits   FS   WEAK 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 3072 bits   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 3072 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 3072 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)   DH 3072 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 3072 bits   FS   WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96)   WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   WEAK 128

will not get listed as vulnerable to SWEET32, even though it has AES_128_CBC listed as being used; based on the SWEET32 advisory released by Cloudflare, this configuration is also vulnerable.

I believe `local sweet32_ciphers` should be adjusted to include them.

I can provide two domains that are not being flagged even though they should be, but discreetly, not in a public issue ticket.

@dcooper16
Collaborator

Hello @nrathaus,

This is not a false negative. SWEET32 is about the use of 64-bit block ciphers, such as 3DES (see https://sweet32.info/). In fact, the main recommendation on https://sweet32.info is to use AES.

Depending on the versions of SSL/TLS that your server supports, there are vulnerabilities associated with the use of CBC ciphers (including AES-CBC), such as POODLE, BEAST, and LUCKY13. However, SWEET32 isn't about the use of CBC or AES.

Can you tell me what the Cloudflare advisory said? I tried to search for this, but the only possible "hits" I found were Cloudflare support pages, which were only available to their customers.
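The distinction made in this comment, written out as an added example (not testssl.sh code): a classifier that reports a suite under SWEET32 only when its bulk cipher has a 64-bit block, and under a separate CBC class when the mode is CBC. The block-size table, function names and the suite list (a subset of the report above plus one 3DES suite for contrast) are constructed for this example.

```python
import re

# Constructed lookup: block size (bits) of the bulk-cipher token found in
# IANA-style suite names. Only 64-bit entries are in scope for SWEET32
# (CVE-2016-2183); AES, Camellia and SEED all use 128-bit blocks.
BLOCK_BITS = {
    "3DES_EDE_CBC": 64, "DES_CBC": 64, "DES40_CBC": 64,
    "IDEA_CBC": 64, "RC2_CBC_40": 64,
    "AES_128_CBC": 128, "AES_256_CBC": 128,
    "AES_128_GCM": 128, "AES_256_GCM": 128,
    "CAMELLIA_128_CBC": 128, "CAMELLIA_256_CBC": 128,
    "SEED_CBC": 128,
}
MAC_SUFFIX = re.compile(r"_(SHA(256|384)?|MD5)$")


def cipher_token(suite):
    """Extract the bulk-cipher token, e.g. 'AES_128_CBC' from
    'TLS_RSA_WITH_AES_128_CBC_SHA'. TLS 1.3 names have no '_WITH_'."""
    name = suite.split("_WITH_", 1)[1] if "_WITH_" in suite else suite[len("TLS_"):]
    return MAC_SUFFIX.sub("", name)


def classify(suite):
    """Weakness classes a scanner should report for one suite name:
    'SWEET32' for 64-bit block ciphers, 'CBC' for CBC mode. Whether a CBC
    suite is actually exposed to BEAST/POODLE/Lucky13 depends on the
    protocol versions offered, which the suite name alone does not tell you."""
    token = cipher_token(suite)
    findings = set()
    if BLOCK_BITS.get(token) == 64:
        findings.add("SWEET32")
    if "_CBC" in token:
        findings.add("CBC")
    return findings


def sweet32_flagged(suites):
    """Suites that a SWEET32 check should list; AES-CBC never appears here."""
    return [s for s in suites if "SWEET32" in classify(s)]


# Constructed sample: suites from the report above plus one 3DES suite.
ISSUE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
```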

@nrathaus
Author

nrathaus commented Jul 15, 2019 via email

@dcooper16
Collaborator

> I am seeing a difference between SSLLabs findings of websso.nsd.co.jp (for example) and testssl.sh.
>
> SSLlabs says it's vulnerable (https://www.ssllabs.com/ssltest/analyze.html?d=websso.nsd.co.jp), while testssl.sh does not flag it.

I took a look at https://www.ssllabs.com/ssltest/analyze.html?d=websso.nsd.co.jp and saw no mention of SWEET32 at all. It does mark the AES-CBC ciphers as "WEAK," but that is because of various POODLE attacks, not SWEET32 (see https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities).

The only mention I could find about SWEET32 from SSL Labs was at https://blog.qualys.com/ssllabs/2017/01/18/ssl-labs-grading-changes-january-2017, where it mentions SWEET32 in relation to imposing a penalty for the use of 3DES.

@nrathaus
Author

nrathaus commented Jul 15, 2019 via email

@drwetter
Collaborator

Noam: Next time you should be able to close it yourself too as you opened it.
