2.2 漏洞详情
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】 【可验证】 |
| | 详细描述 | TLS是安全传输层协议,用于在两个通信应用程序之间提供保密性和数据完整性。 TLS, SSH, IPSec协商及其他产品中使用的IDEA、DES及Triple DES密码或者3DES及Triple 3DES存在大约四十亿块的生日界,这可使远程攻击者通过Sweet32攻击,获取纯文本数据。 <*来源:Karthik Bhargavan Gaetan Leurent 链接:https://www.openssl.org/news/secadv/20160922.txt *> | | 解决办法 | 建议:避免使用IDEA、DES和3DES算法 1、OpenSSL Security Advisory [22 Sep 2016] 链接:https://www.openssl.org/news/secadv/20160922.txt 请在下列网页下载最新版本: https://www.openssl.org/source/ 2、对于nginx、apache、lighttpd等服务器禁止使用DES加密算法 主要是修改conf文件 3、Windows系统可以参考如下链接: https://social.technet.microsoft.com/Forums/en-US/31b3ba6f-d0e6-417a-b6f1-d0103f054f8d/ssl-medium-strength-cipher-suites-supported-sweet32cve20162183?forum=ws2016 https://docs.microsoft.com/zh-cn/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel | | 验证方法 | 根据SSL/TLS协议信息泄露漏洞(CVE-2016-2183)原理,通过发送精心构造的数据包到目标服务,根据目标的响应情况,验证漏洞是否存在 | | 威胁分值 | 7.5 | | 危险插件 | 否 | | 发现日期 | 2016-08-31 | | CVE编号 | CVE-2016-2183 | | BUGTRAQ | 92630 | | NSFOCUS | 34880 | | CNNVD编号 | CNNVD-201608-448 | | CNCVE编号 | CNCVE-20162183 | | CVSS评分 | 5.0 | | CNVD编号 | CNVD-2016-06765 | |---------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |
解决方案:上面已经提到了,服务器是linux系统
一、升级OpenSSL 确保您的OpenSSL库是最新的
默认情况下,使用 OpenSSL 1.0.1g 之前版本的服务器不容易受到攻击
版本升级如果是 1.1.0升级到1.1.0a(最低这个版本)
如果是 1.0.2升级到 1.0.2i
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
二、对于nginx、apache、lighttpd等服务器禁止使用DES加密算法
1.打开Nginx的配置文件,通常位于/etc/nginx/nginx.conf或/usr/local/nginx/conf/nginx.conf。
在配置文件中找到ssl_ciphers参数,该参数用于指定支持的加密算法。
修改ssl_ciphers参数的值,将其设置为不包含DES算法的安全加密算法。例如,你可以将其设置为只支持强加密算法的列表,如下所示:
ssl_ciphers EECDH+AESGCM:EECDH+AES256:EECDH+AES128:-DHE-RSA-AES256-SHA:-DHE-RSA-AES128-SHA:-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
这个例子中,!DES-CBC3-SHA表示不包括DES-CBC3-SHA算法,即不包括DES算法。
保存并关闭配置文件。
重新加载或重启Nginx服务
升级OpenSSL参考