SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】

2.2 漏洞详情

|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】【可验证】 |
| | 详细描述 | TLS是安全传输层协议，用于在两个通信应用程序之间提供保密性和数据完整性。 TLS, SSH, IPSec协商及其他产品中使用的IDEA、DES及Triple DES密码或者3DES及Triple 3DES存在大约四十亿块的生日界，这可使远程攻击者通过Sweet32攻击，获取纯文本数据。 <*来源：Karthik Bhargavan Gaetan Leurent 链接：https://www.openssl.org/news/secadv/20160922.txt *> | | 解决办法 | 建议：避免使用IDEA、DES和3DES算法 1、OpenSSL Security Advisory $22 Sep 2016$ 链接：https://www.openssl.org/news/secadv/20160922.txt 请在下列网页下载最新版本： https://www.openssl.org/source/ 2、对于nginx、apache、lighttpd等服务器禁止使用DES加密算法主要是修改conf文件 3、Windows系统可以参考如下链接： https://social.technet.microsoft.com/Forums/en-US/31b3ba6f-d0e6-417a-b6f1-d0103f054f8d/ssl-medium-strength-cipher-suites-supported-sweet32cve20162183?forum=ws2016 https://docs.microsoft.com/zh-cn/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel | | 验证方法 | 根据SSL/TLS协议信息泄露漏洞(CVE-2016-2183)原理，通过发送精心构造的数据包到目标服务，根据目标的响应情况，验证漏洞是否存在 | | 威胁分值 | 7.5 | | 危险插件 | 否 | | 发现日期 | 2016-08-31 | | CVE编号 | CVE-2016-2183 | | BUGTRAQ | 92630 | | NSFOCUS | 34880 | | CNNVD编号 | CNNVD-201608-448 | | CNCVE编号 | CNCVE-20162183 | | CVSS评分 | 5.0 | | CNVD编号 | CNVD-2016-06765 | |---------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |

解决方案：上面已经提到了，服务器是linux系统

一、升级OpenSSL 确保您的OpenSSL库是最新的

默认情况下，使用 OpenSSL 1.0.1g 之前版本的服务器不容易受到攻击

版本升级如果是 1.1.0升级到1.1.0a(最低这个版本)

如果是 1.0.2升级到 1.0.2i

复制代码

OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

二、对于nginx、apache、lighttpd等服务器禁止使用DES加密算法

1.打开Nginx的配置文件，通常位于/etc/nginx/nginx.conf或/usr/local/nginx/conf/nginx.conf。

在配置文件中找到ssl_ciphers参数，该参数用于指定支持的加密算法。

修改ssl_ciphers参数的值，将其设置为不包含DES算法的安全加密算法。例如，你可以将其设置为只支持强加密算法的列表，如下所示：

复制代码

ssl_ciphers EECDH+AESGCM:EECDH+AES256:EECDH+AES128:-DHE-RSA-AES256-SHA:-DHE-RSA-AES128-SHA:-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

这个例子中，!DES-CBC3-SHA表示不包括DES-CBC3-SHA算法，即不包括DES算法。

保存并关闭配置文件。

重新加载或重启Nginx服务

升级OpenSSL参考

SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】处理-CSDN博客