Fixing CVE-2015-4000 in the Karaf framework

Vulnerability description

See reference [1] for the underlying principle. In short, when the server's SSL/TLS ephemeral Diffie-Hellman public key is 1024 bits or shorter, there is a risk that the plaintext can be recovered.

Reproducing it is simple: scan with nmap -sV -Pn --script ssl-dh-params port ip [2], and the vulnerability is reported as follows:

    nmap.exe -sV -Pn --script ssl-dh-params 443 192.168.1.10
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-09 11:14
    Nmap scan report for 192.168.1.10
    Host is up (0.0033s latency).
    Not shown: 996 closed tcp ports (reset)
    ...
    | ssl-dh-params:
    |   VULNERABLE:
    |   Diffie-Hellman Key Exchange Insufficient Group Strength
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use Diffie-Hellman groups
    |       of insufficient strength, especially those using one of a few commonly
    |       shared groups, may be susceptible to passive eavesdropping attacks.
    |     Check results:
    |       WEAK DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    |             Modulus Type: Safe prime
    |             Modulus Source: RFC2409/Oakley Group 2
    |             Modulus Length: 1024
    |             Generator Length: 8
    |             Public Key Length: 1024
    |     References:
    |_      https://weakdh.org

Fix

Following [3,4], the change is as follows:

    [root@node1 etc]# cat org.ops4j.pax.web.cfg
    ...
    # Excluded SSL/TLS Cipher Suites comma-separated list of Regular Expressions
    org.ops4j.pax.web.ssl.ciphersuites.excluded=.*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.*,TLS_DHE.*,SSL.*,.*anon.*,.*EXPORT.*

After the change, run nmap -sV -Pn --script ssl-dh-params port ip again; the scan result shows the vulnerability is gone:

    nmap.exe -sV -Pn --script ssl-dh-params 443 192.168.1.10 (host IP)
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-07 11:53
    Nmap scan report for 192.168.1.10
    Host is up (0.0032s latency).
    Not shown: 997 closed tcp ports (reset)
    PORT     STATE SERVICE  VERSION
    22/tcp   open  ssh      OpenSSH 7.4 (protocol 2.0)
    111/tcp  open  rpcbind  2-4 (RPC #100000)
    ...
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 18.74 seconds

Note that after adding the parameter above, a new problem may appear. The scan result looks like this:

    nmap.exe -sV --script ssl-enum-ciphers -p 443 192.168.1.10
    Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-20 22:26 CST
    Nmap scan report for matrix-node1 (192.168.1.10)
    Host is up (0.000064s latency).
    PORT     STATE SERVICE    VERSION
    443/tcp open  https-alt
    | ssl-enum-ciphers:
    |   TLSv1.0:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       ...
    |     compressors:
    |       NULL
    |   TLSv1.1:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       ...
    |     compressors:
    |       NULL
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       ...
    |     compressors:
    |       NULL
    |_  least strength: strong

Before the configuration change, the scan showed only TLSv1.2 enabled; after the change, TLSv1.0 and TLSv1.1 turn out to be enabled as well. These two protocols also need to be disabled:

    [root@node1 etc]# cat org.ops4j.pax.web.cfg
    ...
    # Excluded SSL/TLS Cipher Suites comma-separated list of Regular Expressions
    org.ops4j.pax.web.ssl.ciphersuites.excluded=.*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.*,TLS_DHE.*,SSL.*,.*anon.*,.*EXPORT.*
    org.ops4j.pax.web.ssl.protocols.excluded=TLSv1,TLSv1.1
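As an added dry-run check (not part of the original post or of Pax Web), the script below applies the two exclusion lists from the configuration above to a constructed set of cipher suites and protocols, so you can see before a restart which finite-field DHE suites and which protocols survive. It assumes each comma-separated entry is a regular expression matched against the whole name, the way Jetty's SslContextFactory treats these lists.

```python
import re

# Exclusion lists copied from the org.ops4j.pax.web.cfg shown above.
EXCLUDED_CIPHERSUITES = ".*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.*,TLS_DHE.*,SSL.*,.*anon.*,.*EXPORT.*"
EXCLUDED_PROTOCOLS = "TLSv1,TLSv1.1"

# Constructed sample of what the JVM might offer: the two suites named in the
# nmap output above plus a few others chosen to exercise each pattern.
OFFERED_SUITES = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",   # the suite ssl-dh-params flagged
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",    # ECDHE: not affected by Logjam
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",         # hit by .*DES.*
    "SSL_RSA_WITH_RC4_128_MD5",              # hit by SSL.*, .*RC4.*, .*MD5.*
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",      # hit by .*anon.*
]
OFFERED_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_patterns(cfg_value):
    """Split a comma-separated Pax Web value into compiled regexes."""
    return [re.compile(p.strip()) for p in cfg_value.split(",") if p.strip()]


def apply_exclusions(offered, cfg_value):
    """Return the names that no exclusion pattern matches in full."""
    patterns = parse_patterns(cfg_value)
    return [name for name in offered
            if not any(p.fullmatch(name) for p in patterns)]


def remaining_dhe_suites(offered, cfg_value):
    """Suites still enabled that use finite-field Diffie-Hellman, i.e. the
    ones ssl-dh-params would still have a group to inspect."""
    return [s for s in apply_exclusions(offered, cfg_value)
            if "_DHE_" in s or "_DH_" in s]


if __name__ == "__main__":
    print("enabled suites:", apply_exclusions(OFFERED_SUITES, EXCLUDED_CIPHERSUITES))
    print("enabled protocols:", apply_exclusions(OFFERED_PROTOCOLS, EXCLUDED_PROTOCOLS))
    print("DH suites left:", remaining_dhe_suites(OFFERED_SUITES, EXCLUDED_CIPHERSUITES))
```

The exclusion removes every finite-field DHE suite rather than enlarging the DH group, so only ECDHE and RSA key exchange remain; the protocol list must be applied separately, which is why the first change alone left TLSv1.0 and TLSv1.1 open.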

References

  1. https://access.redhat.com/zh_CN/articles/1480493
  2. https://www.cnblogs.com/zcg-cpdd/p/15573841.html
  3. https://stackoverflow.com/questions/30523324/how-to-config-local-jetty-ssl-to-avoid-weak-phermeral-dh-key-error
  4. https://github.com/codice/ddf/blob/master/distribution/ddf-common/src/main/resources/etc/org.ops4j.pax.web.cfg