Dear Team,
During a server scan, the following vulnerability was found on Windows Server 2012. Below are the details found in the vulnerability report. The suggested solution is the proper solution. I am unable to find the exact solution. Can you please check and assist with the exact fix?
Issue: Windows Server 2012 detected with weak SSL/TLS key exchange on port 8443
QID Detection Logic:
For an SSL-enabled port, the scanner probes and maintains a list of supported SSL/TLS versions. For each supported version, the scanner does an SSL handshake to get a list of KEX methods supported by the server. It reports all KEX methods that are considered weak and lists all server-supported ciphers for each weak key exchange method supported by the server.
The criteria of a weak KEX method is as follows:
The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges or 224 bits for Elliptic Curve Diffie Hellman key exchanges.
Impact: An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content.
Solution:
Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges used on the server should provide at least 112 bits of security, so the minimum key size to not flag this QID should be:
2048 bit key size for Diffie Hellman (DH) or RSA key exchanges
224 bit key size for Elliptic Curve Diffie Hellman (ECDH) key exchanges.
Results:
------------------------------------------------------------------------------------------
PROTOCOL CIPHER NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH
------------------------------------------------------------------------------------------
TLSv1.2 DHE-RSA-AES128-SHA DHE 1024 yes 80 low#
------------------------------------------------------------------------------------------
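
Added example (not part of the original post and not the scanner's own code): the weak key exchange criteria quoted in the report, applied in Python to rows in the Results layout, which is a quick way to re-check a rescan after a configuration change. The column mapping (key exchange name, optional named group, key size) is an assumption, and every sample row except the first is constructed.

```python
# Minimum key sizes from the report's criteria (at least 112 bits of security).
MIN_DH_RSA_BITS = 2048
MIN_ECDH_BITS = 224

# Only the first data row comes from the report; the other rows are
# constructed to exercise the optional-group case and the ECDH threshold.
SAMPLE = """\
PROTOCOL CIPHER NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH
------------------------------------------------------------
TLSv1.2 DHE-RSA-AES128-SHA DHE 1024 yes 80 low#
TLSv1.2 ECDHE-RSA-AES128-SHA ECDHE secp256r1 256 yes 128 low
TLSv1.2 ECDHE-RSA-AES128-SHA ECDHE secp192r1 192 yes 96 low
TLSv1.2 DHE-RSA-AES256-SHA DHE 2048 yes 110 low
"""

def parse_rows(text):
    """Return one dict per data row; header, rule and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.strip().rstrip("#").split()
        if len(tok) < 6 or not tok[0].startswith(("TLSv", "SSLv")):
            continue
        # Assumption: a named group (curve) may sit between the key exchange
        # name and the key size; the DHE row in the report has none.
        group = None if tok[3].isdigit() else tok[3]
        rest = tok[3:] if group is None else tok[4:]
        if not rest[0].isdigit():
            continue  # layout not understood, do not guess
        rows.append({"protocol": tok[0], "cipher": tok[1], "kex": tok[2],
                     "group": group, "key_bits": int(rest[0]),
                     "forward_secret": rest[1] == "yes"})
    return rows

def minimum_bits(kex):
    """Minimum key size for a key exchange name, per the report's criteria."""
    if kex.startswith("EC"):
        return MIN_ECDH_BITS
    if kex in ("DH", "DHE", "RSA"):
        return MIN_DH_RSA_BITS
    return None  # not covered by the criteria quoted in the report

def weak_key_exchanges(text):
    """Return the rows whose key size is below the minimum for their KEX."""
    weak = []
    for row in parse_rows(text):
        need = minimum_bits(row["kex"])
        if need is not None and row["key_bits"] < need:
            weak.append({**row, "required_bits": need})
    return weak

if __name__ == "__main__":
    for r in weak_key_exchanges(SAMPLE):
        print(r["protocol"], r["cipher"], r["kex"], r["key_bits"], "<", r["required_bits"])
```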