Task #12571
Task #12556: Pentest - 2nd Assessment [2021]
Pentest_IBAM - Diffie-Hellman Group Smaller Than 2048 Bits [LOW]
| Status: | Closed - End of life cycle | Start date: | November 08, 2021 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: |  Nurul Athira Abdul Rahim | % Done: | 100% | |
| Category: | Penetration Test Issue | Spent time: | - | |
| Target version: | - |
Description
The web server uses a Diffie-Hellman group with a prime modulus of less than 2048 bits in length. Current estimates are that that an academic team can break a 768-bit prime and that a state-level actor can break a 1024-bit prime.
Solution provided by LGMS :
Please refer to this https://weakdh.org/sysadmin.html guide to deploying Diffie-Hellman for TLS for instructions on how to configure the server to use 2048-bit or stronger Diffie-Hellman groups with safe primes.
'TLSv1.2 Ciphers:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024)
History
#1
Updated by Nurul Athira Abdul Rahim almost 3 years ago
- Status changed from New - Begin Life Cycle to System Integration Test
- Assignee changed from Chun Feng Lim to Nurul Athira Abdul Rahim
- % Done changed from 0 to 90
In WebSphere we had enforced tls1.2 and disable older tls versions.
#2
Updated by Nurul Athira Abdul Rahim over 2 years ago
- Status changed from System Integration Test to Development / Work In Progress
- Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin
Kindly review the fixes, as the new pentest (March,9,20202) result status stated "not solved".
#3
Updated by Najmi Pasarudin over 2 years ago
- Status changed from Development / Work In Progress to System Integration Test
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
LGMS solution not possible based on CF comment.
CF:
Listed TLS were used by IBM WAS Application and default supported TLS encrption under strong cipher suite groups settings. Not recommened to be changed as it might affect communucations among webspheres
#4
Updated by Nurul Athira Abdul Rahim 7 months ago
- Status changed from System Integration Test to Closed - End of life cycle
- % Done changed from 90 to 100
Closed for this and refer new 2023/2024 pentest report