Task #12572
Task #12556: Pentest - 2nd Assessment [2021]
Pentest_IBAM - TLS/SSL Server Is Using Commonly Used Prime Numbers [LOW]
| Status: | Closed - End of life cycle | Start date: | November 08, 2021 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Nurul Athira Abdul Rahim | % Done: | 100% |
| Category: | Penetration Test Issue | Spent time: | - |
| Target version: | - | | |
Description
The server is using a common or default prime number as the parameter of its Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack: an attacker can invest a significant amount of computation up front to build a lookup table for that particular prime, and the table can then be reused to recover the shared secret of a handshake and decrypt the session.
Solution provided by LGMS:
Configure the server to use a randomly generated Diffie-Hellman group. It is recommended to generate a 2048-bit group. The simplest way of generating a new group is to use OpenSSL:
openssl dhparam -out dhparams.pem 2048
To use the DH parameters in newer versions of Apache (2.4.8 and newer) with OpenSSL 1.0.2 or later, specify the DH parameters file directly as follows:
SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
If Apache with LibreSSL, or Apache 2.4.7 with OpenSSL 0.9.8a or later, is in use, append the DH parameters generated earlier to the end of the certificate file and reload the configuration.
For other products, see the remediation steps suggested by the original researchers at https://weakdh.org/sysadmin.html.
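As an added check written for this issue (not part of the LGMS report or of OpenSSL), the following Python parses the dhparams.pem that the openssl command above writes and confirms that the group is a safe prime of at least 2048 bits with a sane generator, which is what `openssl dhparam` is expected to produce. The function names and the embedded SAMPLE_PEM (a constructed 5-bit group that fails on purpose) are mine; uniqueness of the prime comes from having generated it yourself, so this complements rather than replaces the weakdh.org guidance.

```python
# Sanity-check a dhparams.pem (PKCS#3 DHParameter: SEQUENCE { prime INTEGER, base INTEGER }).
# Example code written for this issue; not from the LGMS report or from OpenSSL.
import base64

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # trial division and MR witnesses
# Constructed sample (p = 23, g = 5; DER 30 06 02 01 17 02 01 05): far too small, so it must fail.
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, i):  # DER tag-length-value; returns (tag, value, offset past the element)
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the real length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def parse_dhparams(pem):  # returns (p, g) from a PEM DH PARAMETERS block
    b64 = "".join(l for l in map(str.strip, pem.splitlines()) if l and not l.startswith("-----"))
    tag, body, _ = _read_tlv(base64.b64decode(b64), 0)
    tag_p, p_bytes, nxt = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, nxt)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("not a DER SEQUENCE of two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def is_probable_prime(n):  # Miller-Rabin with fixed witness bases; adequate for checking own params
    if n < 41:  # everything below 41 is settled by the lookup
        return n in SMALL_PRIMES
    if any(n % sp == 0 for sp in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def assess_group(p, g, min_bits=2048):  # openssl dhparam emits safe primes: p = 2q + 1, q prime
    prime = is_probable_prime(p)
    safe = prime and is_probable_prime((p - 1) // 2)
    gen_ok = 1 < g < p - 1
    return {"bits": p.bit_length(), "prime": prime, "safe_prime": safe, "generator_ok": gen_ok,
            "acceptable": safe and gen_ok and p.bit_length() >= min_bits}
```

Point it at a real file with `assess_group(*parse_dhparams(open("dhparams.pem").read()))`; only a result with `"acceptable": True` should be deployed.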
History
#1 Updated by Nurul Athira Abdul Rahim almost 3 years ago
- Status changed from New - Begin Life Cycle to System Integration Test
- Assignee changed from Chun Feng Lim to Nurul Athira Abdul Rahim
- % Done changed from 0 to 90
No available patch from IBM for the latest TLSv1.2 ciphers.
#2 Updated by Nurul Athira Abdul Rahim 7 months ago
- Status changed from System Integration Test to Closed - End of life cycle
- % Done changed from 90 to 100
Closed, now refer to the latest pentest 2023.