Sid 1-40186

Message

POLICY-OTHER SSL weak 3DES cipher suite use attempt

Summary

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Impact

CVE-2016-2183:

CVSS base score 5.3

CVSS impact score 1.4

CVSS exploitability score 3.9

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Detailed information

CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Affected systems

  • cisco content_security_management_appliance 9.6.6-068
  • cisco content_security_management_appliance 9.7.0-006
  • openssl openssl 1.0.1a
  • openssl openssl 1.0.1b
  • openssl openssl 1.0.1c
  • openssl openssl 1.0.1d
  • openssl openssl 1.0.1e
  • openssl openssl 1.0.1f
  • openssl openssl 1.0.1g
  • openssl openssl 1.0.1h
  • openssl openssl 1.0.1i
  • openssl openssl 1.0.1j
  • openssl openssl 1.0.1k
  • openssl openssl 1.0.1l
  • openssl openssl 1.0.1m
  • openssl openssl 1.0.1n
  • openssl openssl 1.0.1o
  • openssl openssl 1.0.1p
  • openssl openssl 1.0.1q
  • openssl openssl 1.0.1r
  • openssl openssl 1.0.1t
  • openssl openssl 1.0.2a
  • openssl openssl 1.0.2b
  • openssl openssl 1.0.2c
  • openssl openssl 1.0.2d
  • openssl openssl 1.0.2e
  • openssl openssl 1.0.2f
  • openssl openssl 1.0.2h
  • python python 2.7
  • python python 3.3
  • python python 3.4.0
  • python python 3.5
  • python python 3.6
  • redhat jboss_enterprise_application_platform 6.0.0
  • redhat jboss_enterprise_web_server 1.0.0
  • redhat jboss_enterprise_web_server 2.0.0
  • redhat jboss_web_server 3.0
  • redhat enterprise_linux 5.0
  • redhat enterprise_linux 6
  • redhat enterprise_linux 7.0

Ease of attack

CVE-2016-2183:

Access Vector

Access Complexity

Authentication

False positives

None known

False negatives

None known

Corrective action

Contributors

  • Talos research team.
  • This document was generated from data supplied by the National Vulnerability Database, a product of the National Institute of Standards and Technology.
  • For more information see NVD.

Additional References