Cyber Essentials Plus and Sweet32 vulnerability
I have been doing Cyber Essentials Plus certifications for several years now and one area that always seems to catch people unaware is the use of weaker ciphers in their environment, Windows especially. The main area I always find at fault is the Sweet32 vulnerability which, when detected with Tenable Nessus, reports it as a CVSS 7.5, which is a fail in the scheme.
CVSS what now?
CVSS is a scoring system for vulnerability systems, its an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:
|Low||0.1 – 3.9|
|Medium||4.0 – 6.9|
|High||7.0 – 8.9|
|Critical||9.0 – 10.0|
In case you were not aware, when performing a Cyber Essentials audit, you have a vulnerability assessment performed against your internal network which is in scope of the assessment (as well as your external gateway), if any findings have a score of CVSS 7.0 or above this is classed as a fail and needs to be remediated before you can achieve the certification.
This blog article has been partially written to try and help people understand what they need to do to resolve this issue and help them achieve Cyber Essentials Plus easier as well as raising awareness of not having weaker SSL ciphers enabled within the environment.
What is Sweet32?
The Sweet32 vulnerability has been around since 2016, Sweet32 is the name of the attack that was released by a pair of security researchers that were based at the French National Research Institute for Computer Science (INRIA).
Their findings where assigned the CVE’s CVE-2016-2183 and CVE-2016-6329, it was found that the attack takes advantage of a design weakness in some SSL ciphers, the ciphers, are used in common protocols such as TLS, SSH, IPSec and OpenVPN.
The attack makes use of older ciphers which are known to be weaker and offer less protection against attacks, the Sweet32 attack allows an attacker, in certain limited circumstances, to recover small portions of plaintext when encrypted with 64-bit block ciphers, such as (3DES and Blowfish).
What are Block ciphers
Block ciphers are a type of symmetric algorithm that encrypts plaintext in blocks, as the name implies, rather than bit-by-bit. One of the characteristics of such ciphers is the block length; which determines the size of the chunks into which the plaintext is split and then encrypted. Importantly, the block length of the cipher is independent of the length of the key. So even if you choose a large key size for your encryption, the block length of the cipher can impose its own limitations, and in this case, vulnerabilities.
How can I remove the Sweet32 vulnerability?
To help protect against this vulnerability, you need to disable some older ciphers in the registry, this can be done as follows:
To disable RC4 on your Windows server, set the following registry keys:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] “Enabled”=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] “Enabled”=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] “Enabled”=dword:00000000
To disable 3DES on your Windows server, set the following registry key:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168] “Enabled”=dword:00000000
If your Windows version is anterior to Windows Vista (i.e. XP, 2003), you will need to set the following registry key:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168] “Enabled”=dword:00000000