Secure Sockets Layer (SSL) is a secure data transmission protocol using public/private key encryption. During Managed Detection & Response (MDR) vulnerability scans, Alert Logic conducts many types of SSL vulnerability checks, including the detection of weak and insecure SSL ciphers accepted by the target host. In Q1 2023, Alert Logic scanning capabilities were updated to detect 200 additional weak and insecure SSL ciphers. Many customers had difficulty addressing the significant increase in detected weak and insecure ciphers. In addition, PCI compliance was impacted for some customers, who claimed that it was impossible to support because of software and architecture limitations.
Alert Logic has made updates to improve how weak and insecure SSL cipher exposures are presented to MDR customers in the Alert Logic console.
Weak Ciphers Exposures
When assessing SSL ciphers in your environment, Alert Logic will now categorize detected weak and insecure ciphers under two separate security exposure identifiers (EIDs):
- EID 31861: SSL – Server Supports Weak SSL Ciphers is the Medium severity exposure used for weak ciphers that fail Payment Card Industry (PCI) requirements.
- EID 217808: SSL – Server Supports Insecure SSL Ciphers is the Low severity exposure used for all other SSL ciphers that are considered insecure but will not fail PCI requirements.
Both exposures are categorized under the "Reconfigure Service/ Uninstall If Unneeded" security remediation. If weak and insecure ciphers are detected during a scan, the hosts will be reported with these exposures in the Alert Logic console.
You can check if these exposures have been detected under (navigation menu) > Respond > Exposures and select Exposures from the drop-down menu.
Within the Exposure console, you can enter SSL ciphers in the Search box.
Note: If you previously disposed of insecure ciphers for the "SSL – Server Supports Weak SSL Ciphers" exposure, then they may be reported as new vulnerability instances for the "SSL – Server Supports Insecure SSL Ciphers" exposure and will require you to dispose again under the new exposure.
SSL Ciphers Groupings
Weak and insecure SSL ciphers will now be grouped into a consolidated list for a specific protocol and port instead of individually for each cipher. This will make it easier to address all the weak and insecure cipher exposures detected on a specific port and help to reduce the number of vulnerability instances reported.
Within the Exposure console, Instance Evidence details on the specific weak SSL cipher(s) accepted by the host are available by clicking Open for the "SSL – Server Supports Weak SSL Ciphers" exposure.
Note: If you previously disposed of individual weak or insecure SSL ciphers for a specific protocol and port under the "SSL – Server Supports Weak SSL Ciphers" exposure, then they may be included in the consolidated list for new vulnerability instances and will require you to dispose again under the new exposure.
Additional Resources
For more information on which weak and insecure SSL ciphers are detected, and implementation guidance, see the following resources: