[Research] Nessus reports Splunk port 8089 with 35291 - SSL Certificate Signed Using Weak Hashing Algorithm
2021-06-01
35291 - SSL Certificate Signed Using Weak Hashing Algorithm
Synopsis
An SSL certificate in the certificate chain has been signed using a weak hash algorithm.
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
See Also
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
Solution
Contact the Certificate Authority to have the SSL certificate reissued.
Risk Factor
Medium
CVSS v3.0 Base Score
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVSS v3.0 Temporal Score
6.7 (CVSS:3.0/E:P/RL:O/RC:C)
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.9 (CVSS2#E:POC/RL:OF/RC:C)
References
BID 11849
BID 33065
CVE CVE-2004-2761
XREF CERT:836068
XREF CWE:310
Plugin Information
Published: 2009/01/05, Modified: 2020/04/27
Plugin Output
tcp/8089/www
The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.
|-Subject : C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/E=support@splunk.com
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : May 11 19:51:37 2015 GMT
|-Valid To : May 08 19:51:37 2025 GMT
|-Subject : CN=aplog.nccst.nat.gov.tw/O=SplunkUser
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : May 09 06:43:09 2017 GMT
|-Valid To : May 08 06:43:09 2020 GMT
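Both certificates in the output above, the leaf and the SplunkCommonCA that issued it, are signed with SHA-1, which is what the plugin flags. To reproduce that check without Nessus, the following is an added example (written for this page, not code from the original post, from Tenable or from Splunk) that uses only the Python standard library: it decodes just enough DER to read the signatureAlgorithm OID out of a certificate and flags the MD2/MD4/MD5/SHA-1 OIDs the description lists. The sample certificates are constructed shells (structurally valid, not real certificates), and the port 8089 default in the fetch helper is an assumption for the Splunk management port.

```python
"""Added example (not from the post, Tenable or Splunk): reproduce the check
Nessus plugin 35291 performs, with the Python standard library only. We decode
just enough DER to read the OID inside a certificate's signatureAlgorithm:
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
import socket
import ssl

# Signature OIDs whose hash is MD2/MD4/MD5/SHA-1: the set plugin 35291 flags.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
KNOWN_SIG_OIDS = {  # acceptable algorithms we can name; others are shown as OIDs
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos, expect_tag):
    """Decode the DER tag/length at buf[pos]; return (value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != expect_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expect_tag, tag))
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return pos, pos + length

def _decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate."""
    body_start, _ = _read_tlv(der, 0, 0x30)          # Certificate
    _, tbs_end = _read_tlv(der, body_start, 0x30)    # tbsCertificate (skipped)
    alg_start, _ = _read_tlv(der, tbs_end, 0x30)     # AlgorithmIdentifier
    oid_start, oid_end = _read_tlv(der, alg_start, 0x06)
    return _decode_oid(der[oid_start:oid_end])

def classify(der):
    """(algorithm name or OID, is_weak) for one DER certificate."""
    oid = signature_algorithm_oid(der)
    if oid in WEAK_SIG_OIDS:
        return WEAK_SIG_OIDS[oid], True
    return KNOWN_SIG_OIDS.get(oid, oid), False

def report_chain(pem_blob):
    """Classify every certificate in a PEM blob, e.g. the saved output of
    `openssl s_client -connect host:8089 -showcerts </dev/null`."""
    head, tail = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    results = []
    for part in pem_blob.split(head)[1:]:
        pem = head + part.split(tail)[0] + tail + "\n"
        results.append(classify(ssl.PEM_cert_to_DER_cert(pem)))
    return results

def fetch_leaf_der(host, port=8089, timeout=5):
    """Leaf certificate of a live server (verification off: inspecting, not
    trusting). Only the leaf is returned; use report_chain for the full chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed samples (not real certificates): structurally valid Certificate
# shells with a one-INTEGER tbsCertificate, an AlgorithmIdentifier with NULL
# parameters and a dummy BIT STRING signature. The parser needs nothing more.
SHA1_RSA_OID_HEX = "2a864886f70d010105"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID_HEX = "2a864886f70d01010b"  # 1.2.840.113549.1.1.11

def fake_cert(sig_oid_hex):
    oid = bytes.fromhex(sig_oid_hex)
    alg = bytes([0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x01" + bytes([0x30, len(alg)]) + alg + b"\x03\x02\x00\x00"
    return bytes([0x30, len(body)]) + body

def constructed_chain_pem():
    """A two-certificate PEM blob shaped like `s_client -showcerts` output."""
    return "".join(ssl.DER_cert_to_PEM_cert(fake_cert(h))
                   for h in (SHA1_RSA_OID_HEX, SHA256_RSA_OID_HEX))

if __name__ == "__main__":
    for name, weak in report_chain(constructed_chain_pem()):
        print("%-28s %s" % (name, "WEAK" if weak else "ok"))
```

Against a real Splunk host, save `openssl s_client -connect host:8089 -showcerts </dev/null` to a file and pass its text to report_chain; that covers the issuing CA as well as the leaf, which is what Nessus does. Only certificates whose signatureAlgorithm is SHA-1 or older are flagged; a SHA-256 leaf issued by a SHA-1 SplunkCommonCA still produces the finding, so the CA has to be replaced too.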
Possible fixes for reference (not fully tested yet):
SPLUNK SSL Certificate Signed Using Weak Hashing Algorithm @ 肉鬆哥 & Mini Cooper :: 隨意窩 Xuite日誌 (Xuite blog)
How to self-sign certificates - Splunk Documentation (7.0.2)
https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Howtoself-signcertificates
How to self-sign certificates - Splunk Documentation ( 8.1.3)
https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Howtoself-signcertificates
If the process fails with "unknown option -CAcreaterial", the option is misspelt: the real OpenSSL x509 flag is -CAcreateserial, which creates the CA serial file on first use. Correct the spelling rather than dropping the flag.
(End)