How to address SSL/TLS vulnerabilities on Windows Server 2019 (CVE-2002-20001, CVE-2022-40735,CVE-2013-2566, CVE-2015-2808, CVE-2015-4000)

Question

How to address SSL/TLS vulnerabilities on Windows Server 2019 (CVE-2002-20001, CVE-2022-40735,CVE-2013-2566, CVE-2015-2808, CVE-2015-4000)

HaveQuestionsNeedAnswers 0

Need direction with resolving (or accurately documenting false positive) two vulnerabilities that are being detected by vulnerability scans.

1 - Weak' cipher suites accepted by this service via the TLSv1.2 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA (TCP ports 636 and 3389)

2 - 'DHE' cipher suites accepted by this service via the TLSv1.2 protocol: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (TCP port 3389)

The vulnerabilities above are being detected across the board in my server environment including a DC, an RDS farm, and a few application servers.

I have tried to use the following resource to restrict the use of Ciphers without success.

https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman

https://learn.microsoft.com/en-us/answers/questions/1006253/how-to-know-which-versions-of-tls-is-are-enabled-o

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
HaveQuestionsNeedAnswers 0 Reputation points

2023-08-21T15:09:54.9+00:00

To further clarify I have used the "SSL Cipher Suite Order" GP setting to restrict suites used to the list below. Why would the detections above occur if they are not in the list below? Is this an scanner issue? if so, how can I prove?

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256

2 answers

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
HaveQuestionsNeedAnswers 0 Reputation points

2023-08-21T15:09:54.9+00:00

To further clarify I have used the "SSL Cipher Suite Order" GP setting to restrict suites used to the list below. Why would the detections above occur if they are not in the list below? Is this an scanner issue? if so, how can I prove?

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256

Answer 1

Limitless Technology 44,751

Hello there,

If you have specific reasons to keep these cipher suites enabled for compatibility with older systems or applications, you can document these vulnerabilities as false positives in your security documentation. Be sure to include a clear explanation of why these cipher suites are enabled, the associated risks, and any compensating controls you have in place to mitigate those risks.

The 'DHE' cipher suites are considered secure, but you can further enhance security by ensuring that your servers support forward secrecy. Forward secrecy ensures that even if an attacker obtains the server's private key, they cannot decrypt past communication sessions.

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–

HaveQuestionsNeedAnswers 0 Reputation points

2023-08-21T15:12:44.6333333+00:00

Thank you for your response, I have posted additional information on my original post. Well helpful, I am looking for more detail than the information you have provided to help me resolve the matter.

Answer 2

Simon 0

Did you every figure how to fix this?

(So CVE-2022-40735, CVE-2002-20001 dont show up when doing a vulnerability scanning.)

Share via

How to address SSL/TLS vulnerabilities on Windows Server 2019 (CVE-2002-20001, CVE-2022-40735,CVE-2013-2566, CVE-2015-2808, CVE-2015-4000)

2 answers

Your answer