相关文章推荐
酒量大的乒乓球  ·  sql 在关键字 'EXCEPT' ...·  1 年前    · 
完美的草稿本  ·  input.focus()失效 - 掘金·  1 年前    · 
帅呆的豌豆  ·  python ...·  1 年前    · 
成熟的橡皮擦  ·  如何实现多个Git仓库同步_Appleex的 ...·  1 年前    · 
Code  ›  openssl漏洞检查修复_wx63626bb577bb3的技术博客_
ssh aes加密 openssl sha256
https://blog.51cto.com/u_15859002/5827329
安静的橙子
1 年前


漏洞发现 

[root@localhost Git]# nmap -sV --script ssl-enum-ciphers -p 8888 x.x.x.x
Starting Nmap 6.40 ( http://nmap.org ) at 2022-09-14 21:52 CST
Stats: 0:01:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for x.x.x.x
Host is up (0.047s latency).
PORT     STATE SERVICE    VERSION
8888/tcp open  ssl/abyss?
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: weak

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.05 seconds

漏洞描述
TLS, SSH, IPSec协商及其他产品中使用的IDEA、DES及Triple DES密码或者3DES及Triple 3DES存在大约四十亿块的生日界,这可使远程攻击者通过Sweet32攻击,获取纯文本数据。
TLS是安全传输层协议,用于在两个通信应用程序之间提供保密性和数据完整性。


漏洞解决
重点:避免使用IDEA、DES和3DES算法
1、OpenSSL Security Advisory [22 Sep 2016]
链接:https://www.openssl.org/news/secadv/20160922.txt
请在下列网页下载最新版本:
​​ ​ https://www.openssl.org/source/​ ​​ 2、对于nginx、apache、lighttpd等服务器禁止使用DES加密算法
主要是修改conf文件
3、Windows系统可以参考如下链接:
https://social.technet.microsoft.com/Forums/en-US/31b3ba6f-d0e6-417a-b6f1-d0103f054f8d/ssl-medium-strength-cipher-suites-supported-sweet32cve20162183?forum=ws2016
https://docs.microsoft.com/zh-cn/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

4、如果是tcp+ssl(tcp服务端然后用ssl加密数据流)服务端,这时候我们调用的是openssl.so的库函数对数据进行加解密,同样可以指定加密算法套件,这里只列出关键代码: 

ctx = SSL_CTX_new(TLSv1_2_server_method());

    if (!SSL_CTX_set_cipher_list(ctx, "RSA+AES")) {
        Log("error in cipher list");
        goto err_ssl;
    }

漏洞验证 

[root@localhost GitHub]# nmap -sV --script ssl-enum-ciphers -p 8888 x.x.x.x

Starting Nmap 6.40 ( http://nmap.org ) at 2022-09-14 21:42 CST
Stats: 0:01:48 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for x.x.x.x
Host is up (0.044s latency).
PORT     STATE SERVICE    VERSION
8888/tcp open  ssl/abyss?
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.03 seconds

检查ssh

登陆本机检查ssh使用的所有加密套件 

[root@ii bin]# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

远程通过nmap扫ssh开启的加密套件 

[root@localhost xxx]# nmap --script ssh2-enum-algos -sV -p 22 xxx.xxx.xxx.xxx
Starting Nmap 6.40 ( http://nmap.org ) at 2022-10-08 10:17 CST
Nmap scan report for 8.140.187.195
Host is up (0.037s latency).
PORT     STATE SERVICE VERSION
9990/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms (12)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds

修改ssh配置

报错

-- Unit sshd.service has begun starting up.
Oct 08 10:37:08 xxx sshd[10523]: /etc/ssh/sshd_config line 41: Deprecated option RSAAuthentication
Oct 08 10:37:08 xxx sshd[10523]: /etc/ssh/sshd_config line 178: Directive 'Ciphers' is not allowed within a Match block
Oct 08 10:37:08 xxx systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Oct 08 10:37:08 xxx systemd[1]: Failed to start OpenSSH server daemon. 

[root@xxx bin]# vim /etc/ssh/sshd_config
#如果ssh中sftp配置过下面两句,需要将ssh相关配置放在这两句之前
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Subsystem sftp internal-sftp
Match Group sftp

参考

​​CVE-2016-2183 修复过程,亲测有效 - SegmentFault 思否​​

​修复DES和Triple DES 信息泄露漏洞(CVE-2016-2183) | 易学教程​

 
推荐文章
酒量大的乒乓球  ·  sql 在关键字 'EXCEPT' 附近有语法错误。_百度知道
1 年前
完美的草稿本  ·  input.focus()失效 - 掘金
1 年前
帅呆的豌豆  ·  python xlwings读取excel文件(只读取)_一晌小贪欢的博客-CSDN博客
1 年前
成熟的橡皮擦  ·  如何实现多个Git仓库同步_Appleex的技术博客_51CTO博客
1 年前
今天看啥   ·   Py中国   ·   codingpro   ·   小百科   ·   link之家   ·   卧龙AI搜索
删除内容请联系邮箱 2879853325@qq.com
Code - 代码工具平台
© 2024 ~ 沪ICP备11025650号