Description

The server allows the usage of insecure TLS protocol versions.

Impact

Compromise sensitive information that travels between client and server.

Recommendation

Update TLS protocol to version TLSv1.2 or TLSv1.3 if possible.

Threat

Unauthorized attacker from adjacent network.

Expected Remediation Time

⌚ 100 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

• Attack vector: A
• Attack complexity: H
• Privileges required: N
• User interaction: R
• Scope: U
• Confidentiality: L
• Integrity: N
• Availability: N

Temporal

• Exploit code maturity: P
• Remediation level: O
• Report confidence: R

Result

• Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R
• Score:
• Base: 2.6
• Temporal: 2.3
• Severity:
• Base: Low
• Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: A
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: P
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Result 4.0

• Vector string: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
• Score:
• CVSS-BT: 1.2
• Severity:
• CVSS-BT: Low

Details

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers.

The most common and well-known use of SSL/TLS is secure web browsing via the HTTPS protocol. Users visiting an HTTPS website can be assured of:

- Authenticity, The server presenting the certificate is in possession of the private key that matches the public key in the certificate.

- Integrity, Documents signed by the certificate (e.g. web pages) have not been altered in transit by a man in the middle.

- Encryption, Communications between the client and server are encrypted.

Because of these properties, SSL/TLS and HTTPS allow users to securely transmit confidential information such as credit card numbers, social security numbers, and login credentials over the internet, and be sure that the website they are sending them to is authentic.

With an insecure HTTP website, these data are sent as plain text, readily available to any eavesdropper with access to the data stream. Furthermore, users of these unprotected websites have no trusted third-party assurance that the website they are visiting is what it claims to be.

Requirements

• 148.Set minimum size of asymmetric encryption
• 149.Set minimum size of symmetric encryption
• 150.Set minimum size for hash functions
• 181.Transmit data using secure protocols
• 336.Disable insecure TLS versions

Fixes

• Swift
• Java
• Elixir
• Go
• Ruby
• Aws
• PHP
• Scala
• Python
• Azure

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.