Nexpose Vulnerability Database

TLS/SSL Server Supports SSLv2

Severity: Severe (5)
CVSS: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: Jan 1, 1996
Added: Feb 9, 2009
Modified: Jan 28, 2011

Description:

Although the server accepts clients using TLS or SSLv3, it also accepts clients using SSLv2. SSLv2 is an older implementation of the Secure Sockets Layer protocol. It suffers from a number of security flaws allowing attackers to capture and alter information passed between a client and the server, including the following weaknesses:

  • No protection against man-in-the-middle attacks during the handshake.
  • Weak MAC construction, with the MAC relying solely on the MD5 hash function.
  • Exportable cipher suites unnecessarily weaken the MACs.
  • The same cryptographic keys are used for message authentication and encryption.
  • Vulnerable to truncation attacks by forged TCP FIN packets.

SSLv2 has been deprecated and is no longer recommended. Note that neither SSLv2 nor SSLv3 meets the U.S. FIPS 140-2 standard, which governs cryptographic modules for use in federal information systems. Only the newer TLS (Transport Layer Security) protocol meets FIPS 140-2 requirements. In addition, the presence of an SSLv2-only service on a host is deemed a failure by the PCI (Payment Card Industry) Data Security Standard.

Note that this vulnerability will be reported when the remote server supports SSLv2, regardless of whether TLS or SSLv3 is also supported.

Solution:

Disable SSLv2 protocol support

Configure the server to require clients to use at least SSLv3 or TLS.

For Microsoft IIS web servers, see Microsoft Knowledgebase article Q187498 for instructions on disabling SSL 2.0.

For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2

The ! (exclamation point) before SSLv2 is what disables this protocol.
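To check a configuration after making this change, the following Python script (an added example, not part of the original entry or of mod_ssl) reads Apache configuration text and reports whether SSLv2 is still reachable, either because the cipher string lacks !SSLv2 or because mod_ssl's SSLProtocol directive, which this page does not mention, leaves the protocol enabled. It assumes a legacy mod_ssl build in which "all" includes SSLv2 and is the default, treats the file as a single scope, and uses hypothetical function names and constructed sample configurations.

```python
import re

LEGACY_ALL = {"sslv2", "sslv3", "tlsv1"}  # assumption: legacy "all" includes SSLv2

def directives(conf_text):
    """Yield (lowercased name, argument string) for each directive line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":   # skip comments and <Section> tags
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "").strip('"')

def protocols_enabled(args):
    """Model SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in args.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(LEGACY_ALL) if name == "all" else {name}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group
    return enabled

def ciphers_exclude_sslv2(args):
    """True when the cipher string carries the permanent exclusion !SSLv2."""
    return "!SSLv2" in re.split(r"[:, ]+", args)

def audit(conf_text):
    """Treat the text as one scope (simplification); the last directive wins."""
    proto, ciphers = "all", ""            # assumed default: all protocols enabled
    for name, args in directives(conf_text):
        if name == "sslprotocol":
            proto = args
        elif name == "sslciphersuite":
            ciphers = args
    by_proto = "sslv2" not in protocols_enabled(proto)
    by_cipher = ciphers_exclude_sslv2(ciphers)
    return {"protocol_disabled": by_proto, "ciphers_excluded": by_cipher,
            "sslv2_reachable": not (by_proto or by_cipher)}

# Constructed sample configurations (AFTER uses the line from this page).
BEFORE = "SSLEngine on\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2\n"
AFTER = "SSLEngine on\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2\n"
BY_PROTOCOL = "SSLProtocol all -SSLv2\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH\n"

if __name__ == "__main__":
    print({k: audit(v) for k, v in (("before", BEFORE), ("after", AFTER), ("protocol", BY_PROTOCOL))})
```

Because an included file or a per-virtual-host directive can override what this single-scope check sees, confirm the result by rescanning the server.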