SSL/TLS Certificate RSA Keys Less Than 2048 bits

medium Web App Scanning Plugin ID 112540

Language:

Synopsis

SSL/TLS Certificate RSA Keys Less Than 2048 bits

Description

The remote server certificate has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits. Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.

Solution

Replace the certificate with the RSA key less than 2048 bits in length with a longer key, and reissue any certificates signed by the old certificate.

Plugin Details

Severity: Medium

ID: 112540

Type: remote

Family: SSL/TLS

Published: 2/1/2019

Updated: 7/13/2023

Scan Template: api, basic, config_audit, full, pci, quick, scan, ssl_tls

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Low

Base Score: 3.2

Vector: CVSS2#AV:A/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4.2

Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 326

OWASP: 2010-A7, 2013-A6, 2017-A3, 2021-A2

WASC: Application Misconfiguration

CAPEC: 112, 192, 20

DISA STIG: APSC-DV-002440

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.10.1.2

NIST: sp800_53-SC-12

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-9.1.2

PCI-DSS: 3.2-6.5.3, 3.2-6.5.4