SSL/TLS Weak Key Exchange Supported

medium Web App Scanning Plugin ID 113316

Language:

Synopsis

SSL/TLS Weak Key Exchange Supported

Description

The remote host supports SSL/TLS key exchanges that are cryptographically weaker than recommended. Key exchanges must be recommended by IANA and should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.

Solution

Reconfigure the affected application, if possible to avoid the use of weak key exchange.

See Also

https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Plugin Details

Severity: Medium

ID: 113316

Type: remote

Family: SSL/TLS

Published: 8/8/2022

Updated: 11/10/2022

Scan Template: api, basic, config_audit, full, pci, quick, scan, ssl_tls

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 326

OWASP: 2010-A7, 2013-A6, 2017-A3, 2021-A2

WASC: Application Misconfiguration

CAPEC: 112, 192, 20

DISA STIG: APSC-DV-002440

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.10.1.2

NIST: sp800_53-SC-12

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-9.1.2

PCI-DSS: 3.2-6.5.3, 3.2-6.5.4