bobcares.com
199.117.154.13  Public Scan

Submitted URL: https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/3/
Effective URL: https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/
Submission: On April 05 via manual from US — Scanned from DE

Text Content

SWEET32 BIRTHDAY ATTACK : HOW TO FIX TLS VULNERABILITY (CVE-2016-2183) IN
OPENSSL, APACHE, NGINX AND IIS IN REDHAT, CENTOS, UBUNTU, DEBIAN, OPENSUSE AND
WINDOWS

by Reeshma Mathews | Aug 26, 2016

Over 80% of websites on the internet are vulnerable to hacks and attacks. In our
role as hosting support engineers for web hosts, we perform periodic security
scans and updates on servers to protect them from hacks.

A recent bug that affects servers is the SWEET32 vulnerability. Because it
exploits the weak cipher ‘3DES-CBC’ in TLS encryption, this bug has caused many
server owners to panic about their data security.

If you see that your website is failing security scans with this message, that
means your server is vulnerable to SWEET32 attacks.

> “SSL/TLS server supports short block sizes (SWEET32 attack)”





WHAT IS SWEET32 BIRTHDAY ATTACK?

By default, servers have ‘3DES-CBC’ cipher enabled in TLS. This makes HTTPS
connections in those servers vulnerable to this SWEET32 bug.

Hackers can then easily decrypt your valuable data using a method called
Birthday Attack. Here’s how it works:

The web server encrypts data using cryptographic keys. These keys are chosen
randomly, and the probability of any two customers getting the same key is very
low.

By misusing the SWEET32 vulnerability, an attacker can send in a large volume of
dummy data, and get blocks of ciphertext that match those of a customer.

To break it down:

 1. The attacker sniffs all data sent to your customer.
 2. Attacker sends dummy data to your server until a key used for a customer
    matches the attacker’s session key.
 3. Once there’s a match, sensitive data can be decrypted by determining how the
    key was chosen.

 




ARE YOUR SERVERS VULNERABLE TO SWEET32 ATTACK?

The OpenSSL protocol uses the vulnerable ‘Triple-DES’ ciphers for encrypting the
data. So if your web servers such as Apache, NginX, etc. use OpenSSL with the
vulnerable ‘Triple-DES’ cipher support, your server is susceptible to attack.

If your servers are running OpenSSL versions prior to 1.0.1, which cannot
support strong ciphers, your servers are already vulnerable to many other
attacks too, such as CCS Injection Vulnerability.

The first thing we do is check the OpenSSL version on the server:

root@host ~ $ openssl version
OpenSSL 1.0.1f 6 Jan 2014

To examine the ciphers that are enabled in the OpenSSL server, we use the ‘nmap’
command. The code ‘3DES’ indicates cipher suites that use triple DES encryption.
These are the ones we disable for server security.
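
As an added example (not code from the original article): a Python script that
reads the text output of nmap's ssl-enum-ciphers script and lists, per port and
protocol, the offered suites that use a 64-bit block cipher. The sample scan
text is constructed, the function names are hypothetical, and the token list
goes beyond 3DES to the other 64-bit block ciphers (DES, IDEA, RC2).

```python
import re

# Name tokens that mark a 64-bit block cipher in an IANA-style suite name.
# 3DES is the cipher the article targets; DES, DES40, IDEA and RC2 share
# the same 64-bit block size (assumption: names follow the TLS_..._WITH_... form).
BLOCK64_TOKENS = {"3DES", "DES", "DES40", "IDEA", "RC2"}

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")
PROTO_RE = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE_RE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)\b")

# Constructed sample in the layout printed by:
#   nmap --script ssl-enum-ciphers -p 443,993 <host>
SAMPLE_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""


def is_block64(suite):
    """True if the suite name contains a 64-bit block cipher token."""
    return any(token in BLOCK64_TOKENS for token in suite.split("_"))


def find_block64_suites(scan_text):
    """Return {port: {protocol: [suite, ...]}} for 64-bit block cipher suites."""
    findings = {}
    port = protocol = None
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            # A new port section starts; the protocol context is reset.
            port, protocol = m.group(1), None
            continue
        m = PROTO_RE.match(line)
        if m:
            protocol = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if m and port and protocol and is_block64(m.group(1)):
            findings.setdefault(port, {}).setdefault(protocol, []).append(m.group(1))
    return findings


def format_report(findings):
    """Turn the findings into one human-readable line per suite."""
    lines = []
    for port, protocols in findings.items():
        for protocol, suites in protocols.items():
            for suite in suites:
                lines.append(f"{port} {protocol}: {suite} (64-bit block cipher)")
    return lines


if __name__ == "__main__":
    report = format_report(find_block64_suites(SAMPLE_SCAN))
    print("\n".join(report) if report else "No 64-bit block cipher suites offered")
```

Re-running the scan after the cipher list is changed and feeding the new output
to the same function confirms that every SSL service on the host, not only the
web server, has stopped offering these suites.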


HOW TO FIX SWEET32 VULNERABILITY

To secure the confidential information from this critical SWEET32 birthday
attack vulnerability, we disable all 64-bit block weak ciphers. For enhanced
security, we allow only strong ciphers such as AES.

Though OpenSSL has disabled support for weak ciphers from version 1.1.0 release
onwards, we’ve seen many servers still running older versions that are
vulnerable.

For the servers that we manage, our expert technicians keep all server software
updated, to protect them from attacks. If your servers are running vulnerable
versions, you should disable these weak ciphers without delay.

 


 


HOW WE SECURE APACHE AND NGINX WEB SERVERS FROM SWEET32 BUG

In servers that are running Apache web server, here is how we secure them:

 1. Edit the Apache SSL configuration file at
    ‘/etc/apache2/mods-available/ssl.conf’.
 2. Go to the SSL section and ensure that old protocols such as SSLv2 and SSLv3
    are disabled.
 3. Go to the CIPHER text section and update the entry with the relevant
    ‘SSLCipherSuite’.
 4. Restart the Apache web server.

In servers with NginX web server, we do these steps:

 1. Edit the Nginx configuration file ‘/etc/nginx/nginx.conf’.
 2. Go to the SSL section, set the secure protocols and update the Cipher text
    with the relevant ‘ciphers’ list.
 3. Restart the web server after saving the new settings.

 


HOW TO FIX SWEET32 BUG IN REDHAT AND CENTOS SERVERS

RedHat and CentOS servers use their own OpenSSL package, which is updated from
their repository using the ‘yum’ command. But RHEL/CentOS versions 5, 6 and 7
use vulnerable OpenSSL packages.

To know the version of OpenSSL package in the server, we execute the command:

root@host ~ $ rpm -qa | grep openssl
openssl-0.9.8e-20.el5_7.1

To immediately mitigate the attack until the new OpenSSL secure package is made
available in RedHat and CentOS repositories, we disable the weak ciphers in the
services that use SSL.

The services we update with strong ciphers include web servers such as Apache
and NginX, mail servers such as Exim, POP/IMAP server, FTP server, etc.

 


FIXING SWEET32 VULNERABILITY IN DEBIAN AND UBUNTU SERVERS

Ubuntu has different versions and the OpenSSL packages available in them are:

Ubuntu 15.10:      libssl1.0.0    1.0.2d-0ubuntu1.2
Ubuntu 15.04:      libssl1.0.0    1.0.1f-1ubuntu11.5
Ubuntu 14.04 LTS:  libssl1.0.0    1.0.1f-1ubuntu2.16
Ubuntu 12.04 LTS:  libssl1.0.0    1.0.1-4ubuntu5.32

To check the version of OpenSSL package in the server, we use the command:

dpkg -s openssl

If it is running older vulnerable versions, we update the OpenSSL package to the
latest supported version.

The latest secure OpenSSL version is not yet available in these packages. So, as
an immediate mitigation, we disable the weak ciphers in all public services with
OpenSSL support.


SECURING YOUR OPENSUSE SERVERS FROM SWEET32 BUG

In OpenSUSE, the ‘zypper’ tool helps us to update and install the latest OpenSSL
packages in the server.

We use this command to update your Suse server:

# zypper in -t patch secsp3-openssl1-12539=1


To mitigate the SWEET32 vulnerability, we disable 3DES and other weak ciphers
in all public SSL-based services.

 


HOW TO PROTECT YOUR IIS WEBSERVER FROM SWEET32 BUG

To disable weak ciphers in the Windows IIS web server, we edit the corresponding
registry keys. Here is how to do that:

 1. Click Start, click Run, type ‘regedit’ in the Open box, and then click OK.
 2. Locate the following security registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

 3. Go to the ‘SCHANNEL\Ciphers’ subkey, which is used to control the ciphers
    such as DES and RC4.

 4. Edit the subkey ‘SCHANNEL\Ciphers\Triple DES 168’ and set the DWORD value
    data to 0x0.

Registry edits are done very carefully, as any mistake can cause the server to
become non-functional. Server restarts may be required for the updates to come
into effect.


The steps to restrict the ciphers and edit registry can vary with the Windows
version in your server. It is therefore recommended to do it only with expert
assistance.

At Bobcares, our security experts are specialized in securing the servers of our
customers. By taking proper backups of the registry and other relevant config,
we ensure that the servers do not get messed up.

 


IN SHORT..

SWEET32 is a vulnerability in 3DES-CBC ciphers, which are used in most popular
web servers. Today we’ve seen how we fix it in popular operating systems and web
servers.

Older operating systems such as Windows XP use 3DES-CBC to establish
connections. Researchers have shown that these connections can be easily
decrypted.

Bobcares helps online businesses of all sizes achieve world-class security and
uptime, using tried and tested solutions. If you’d like to know how to make your
server more reliable, we’d be happy to talk to you.

 





23 COMMENTS

 1.  Tim on 2016-11-01 at 23:42
     
     I made the regedit change to stop the IIS attack, then rescanned the server
     with Trustwave and it is still coming up as vulnerable. Any suggestions?
     
     * Reeshma on 2016-11-04 at 08:58
       
       Tim,
       
       The registry edits and restricting the ciphers can vary with the Windows
       version you’re running in your server. Please feel free to contact our
       24/7 support team here – https://bobcares.com/contact-us/ – for further
       assistance.
       
 2.  Morningstar on 2016-11-03 at 20:21
     
     You need to add the registry dword ‘Enabled’ and set it to 0. So the full
     path for disabling in IIS is
     “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168”
     
     new dword Enabled = 0
     
     * Reeshma on 2016-11-04 at 09:28
       
       Hi,
       
       The cipher setting varies with the Windows version in the server. In
       earlier versions, if you do not configure the Enabled value, the default
       is enabled. This setting is to disable that Triple DES cipher. If it is
       not enabled, then no need to worry.
       
 3.  Jason on 2016-11-03 at 23:58
     
     I use plesk 12.5 and have already used their recommendations for PCI
     compliance, which includes updating the cipher text as you mentioned.
     However, their cipher text is much longer than the one that you have
     suggested,
     “EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES”.
     I am hesitant to change this for your much shorter cipher text. I found
     that merely adding, “:!3DES”, to the end of my cipher text, it removed all
     of the 3DES ciphers. This seems sufficient, but I thought I would get your
     thoughts on the matter.
     
     * Reeshma on 2016-11-04 at 09:14
       
       Jason,
       
       Since SWEET32 is based on 3DES vulnerability, the key intention behind
       this article is on how to avoid using that cipher in your servers. AES
       cipher is considered a strong cipher as of now and it comes in 128 and
       256 bit combinations. You can enable as many strong ciphers as you would
       like your server to support.
       
 4.  Bruno on 2016-11-30 at 02:40
     
     Making this registry change to remediate the vulnerability breaks RDP. No
     more remote desktop when applied!
     “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168”
     new dword Enabled = 0
     
     * Reeshma Mathews on 2016-12-02 at 10:54
       
       Bruno,
       
       You may have to update RDP packages to support the latest versions of
       TLS. Please feel free to contact our 24/7 support team here –
       https://bobcares.com/contact-us/ – for further assistance.
       
 5.  Coder Not Admin on 2016-12-06 at 04:05
     
     Hey, Bob. Just wanted to say that this information helped me pass my
     TrustKeeper compliance test. Good stuff!
     
     * Reeshma on 2016-12-06 at 09:12
       
       Thank you, happy to know that 🙂
       
 6.  freakerzoid on 2016-12-14 at 12:28
     
     I have 3 servers that are currently affected:
     – Windows Server 2012R2
     – Windows Server 2008R2
     – Windows Server 2008
     
     After editing the registry changes, do I need to reboot the servers for the
     changes to take effect?
     
     * Reeshma on 2016-12-14 at 14:14
       
       Server restart is not required for the cipher key changes to come into
       effect, but may be required for protocol key changes. However, as
       mentioned, you need to be very careful while editing the registry. Please
       feel free to contact our 24/7 support team here –
       https://bobcares.com/contact-us/ – for further assistance.
       
       * freakerzoid on 2016-12-15 at 13:02
         
         I have encountered an issue. I have a Windows Server 2008R2 server
         that has been detected with this Sweet32 Vulnerability.
         
         The following is the registry configuration.
         
         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
         
         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
         "Enabled"=dword:00000000
         
         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
         "Enabled"=dword:00000000
         
         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
         "Enabled"=dword:00000000
         
         So for this Scenario, How will I be able to disable 3DES Cipher ?
         Kindly advise ?
         
         * Reeshma on 2016-12-15 at 15:36
           
           Hi,
           
           To disable the 128-bit weak cipher, edit the value in the
           ‘SCHANNEL\Ciphers\RC4 128/128’ subkey and change the DWORD value data
           to 0x0. Repeat this for all such entries related to weak ciphers.
           
           * freakerzoid on 2016-12-16 at 14:46
             
             But isn’t that for Disabling RC4 Cipher Suite ?
             
             And these 3 are already disabled.
             
             What I mean is I am unable to find this registry below from W2K8
             and W2K8R2 Servers.
             
             \SCHANNEL\Ciphers\Triple DES 168
             
             How could I resolve this issue ?
           
           * Reeshma on 2016-12-16 at 15:07
             
             Hi,
             
             For keys that are not being listed, you may have to manually add
             the cipher keys and disable them, as the default value is
             ‘Enabled’. Please feel free to contact our 24/7 support team here –
             https://bobcares.com/contact-us/ – for any further assistance.
 7.  Jake on 2016-12-14 at 22:34
     
     Planning on making this change, but would like to know if it will break
     Microsoft Exchange Server / mail Flow??
     
     * Reeshma on 2016-12-15 at 09:26
       
       Jake,
       
       It would depend on the Exchange server you’re running on. SMTP support
       for TLS 1.1 and 1.2 was added in Exchange Server 2013 CU8 and Exchange
       Server 2010 SP3 RU9. So, if you update the ciphers and TLS versions, you
       may need to apply an update for the SMTP service or else mails may stop
       working.
       
       Please feel free to contact our 24/7 support team here –
       https://bobcares.com/contact-us/ – for a detailed investigation and
       further assistance.
       
 8.  Renuka Rathore on 2017-09-04 at 12:45
     
     Dear Team,
     
     We are using RHEL5 and wanted to get away with Sweet32 Vulnerability. For
     which we are trying to upgrade the openssl package from 1.0.1u to 1.1.0f.
     But we are facing a lot of issues. Could you please suggest an alternate.
     
     Reply
     * Reeshma on 2017-09-04 at 14:03
       
       Hi Renuka,
       
       It would require a check of your server software version and its
       dependencies. Please contact our server experts at
       https://bobcares.com/server-administration-service/, and they will
       secure your server from the Sweet32 bug.
       
       Reply
 9.  Chaerulbachri on 2019-07-01 at 14:46
     
     Hi,
     
     I have a Linux Red Hat server with the WebLogic service. Please, how do I
     solve the 3DES and RSA
     
     Thanks
     
     Reply
 10. Yoonz on 2021-04-01 at 00:26
     
     Hello, I’m getting this vulnerability on my Windows Server 2012 R2 vSphere
     server. I tried looking through regedit, but my …/SCHANNEL/Ciphers/ folder
     only has (Default). Am I missing something or is there somewhere else to
     fix this vulnerability?
     
     Reply
     * Arya MA on 2021-04-23 at 10:18
       
       Hi there,
       
       We would need to have a closer look at the server software version and
       its dependencies. If you still find problems, we’ll be happy to talk to
       you on chat (click on the icon at right-bottom).
       
       Reply
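
Two of the comments above (freakerzoid's and Yoonz's) report that the `Triple DES 168` key is missing under `SCHANNEL\Ciphers`, and Reeshma's reply says to add such keys manually and disable them. The PowerShell below is an added example, not code from the original post or from Bobcares; it assumes the standard `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers` location (the thread shows only the tail of the path) and an elevated session.

```powershell
# Added example: report the state of the 'Triple DES 168' SCHANNEL cipher key,
# create it if it is absent, and set Enabled = 0.
# Assumption: standard SCHANNEL registry location; run from an elevated prompt.
$ciphers = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$name    = 'Triple DES 168'
$key     = Join-Path $ciphers $name

function Get-SchannelCipherState {
    param([string]$Path)
    # A missing key is not the same as "disabled": the OS default applies.
    if (-not (Test-Path -Path $Path)) {
        return 'NotConfigured (key absent, OS default applies)'
    }
    $prop = Get-ItemProperty -Path $Path -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return 'NotConfigured (key present, no Enabled value)'
    }
    if ($prop.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

"Before: $(Get-SchannelCipherState $key)"

# Create the key only when it is missing, so existing values are left alone.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Enabled is a DWORD; 0 turns the cipher off for SCHANNEL.
New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null

"After:  $(Get-SchannelCipherState $key)"

# SCHANNEL picks up the change after a restart. Re-run the vulnerability scan
# afterwards, and test mail flow and other TLS clients before rolling this out
# to production hosts.
```

Running only the `Get-SchannelCipherState` part first gives a read-only audit: a result of `NotConfigured` on a host that a scanner flags for SWEET32 matches the situation described in both comments.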


Categories

Apache | Nginx | Server Management

Tags

3des cipher disable | apache security | CVE-2016-2183 | iis security | OpenSSL |
SWEET32 Birthday attack | sweet32 vulnerability | TLS vulnerability
