Anonymous Cipher for TLS V1.0

Achutt · May 5, 2022, 7:45am

SSL/TLS: Report Supported Cipher Suites (1.3.6.1.4.1.25623.1.0.802067) reports that
:No ‘Anonymous’ cipher suites accepted by this service via the TLSv1.0 protocol.

SSL/TLS: Report ‘Anonymous’ Cipher Suites reports that (1.3.6.1.4.1.25623.1.0.108147) :
‘Anonymous’ cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5

Why does this happen ??

cfi · May 5, 2022, 10:57am

The system in question is providing / offering this known to weak / vulnerable cipher suite to systems connecting to it.

Info how to mitigate this vulnerability is given in the solution part of the VT.

Achutt · May 5, 2022, 1:22pm

Then why do two different VTs give different results wherein one says that it doesn’t accept anonymous ciphers and the other says it does anonymous Ciphers?

cfi · May 5, 2022, 1:48pm

Oh, sorry. I understood that you are asking why the Anonymous cipher suites are showing up at all but missed that you are asking for the difference in the output of both mentioned VTs.

Unfortunately i’m not able to answer this question due to the lack of knowledge on this code base responsible for reporting these things.

cfi · May 5, 2022, 2:49pm

Unfortunately i’m also not able to reproduce this (see the output below) when testing against an OpenSSL server providing such Anonymous ciphers via:

openssl s_server -tls1 -cipher "ALL:@SECLEVEL=0" -state -accept 127.0.0.1:4443 -nocert -msg

Please make sure that you are:

running a current and supported version of GVM and all of its components (21.04.4 is the current and only supported version)
using a current / up2 date feed
comparing the results for the very same system and/or port (e.g. one result could originating from port 443 while the other is coming from 8443)

Output of SSL/TLS: Report Supported Cipher Suites (1.3.6.1.4.1.25623.1.0.802067):

'Strong' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_DH_anon_WITH_AES_256_CBC_SHA

'Medium' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
TLS_DH_anon_WITH_SEED_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA

No 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol.

No 'Null' cipher suites accepted by this service via the TLSv1.0 protocol.

'Anonymous' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
TLS_DH_anon_WITH_SEED_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Output of VT SSL/TLS: Report ‘Anonymous’ Cipher Suites reports that (1.3.6.1.4.1.25623.1.0.108147):

'Anonymous' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
TLS_DH_anon_WITH_SEED_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA