False negative: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS

Name: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS

For some reason, the above mentioned VT is not reporting any vulnerabilities anymore, when 3DES/DES ciphers is used.
An example is that the SSL/TLS: Report Supported Cipher Suites reports the following ciphers on SSLv3:


I would have expected the SSL/TLS: Report Vulnerable Cipher Suites for HTTPS VT to be triggered as vulnerable, because of the highlighted ciphers (and quite a few others).
The example is the output from a scan of https://zero.webappsecurity.com/ which is very vulnerable.

Am I misunderstanding something or should’nt the mentioned VT have triggered?

I have tested using GSE v 22.4.0 - NVT feed 20220822T1012.

Thanks a lot for your posting.

Based on my tests with the current supported GVM / GOS versions 21.04 and 22.04 both running a current feed version (there haven’t been any functional change to this VT since nearly a year) this seems to work as expected in GOS 21.04 but the report is indeed missing in GOS 22.04 for unknown reasons.

As there haven’t been any changes on VT side i would suggest one of the following:

  1. Creating a new topic in Greenbone Community Edition - Greenbone Community Portal for some debugging help from GVM side
  2. Directly create an issue at Issues · greenbone/openvas-scanner · GitHub for making the responsible team working on this component aware of a possible problem

Greenbone OS 21.04.12

Greenbone OS 22.04.1

No result found.

1 Like

Thank you for your help and for replicating the issue in GOS.
I have reposted the issue in the GCE section and hope they can help finding the issue.