Questions about NVT SSL/TLS: Report Weak Cipher Suites

Hi, I performed a Full and Fast scan on OpenVAS with the NVT SSL/TLS: Report Supported Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.802067). This NVT works with the CVEs CVE-2013-2566, CVE-2015-2808 and CVE-2015-4000 and performs cipher verification: this routine reports all weak SSL/TLS cipher suites accepted by a service.

In a test run, the following output was obtained:

'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_SEED_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_RSA_WITH_SEED_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_SEED_CBC_SHA

The NVT description mentions the RC4 cipher, which is related to CVE-2013-2566 and CVE-2015-2808. However, RC4 does not appear in the NVT result on the target machine. Why then were these CVEs reported when the RC4 cipher is not present?

The VT in question (the OID is actually 1.3.6.1.4.1.25623.1.0.103440, not 1.3.6.1.4.1.25623.1.0.802067) is checking and reporting a huge number of weak ciphers (the definition can be found in the gb_ssl_tls_ciphers.inc file on the file system of the scanner), and for a handful of these, CVEs are assigned (namely CVE-2013-2566 and CVE-2015-2808 for RC4 and CVE-2015-4000 for 64-bit ciphers).

As this VT can detect these CVEs they have been assigned / included within it accordingly.

But if the VT is reporting a cipher as “weak”, it doesn’t necessarily mean that the system in question is affected by all CVEs included; which CVE applies (if at all) can be derived from the ciphers / cipher names included in the reporting.
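To illustrate the answer's point that the applicable CVE has to be derived from the reported cipher names, here is a small triage script (an added example, not part of the thread or of the Greenbone VT). It parses the VT's report text quoted in the question (abridged to two protocol blocks) and maps cipher families to CVEs; only the RC4 mapping stated in the answer is included, and the rule table is an assumption to be extended from the scanner's own gb_ssl_tls_ciphers.inc.

```python
import re

# Constructed sample: the report text quoted in the question above (SEED only).
SAMPLE_REPORT = """\
'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_SEED_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_SEED_CBC_SHA
"""

# Cipher-name substring -> CVEs the answer ties to that family. Only the RC4
# mapping from the answer is included; extend from gb_ssl_tls_ciphers.inc.
CIPHER_CVE_RULES = {
    "RC4": {"CVE-2013-2566", "CVE-2015-2808"},
}

HEADER_RE = re.compile(r"cipher suites accepted by this service via the (\S+) protocol:")


def parse_report(text: str) -> dict[str, list[str]]:
    """Return {protocol: [cipher names]} from the VT's 'Weak cipher suites' output."""
    result: dict[str, list[str]] = {}
    proto = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.search(line)
        if m:
            proto = m.group(1)
            result.setdefault(proto, [])
        elif proto and line.startswith("TLS_"):
            result[proto].append(line)
    return result


def applicable_cves(report: dict[str, list[str]]) -> set[str]:
    """Derive which of the VT's CVEs actually apply from the reported cipher names."""
    cves: set[str] = set()
    for ciphers in report.values():
        for name in ciphers:
            for needle, cve_set in CIPHER_CVE_RULES.items():
                if needle in name:
                    cves |= cve_set
    return cves
```

For the SEED-only report from the question, `applicable_cves` returns an empty set, which is the answer's point: the VT lists the CVEs it can detect, but none of the RC4 CVEs apply unless an RC4 suite actually appears in the output.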