Fix Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

on

Below steps will also close  "SSL RC4 Cipher Suites Supported (Bar Mitzvah)" including SWEET32



What is SWEET32 Birthday Attack (CVE-2016-2183?


By default, servers have ‘3DES-CBC’ cipher enabled in TLS. This makes HTTPS connections in those servers vulnerable to this SWEET32 bug.


Hackers can then easily decrypt your valuable data using a method called Birthday Attack. Here’s how it works:


The web server encrypts data using cryptographic keys. These keys are chosen randomly, and the probability of any two customers getting the same key is very low.


By misusing the SWEET32 vulnerability, an attacker can send in large volume of dummy data, and get blocks of cipher text that matches that of a customer.



The attacker sniffs all data sent to your customer.


Attacker sends dummy data to your server until a key used for a customer matches the attacker’s session key.


Once there’s a match, sensitive data can be decrypted by determining how the key was chosen.





How To Fix (Solution) : 

Before making any changes please take complete registry backup.

If this is a Virtual machine then take a snapshot/vmdk backup so incase if there is any issue post changes you can easily revert to previous stage without making so many changes.

Download IIS Crypto GUI latest version from below link

Click here to download IIS Crypto GUI


Run the tool


You will get this screen.
Now you can see everything is enabled, if you don't know what need to be disabled then simply click on Best Practice button and then you will get below screen.

As of now TLS 1.0 & TLS 1.1 is also vulnerable so you can uncheck those as well



Once done click on apply and reboot your system.

Once system is up please check all of your server facing application, if getting any issue then you can enable TLS 1.1 and click apply then reboot the server, post if still not work then you can enable TLS 1.0 as well and click apply then check.

If still not work then you can import the registry which you backed up before madding any changes then reboot and check.

If after disabling the TLS 1.0 & TLS 1.1 application or any customized application is not working then get in touch with your developer team or OEM to first update the software/application then do the same. 




If you enjoyed this article, follow and share it with your friends and colleagues!!!!!!!!!!! 👍


Posted By : Kamlesh Gaur







Comments

Post a Comment