SSL/TLS Forward Secrecy Cipher Suites Not Supported

medium Web App Scanning Plugin ID 98617

Language:

Synopsis

SSL/TLS Forward Secrecy Cipher Suites Not Supported

Description

The remote host use at least one SSL/TLS ciphers that does not offer forward secrecy (FS) also known as perfect forward secrecy (PFS). It's a feature that provides assurances the session keys will not be compromised even if the server’s private key is compromised.

Solution

Reconfigure the server to disable cipher suites without forward secrecy and retain only cipher suites that provide forward secrecy (ECDHE or DHE based cipher suites).

See Also

https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Plugin Details

Severity: Medium

ID: 98617

Type: remote

Family: SSL/TLS

Published: 6/12/2019

Updated: 11/10/2022

Scan Template: api, basic, config_audit, full, pci, quick, scan, ssl_tls

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L

CVSS Score Source: Tenable

Reference Information

CWE: 327

OWASP: 2010-A9, 2013-A6, 2017-A3, 2021-A2

WASC: Insufficient Transport Layer Protection

CAPEC: 20, 459, 473, 475, 608, 614, 97

DISA STIG: APSC-DV-002440

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.10.1.2

NIST: sp800_53-SC-12

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-9.1.2

PCI-DSS: 3.2-6.5.3, 3.2-6.5.4