Environment
- EDR (formerly CB Response) Server: 6.0.1 and Higher
- Vulnerability Scanner
Symptoms
Nessus scanner detects only a medium-strength cipher available on the TLS 1.2 protocol.
Cause
Security is stronger if weak and medium-strength ciphers are not available.
Resolution
- Log onto the EDR primary node via SSH
- Modify the "ssl_ciphers" line in /etc/cb/nginx/conf.d/includes/cb.server.body, or in /etc/cb/nginx/conf.d/includes/cb.server.base_body on 6.3.0 and above, so that it reads as follows (this adds !3DES):
ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL:!DES:!3DES;
- Restart nginx
- For EDR Server 7.3 and lower
- For EDR Server 7.4 and higher in CentOS/RHEL 7 and 8 environments
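To confirm the edit is in place on disk, the following added example (not part of the original article or the product) reads the ssl_ciphers directive from the two include files named above and reports whether the !3DES exclusion is present. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the ssl_ciphers directive in the EDR nginx includes.
# The two paths are the ones named in the resolution step; only the one
# that matches the server version is expected to exist.
CB_NGINX_INCLUDES="/etc/cb/nginx/conf.d/includes/cb.server.body
/etc/cb/nginx/conf.d/includes/cb.server.base_body"

# Print the cipher string of the first active (uncommented) ssl_ciphers line.
get_ssl_ciphers() {
    sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}\([^;]*\);.*$/\1/p' \
        "$1" 2>/dev/null | head -n 1
}

# Return 0 if the cipher string contains the !3DES token,
# 1 if it does not, 2 if no active ssl_ciphers directive was found.
check_3des_excluded() {
    ciphers=$(get_ssl_ciphers "$1")
    [ -n "$ciphers" ] || return 2
    # Drop optional quotes, split the OpenSSL cipher list on its separators
    # (colon, comma, space) and look for an exact "!3DES" token.
    printf '%s\n' "$ciphers" | tr -d "\"'" | tr ':, ' '\n\n\n' \
        | grep -qxF '!3DES'
}

# Report the state of every include file that exists on this node.
audit_cb_nginx() {
    for f in $CB_NGINX_INCLUDES; do
        [ -f "$f" ] || { echo "skip: $f (not present)"; continue; }
        if check_3des_excluded "$f"; then
            echo "ok:   $f excludes 3DES"
        else
            echo "FAIL: $f has no active ssl_ciphers line containing !3DES"
        fi
    done
}

audit_cb_nginx
```

This check only reads the configuration file; nginx still has to be restarted for the change to apply, and a rescan confirms what the listener actually offers.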
Additional Notes
- Sensors + Console UI traffic will remain functional throughout the procedure.
- Some vulnerability scanners may refer to this as "Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)", or CVE-2016-2183