TLS_FALLBACK_SCSV Not Supported

A TLS service was found not to support the TLS_FALLBACK_SCSV cipher suite value. This cipher value was implemented by OpenSSL to protect against inappropriate downgrades to weaker encryption protocols such as TLSv1.0 and SSLv3.

  • For servers which do not support weak SSL/TLS protocols, there is no practical value added by adding support for this feature.
  • For servers which do support weak SSL/TLS protocols, this feature is not an effective replacement for disabling these weak protocols.

Active Downgrade Attacks

Attackers with network-level access between client and server applications have been known to attempt downgrade attacks, in which the malicious actor forces a client to negotiate a weaker or known-vulnerable encryption scheme. The malicious actor can then later break or decrypt this encrypted session.

Signaling Cipher Suite Value (SCSV) Mitigation

To help mitigate unwanted or malicious downgrade attacks, a new cipher suite value was created:

TLS_FALLBACK_SCSV          {0x56, 0x00}

This cipher suite is not a valid cryptosystem; instead, it serves as a flag to clients when the current protocol is not the server’s highest strength protocol. It is a backwards-compatible way to cause a fatal error with existing downgrade protocols and mitigate downgrade attacks.

References:

https://tools.ietf.org/html/rfc7507
https://www.openssl.org/news/secadv/20141015.txt

Remediation

For most server configurations TLS_FALLBACK_SCSV support can be implemented by updating OpenSSL:

  • OpenSSL 1.0.1 users should upgrade to 1.0.1j
  • OpenSSL 1.0.0 users should upgrade to 1.0.0o
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zc

We are not aware of IIS or Microsoft support at the time of this writing.
