OpenVAS vulnerability (SWEET32)

Hello. We’re new to running GSA on Ubuntu 18.04 LTS. Part of our monthly routine is to scan all machines that run in a server capacity. When scanning the OpenVAS host itself, it’s reporting the server has a vulnerability found on the GSA web port:

2.1.2 High 4000/tcp
High (CVSS: 5.0)
NVT: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
Summary
This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exists
only on HTTPS services.
Vulnerability Detection Result
‘Vulnerable’ cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
‘Vulnerable’ cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
‘Vulnerable’ cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
Solution
. . . continues on next page . . .
2 RESULTS PER HOST 4
. . . continued from previous page . . .
Solution type: Mitigation
The configuration of this services should be changed so that it does not accept the listed cipher
suites anymore.
Please see the references for more resources supporting you with this task.
Affected Software/OS
Services accepting vulnerable SSL/TLS cipher suites via HTTPS.
Vulnerability Insight
These rules are applied for the evaluation of the vulnerable cipher suites:

  • 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).
    Vulnerability Detection Method
    Details: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
    OID:1.3.6.1.4.1.25623.1.0.108031
    Version used: $Revision: 5232 $
    References
    CVE: CVE-2016-2183, CVE-2016-6329

Can someone please provide me with instructions on how to resolve it? I didn’t find anything on a few Google searches. Thanks!

That is not a GVM port or used for any GVM Parts. Please contact your packet vendor and try to get support there. Please note uncoordinated 3rd Party packets are not supported here.

I apologize but your reply doesn’t make any sense to me. What packet vendor? Your product scanned itself and found this vulnerability as the result of scanning GSA’s web server port. It’s the default web port for GSA and it has always been port 4000.

We do not build any packets for Ubuntu, the only supported installation is always Greenbone OS based even the GCE. All our Appliances that include GVM are supported as well.

The port 4000 is not used by us or any of our appliances or any Greenbone OS installations. If you compile it your self, you have to fix it your self. If you use a package please get back to the packet maintainer.

The default port of the GSA is either 443 or 9392 (depending on the permissions of the user running the gsad daemon or the availability on the 443 port) as described in https://github.com/greenbone/gsa/#usage

If this is really a GSA (your package/installation provider might have changed the default port) then please have a look at the description in the thread linked below on how to overwrite the global/system-wide configured cipher suites and TLS version of GnuTLS to a (currently) more secure one from within the gsad daemon.

I’m closing this thread as a duplicate of the linked below to avoid that the same topic is spread over various threads. Please let me know if you want to add an additional note/remark in this thread and i could temporarily re-open it for this.

If you have further questions on the cipher topic please follow up in this thread: