vulnerability Archives

Finding: SWEET32 (CVE-2016-2183)

The SWEET32 vulnerability affects SSL/TLS protocols that use 64-bit block ciphers, specifically 3DES (Triple DES) and IDEA. These ciphers are susceptible to birthday attacks when large volumes of data are transmitted over a persistent connection, potentially allowing an attacker to recover parts of plaintext traffic. IIS servers with 3DES enabled are affected.

Remediation for IIS on Windows Server 2019

Windows Server 2019 supports TLS 1.2 and 1.3 by default, along with modern AES-based cipher suites. However, 3DES may still be enabled for legacy compatibility and must be disabled to fully remediate SWEET32.

Step 1: Disable 3DES via the Windows Registry

Navigate to the following registry key and create or set the value as below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168\n\nSet the DWORD value ‘Enabled’ to 0.

Alternatively, create a .reg file with the following content and import it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
“Enabled”=dword:00000000

A system reboot is required for changes to take effect.

Step 2: (Optional) Use IIS Crypto Tool

To simplify cipher and protocol management, use the free Nartac IIS Crypto tool:
• Download from https://www.nartac.com/Products/IISCrypto
• Run the tool on the server
• Select the ‘Best Practices’ template
• Ensure 3DES and TLS 1.0/1.1 are disabled
• Apply the changes and reboot the server

Step 3: Verify Remediation and Confirm SWEET32 Is No Longer Present

After applying the remediation steps and rebooting the server, verify that the SWEET32 vulnerability has been resolved. Use one of the following tools to confirm that 3DES is no longer supported:

SSL Labs Server Test (recommended for public-facing servers):
Visit https://www.ssllabs.com/ssltest/ and enter the domain name of the affected server.
Review the results to ensure 3DES is not listed among the supported cipher suites.
Nmap (quick CLI-based check):
Run the following command:
nmap –script ssl-enum-ciphers -p 443 [hostname or IP]
Look for 3DES or other 64-bit ciphers in the output.
testssl.sh (thorough internal scan):
Run the following command:
testssl.sh –vulnerable –cipher-per-proto –html customerDomain.com
This generates an HTML report showing all supported ciphers and any related vulnerabilities, including SWEET32.

Description of the vulnerability per NIST:

“Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting, and modifying the data interaction with this library.”

This vulnerability was intentionally induced by a supply chain attack. Starting in 2021, a suspected Threat Actor started to submit patches to open-source project on GITHUB, eventually focusing on the XZ Utils repository and becoming a co-developer. A fuller timeline of events can be found here. The backdoor/vulnerability was fully introduced in versions 5.6.0 and 5.6.1 of xz utils in February. Most production Linux distributions have not adopted these patches, but please check the following section to confirm that no affected versions are present in your environment.

Affected & Fixed Versions

Recommendations and Mitigations

SecurIT360 Managed SOC Clients:

For all active managed SOC EDR clients, we have checked our inventory across products and have already reached out if you have an affected Linux distribution.
For all active managed SOC MDR clients, we have also run an external Nessus vulnerability scan looking for affected versions and have again already reached out to any and all affected clients.

Otherwise, if you have any Linux endpoint that we do not monitor that you are concerned may be affected by this vulnerability, you can run a simple command of “xz –version” or “xz ultis –version” on these endpoints to confirm your versioning on the endpoint in question:

If any of your endpoints do presently use 5.6.0 and 5.6.1 of XZ Utils, we would recommend either updating or downgrading packages per the table above. For the case of Fedora 40-41 and Rawhide specifically the recommendation from Red Hat would be to power-down or stop using Rawhide for the time being, and to move to packages 5.4.X for Fedora 40-41. See Red Hat’s blog post on the subject for more information.

Resources & Related Articles

https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/Feedly CVE-2024-2615 (Affected Version Table)
https://nvd.nist.gov/vuln/detail/CVE-2024-3094 (NIST CVE)
https://boehs.org/node/everything-i-know-about-the-xz-backdoor (Timeline on GITHUB Activity)
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users (Update for Fedora 40 and Fedora Rawhide Users)

Our Office

Industries

Company

Help