TLS Version 1.0 Protocol Detection

The TLS Version 1.0 Protocol Detection vulnerability is a security flaw in the TLS 1.0 protocol that allows an attacker to downgrade a secure connection to an insecure one. This can be done by sending a specially crafted message that the server will interpret as a request for TLS 1.0. Once the connection is downgraded, the attacker can exploit other vulnerabilities in TLS 1.0 to steal sensitive data or take control of the system.

Here are some of the attacks that can be exploited by the TLS Version 1.0 Protocol Detection vulnerability:

• POODLE (Padding Oracle On Downgraded Legacy Encryption)
• BEAST (Browser Exploit Against SSL/TLS)
• CRIME (Compression Ratio Info-leak Made Easy)
• FREAK (Factoring Attack on RSA-EXPORT Keys)
• LOGJAM (Diffie-Hellman Key Exchange Weakness)

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

How does it happen..?

If a server supports the use of medium-strength ciphers, then an attacker could potentially exploit this vulnerability to break the encryption and gain access to sensitive data. This could include passwords, credit card numbers, or other personal information.

Mitigation...

We will offer two approaches to address this vulnerability, and you can select the method that aligns with your specific environmentIf you employ a self-managed hosting solution with a Linux server, Method 1 is applicable. similarly, if you utilize hosting services provided by a service provider, Method 2 is suitable.

Method 1: On the Server side

You are required to configure your server to use strong ciphers. You can achieve this by making changes to the configuration file of the server.

• Locate your server config file

The location of the server config file depends on the web server software you are using.
Here are some examples of where you can find the server config file for some popular server software.

Apache: /etc/apache2/apache2.conf
Nginx: /etc/nginx/nginx.conf

• Identify strong ciphers 

You need to identify strong and recommended ciphers according to the software your server uses. Most providers of web server software offer official documentation to assist in configuring and enabling strong encryption ciphers.

Apache:https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

Alternatively, you have the option to use the Mozilla SSL Generator, which provides a recommended, standardized SSL configuration based on your particular web server version.

You have the option to input information about your server software and environment into the portal. In response, the portal will furnish you with a sample configuration file that aligns with the details you've provided

We will use the Apache configuration file generated by the Mozilla SSL generator for the remaining setup.

 

# generated 2023-08-22, Mozilla Guideline v5.7, Apache 2.4.41, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&guideline=5.7

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateKeyFile   /path/to/private_key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

The text highlighted in yellow color is the recommended strong ciphers by Mozilla.

You can copy this content and insert it into your configuration file as in the sample file. 

Then restart the Apache service to apply the changes.

Note:
Do not replace your existing web server configuration file with the sample file produced by Mozilla. Retrieve the necessary information from the sample file and use it appropriately.

Method 2: from cPanel and WHM

Most cPanel & WHM-managed services use OpenSSL to provide secure connections between client software and the server. The following section lists the interfaces and options in cPanel & WHM that allow you to configure the protocol and cipher lists for services that use OpenSSL.

If you find that you only have access to the cPanel, you should reach out to your hosting service provider and request them to enhance your default web service configuration with strong ciphers. You can guide the hosting service administrator by suggesting the steps below. However, if you have access to the WHM, you can proceed with the following modifications.

Go to  WHM ➝ Home ➝ Service Configuration ➝ cPanel Web Services Configuration

Replace TLS/SSL Cipher List with recommended and strong ciphers and then save the changes.
(If you have a list of medium-strength ciphers, you can exclude them from this list. There's no need to replace the default ciphers)

REFERENCES

[1] https://www.tenable.com/plugins/nessus/42873

[2] https://www.papercut.com/kb/Main/SSLCipherConfiguration/

[3] https://docs.cpanel.net/knowledge-base/security/how-to-update-ciphers-and-tls-protocols/

[4] https://ssl-config.mozilla.org/

Ransomware attacks have grown up exponentially amid COVID-19, as cybercriminals take advantage of the new work-from-home world and target vulnerable industries and populations.

Ransomware penetrates an organization’s IT infrastructure through phishing emails or endpoint vulnerabilities and then encrypts files, holding data hostage until a fee is paid to decrypt them. The FBI has deemed ransomware the fastest growing malware threat, causing significant revenue loss, business downtime and reputational damage.

Therefore,  Protect Your Network From Ransomware by following the best practices below.

1. Backup files regularly

Backup all important files on regularly basis to an offsite server is recommended. Automatic backup systems of operating Systems(Windows , Linux) can be used for this purpose to backup data on daily basis.

For any sensitive data , ensure the backed-up data is encrypted to prevent data theft.

2. Security awareness programs for employees

Awareness sessions for employees to improve level of knowledge regarding information security. could be one of the best forms of defense.

Such sessions should focus on ;

• Introduction about ransomware 
• How to identify ransomware or if a machine is infected
  
• Further steps - if a suspected ransomware attack is identified in office or work from home environment.
• prevention tips for ransomware

        1.Remove Users Without Password

There are already created users, some of  some of which can connect to the database without a password or, even worse, anonymous users.This has changed in MySQL 5.7 which, by default, comes only with a root account that uses the password you choose at installation time. Still, there are MySQL installations which were upgraded from previous versions and these installations keep the legacy users. Also, MariaDB 10.2 on Centos-7 comes with anonymous users. Please note that users with very simple passwords are almost as insecure as users without any password. Passwords like “password” or “qwerty” are not really helpful.


2.  Change default port mappings
MySQL by default runs on port 3306. This should be changed after installation to obfuscate what critical services are running on which ports, as attackers will initially attempt to exploit default values.


3.Do not run MySQL with root level privileges
MySQL should be run under a specific, newly-created user account with the necessary permissions to run the service, as opposed to directly as the root user. This adds some auditing and logging benefits while preventing attackers from gaining access by hijacking the root user account.



4. Limit or disable SHOW DATABASES
Again, stripping remote attackers of their information gathering capabilities is critical to a secure security posture. For this reason, the SHOW DATABASES command should be limited or removed entirely by adding skip-show-database to the [mysqld] section of the MySQL configuration file at /etc/my.cnf.

 
 
 
 
References:
[1] https://www.upguard.com/blog/top-11-ways-to-improve-mysql-security
[2] https://severalnines.com/database-blog/ten-tips-how-achieve-mysql-and-mariadb-security