PCI v3.2-6.5.4
CAPEC-217
CWE-326
HIPAA-164.306
ISO27001-A.14.1.3
WASC-4
OWASP 2013-A6
OWASP 2017-A3
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Insecure Transportation Security Protocol Supported (SSLv2)

Severity:
High
Summary

Invicti detected that an insecure transport security protocol (SSLv2) is supported by your web server.

SSLv2 has several known flaws. For example, traffic that you have established over SSLv2 can be observed by a third party even though it is encrypted.

Impact

Attackers can perform man-in-the-middle attacks and observe the encrypted traffic between your website and its visitors. An attacker can also exploit vulnerabilities such as DROWN.

Remediation

Configure your web server so that it no longer offers SSLv2 (and, ideally, only offers TLS 1.2 or higher).

  • For Apache, modify the SSLProtocol directive in httpd.conf:
    SSLProtocol +TLSv1.2
  • For Nginx, locate any use of the ssl_protocols directive in the nginx.conf file and remove SSLv2 and SSLv3 from it:
    ssl_protocols TLSv1.2;
  • For Microsoft IIS, you need to make some changes to the system registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
    1. Click Start, click Run, type regedt32 or regedit, and then click OK.
    2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
    3. Locate a key named "Server". If it doesn't exist, create it.
    4. Under the "Server" key, locate a DWORD value named "Enabled". If it doesn't exist, create it and set it to 0.
  • For lighttpd, put the following lines in your configuration file:
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "-TLSv1.1, -TLSv1, -SSLv3") # v1.4.48 or up
    ssl.ec-curve = "secp384r1"
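The directives above are easy to get subtly wrong (an Apache `SSLProtocol all` still leaves SSLv3 on, and an nginx `ssl_protocols` list is only as strong as its weakest entry). The following checker is an added example, not Invicti's code: it evaluates the three directive styles listed in the remediation and reports any directive that still leaves SSLv2 or SSLv3 enabled. It assumes Apache 2.4 semantics for `all` (SSLv3 plus every TLS version; 2.2 also included SSLv2) and treats a lighttpd config without an explicit `ssl.use-sslv2`/`ssl.use-sslv3` of `"disable"` as enabled; the sample configurations at the bottom are constructed.

```python
import re

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv2", "SSLv3"}
_CANON = {p.lower(): p for p in PROTOCOLS}
# Assumption: Apache 2.4 semantics, where "all" expands to SSLv3 plus every TLS
# version (2.4 dropped SSLv2 support entirely; in 2.2 "all" included SSLv2).
APACHE_ALL = [p for p in PROTOCOLS if p != "SSLv2"]


def canonical(name: str) -> str:
    """Normalise a protocol token such as 'tlsv1.2' to its canonical spelling."""
    return _CANON.get(name.lower(), name)


def apache_protocols(value: str) -> set:
    """Evaluate an Apache SSLProtocol value: a bare name or +name adds, -name removes, all expands."""
    enabled = set()
    for token in value.split():
        sign, name = ("-", token[1:]) if token.startswith("-") else ("+", token.lstrip("+"))
        names = APACHE_ALL if name.lower() == "all" else [canonical(name)]
        (enabled.update if sign == "+" else enabled.difference_update)(names)
    return enabled


def nginx_protocols(value: str) -> set:
    """Evaluate an nginx ssl_protocols value: simply the list of enabled versions."""
    return {canonical(t) for t in value.rstrip(";").split()}


def lighttpd_weak(text: str) -> set:
    """lighttpd: report SSLv2/SSLv3 unless ssl.use-sslv2 / ssl.use-sslv3 is explicitly "disable".
    (Checker assumption; recent lighttpd builds disable both by default.)"""
    weak = set()
    for proto in ("sslv2", "sslv3"):
        m = re.search(r'^\s*ssl\.use-%s\s*=\s*"(\w+)"' % proto, text, re.M | re.I)
        if m is None or m.group(1).lower() != "disable":
            weak.add(canonical(proto))
    return weak


def audit_config(text: str) -> list:
    """Return (directive, weak protocols) pairs for every directive that leaves SSLv2/SSLv3 on."""
    findings = []
    for m in re.finditer(r"^\s*SSLProtocol\s+(.+?)\s*$", text, re.M | re.I):
        weak = apache_protocols(m.group(1)) & WEAK
        if weak:
            findings.append((m.group(0).strip(), weak))
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", text, re.M):
        weak = nginx_protocols(m.group(1)) & WEAK
        if weak:
            findings.append((m.group(0).strip(), weak))
    if re.search(r"^\s*ssl\.engine\s*=", text, re.M):  # only lighttpd uses ssl.engine
        weak = lighttpd_weak(text)
        if weak:
            findings.append(("lighttpd ssl.use-sslv2/ssl.use-sslv3", weak))
    return findings


if __name__ == "__main__":
    # Constructed sample configurations: one weak and one hardened per server type.
    samples = {
        "apache-weak": "SSLEngine on\nSSLProtocol all\n",
        "apache-fixed": "SSLEngine on\nSSLProtocol +TLSv1.2\n",
        "nginx-weak": "ssl_protocols SSLv2 SSLv3 TLSv1.2;\n",
        "nginx-fixed": "ssl_protocols TLSv1.2;\n",
        "lighttpd-weak": 'ssl.engine = "enable"\n',
        "lighttpd-fixed": 'ssl.engine = "enable"\nssl.use-sslv2 = "disable"\nssl.use-sslv3 = "disable"\n',
    }
    for name, text in samples.items():
        findings = audit_config(text)
        status = "OK" if not findings else "WEAK: " + "; ".join(
            "%s leaves %s enabled" % (d, ", ".join(sorted(w))) for d, w in findings)
        print("%-15s %s" % (name, status))
```

Run it against a real `httpd.conf`, `nginx.conf` or `lighttpd.conf` by reading the file into `audit_config`; an empty result means no directive in that file still enables SSLv2 or SSLv3 (include files are not followed, so check each file that carries TLS settings).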
Required Skills for Successful Exploitation
Actions To Take

We recommend disabling SSLv2 and replacing it with TLS 1.2 or higher. See the Remediation section for more details.
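After applying the remediation, you will want to confirm that the server really stopped answering SSLv2. Modern OpenSSL builds (and therefore Python's `ssl` module) cannot negotiate SSLv2 at all, so the check below, an added example that is not part of this page or of Invicti's scanner, builds an SSLv2 ClientHello by hand from the SSL 2.0 record and message layout and classifies the server's first reply: an SSLv2 ServerHello (message type 4) means SSLv2 is still on; a TLS alert record, an SSLv2 ERROR message or a closed connection means it is not. The cipher-kind codes are the ones defined in the SSL 2.0 specification; the sample responses in the test are constructed, and `probe_sslv2` is only run explicitly from the command line.

```python
import socket
import struct
import sys

# SSLv2 cipher-kind codes from the SSL 2.0 specification, 3 bytes each.
SSLV2_CIPHER_SPECS = bytes.fromhex(
    "010080"  # SSL_CK_RC4_128_WITH_MD5
    "020080"  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    "030080"  # SSL_CK_RC2_128_CBC_WITH_MD5
    "040080"  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    "050080"  # SSL_CK_IDEA_128_CBC_WITH_MD5
    "060040"  # SSL_CK_DES_64_CBC_WITH_MD5
    "0700c0"  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)


def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 record (2-byte header, high bit set, no padding) carrying a CLIENT-HELLO:
    msg_type=1, version=0x0002, cipher_specs_len, session_id_len=0, challenge_len, specs, challenge."""
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSLV2_CIPHER_SPECS), 0, len(challenge))
    body += SSLV2_CIPHER_SPECS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_response(data: bytes) -> dict:
    """Classify the first bytes a server sends back after our SSLv2 CLIENT-HELLO."""
    if len(data) < 3:
        return {"sslv2": False, "reason": "empty or truncated response (connection closed?)"}
    if not data[0] & 0x80:
        # Not an SSLv2 record: a TLS alert (0x15) or handshake (0x16) record means the
        # server's TLS stack rejected the SSLv2 hello rather than speaking SSLv2.
        return {"sslv2": False, "reason": "non-SSLv2 record, content type 0x%02x" % data[0]}
    msg_type = data[2]
    if msg_type == 4:
        # SERVER-HELLO: sid_hit(1) cert_type(1) version(2) cert_len(2) cipher_specs_len(2) conn_id_len(2)
        if len(data) < 13:
            return {"sslv2": True, "reason": "truncated SERVER-HELLO", "cipher_specs": []}
        _, _, version, cert_len, cs_len, _ = struct.unpack(">BBHHHH", data[3:13])
        specs = data[13 + cert_len:13 + cert_len + cs_len]
        return {"sslv2": True, "version": version,
                "cipher_specs": [specs[i:i + 3].hex() for i in range(0, len(specs), 3)]}
    if msg_type == 0:
        return {"sslv2": False, "reason": "SSLv2 ERROR message (handshake refused)"}
    return {"sslv2": False, "reason": "unexpected SSLv2 message type %d" % msg_type}


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send one SSLv2 CLIENT-HELLO to host:port and classify the reply (your own servers only)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv2_client_hello())
            data = sock.recv(4096)
    except (socket.timeout, OSError) as exc:
        data = b""
        print("no usable reply: %s" % exc, file=sys.stderr)
    return parse_sslv2_response(data)


if __name__ == "__main__":
    # Usage: python sslv2_check.py host [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe_sslv2(host, port)
    print("%s:%d SSLv2 supported: %s" % (host, port, result["sslv2"]))
    print(result.get("reason") or "cipher specs offered: %s" % ", ".join(result["cipher_specs"]))
```

Re-run the probe after each configuration change; a hardened server should report a non-SSLv2 alert record or a closed connection, never a SERVER-HELLO. This is the same protocol-detection idea that general TLS scanners use, reduced to the single question the finding asks.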
