Identified Weak Ciphers

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-05-21 19:30:35
Model: EAP660 HD  
Hardware Version: V1
Firmware Version: 1.2

Please see my recent scan and evidence of weak ciphers to please remove from EAP660 HD:


Summary

This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exist only on HTTPS services.

Detection Result

'Vulnerable' cipher suites accepted by this service via the SSLv3 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

Insight

These rules are applied for the evaluation of the vulnerable cipher suites:

- 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).

Detection Method

Version used: 2021-09-20T09:01:50Z

Affected Software/OS

Services accepting vulnerable SSL/TLS cipher suites via HTTPS.

Solution

Solution Type: Mitigation

The configuration of this service should be changed so that it does not accept the listed cipher suites anymore. Please see the references for more resources supporting you with this task.

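As an added example (not from this thread or from TP-Link), the script below parses the "'Vulnerable' cipher suites accepted ..." lines of the scanner report quoted above, flags the 3DES suites that trigger the SWEET32 finding (CVE-2016-2183), and includes a live re-check for use after a firmware update: it offers a device only DES-CBC3-SHA (OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA) and reports whether the handshake still completes with it. The host and port in the live check are placeholders you supply for your own device.

```python
import re
import socket
import ssl

# Constructed sample: two of the scanner report sections quoted in this thread.
SAMPLE_REPORT = """\
'Vulnerable' cipher suites accepted by this service via the SSLv3 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
"""

HEADER_RE = re.compile(r"accepted by this service via the (\S+) protocol:")
SUITE_RE = re.compile(r"^(TLS_[A-Z0-9_]+)")


def parse_report(text):
    """Map each protocol version in the report to the cipher suites listed under it."""
    accepted, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = m.group(1)
            accepted.setdefault(current, [])
            continue
        m = SUITE_RE.match(line.strip())
        if m and current:
            accepted[current].append(m.group(1))
    return accepted


def sweet32_suites(accepted):
    """(protocol, suite) pairs using the 64-bit block cipher 3DES, i.e. SWEET32 / CVE-2016-2183."""
    return [(p, s) for p, suites in accepted.items() for s in suites if "3DES" in s]


def still_accepts_3des(host, port=443, timeout=5.0):
    """Live re-check of one service you administer: offer ONLY DES-CBC3-SHA and cap at
    TLS 1.2 (TLS 1.3 has no 3DES suites). True means the device still negotiates 3DES.
    Certificate verification is off because only the cipher negotiation matters here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("DES-CBC3-SHA")  # raises ssl.SSLError if local OpenSSL cannot offer 3DES at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == "DES-CBC3-SHA"
    except ssl.SSLError:
        return False  # handshake refused: the suite is no longer accepted
```

A handshake failure from `still_accepts_3des` is the result you want after the fix; run it against each protocol version the scanner listed if your OpenSSL build still allows the older versions.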
Re:Identified Weak Ciphers
2022-07-12 12:23:13

Dear @indianajones,


Thank you very much for feeding back this issue.


The issue you mentioned will be updated and fixed in a subsequent release, with the default setting of disabling insecure encryption suites and adding an enable switch in the admin screen.
Please be patient and wait for the subsequent release of the firmware, subject to the final software release notes.

 

Best Regards!

Re:Identified Weak Ciphers
2022-08-07 03:15:55

@Hank21

I have updated to v1.1.1 on all 660HD EAPs and rerun the scan, and I am still receiving the same CVE-2016-2183, for which the EAPs are vulnerable. To err on the side of doubt, was v1.1.1 supposed to address this CVE, or a future version?

 

Best Regards,

Rhett Saunders

Re:Identified Weak Ciphers
2022-08-10 08:30:24

Dear @indianajones,

The 1.1.1 firmware was released earlier; the next version of the EAP660 HD firmware has not been released yet, so please be patient for a while.

 

Best Regards!
