
CVE-2016-2107 potential false positive

Question asked by Royce Williams on Feb 28, 2017
Latest reply on Mar 1, 2017 by Royce Williams

Both of these sites are detected as being vulnerable to CVE-2016-2107:

https://www.ssllabs.com/ssltest/analyze.html?d=sagitta.systems
https://www.ssllabs.com/ssltest/analyze.html?d=webfilter.aptalaska.net

However, using RUB-NDS's TLS-Attacker with this syntax:

java -jar TLS-Attacker-1.2.jar padding_oracle -connect hostname:443

... only the second one appears to be. (Note that sagitta.systems is expired, but this should be unrelated to the test for CVE-2016-2107.)

$ grep vulnerable *.out
sagitta.systems.out:21:57:08.679 [main] CONSOLE de.rub.nds.tlsattacker.attacks.impl.PaddingOracleAttack - sagitta.systems:443, NOT vulnerable, one message found: [
webfilter.aptalaska.net.out:22:06:11.667 [main] CONSOLE de.rub.nds.tlsattacker.attacks.impl.PaddingOracleAttack - webfilter.aptalaska.net:443, Vulnerable (?), more messages found, recheck in debug mode: [

An admin of sagitta.systems confirms that Apache on that system is linked to OpenSSL 1.0.1p, which should be patched for this vulnerability, and which is consistent with the TLS-Attacker output.
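
Added example (not part of the original post, and not TLS-Attacker's own code): a small triage script that parses the verdict lines shown in the grep output above and marks each host flagged by the first scanner as agreed, disputed, or untested by the second tool. The function names, the status labels and the FLAGGED_BY_FIRST_SCANNER set are assumptions made for this illustration; the log format is taken from the two lines quoted in the post.

```python
import re

# Verdict lines copied from the grep output in the post (tails truncated at "[" as shown there).
SAMPLE_LOG = """\
sagitta.systems.out:21:57:08.679 [main] CONSOLE de.rub.nds.tlsattacker.attacks.impl.PaddingOracleAttack - sagitta.systems:443, NOT vulnerable, one message found: [
webfilter.aptalaska.net.out:22:06:11.667 [main] CONSOLE de.rub.nds.tlsattacker.attacks.impl.PaddingOracleAttack - webfilter.aptalaska.net:443, Vulnerable (?), more messages found, recheck in debug mode: [
"""

# Hosts the first scanner reported as vulnerable (the two SSL Labs results in the post).
FLAGGED_BY_FIRST_SCANNER = {"sagitta.systems", "webfilter.aptalaska.net"}

# Anchor on the logger name so the "<file>.out:HH:MM:SS" grep prefix is ignored.
VERDICT_RE = re.compile(
    r"PaddingOracleAttack - (?P<host>[^:\s]+):(?P<port>\d+), "
    r"(?P<verdict>NOT vulnerable|Vulnerable \(\?\))"
)

def parse_verdicts(log_text):
    """Return {host: bool}; True means the tool saw more than one response message."""
    verdicts = {}
    for line in log_text.splitlines():
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m.group("host")] = m.group("verdict") != "NOT vulnerable"
    return verdicts

def triage(flagged, verdicts):
    """Classify each flagged host by whether the second tool agrees with the first."""
    result = {}
    for host in sorted(flagged):
        if host not in verdicts:
            result[host] = "untested"   # no verdict line found for this host
        elif verdicts[host]:
            result[host] = "agree"      # both tools flag it: recheck in debug mode
        else:
            result[host] = "disagree"   # candidate false positive: verify the OpenSSL build
    return result

if __name__ == "__main__":
    for host, status in triage(FLAGGED_BY_FIRST_SCANNER, parse_verdicts(SAMPLE_LOG)).items():
        print(f"{host}: {status}")
```

A "disagree" result only says the two tools differ; confirming the OpenSSL build actually linked into the server is still needed to decide which one is right.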
