Why am I noticing threat ID 59268?

Created On 02/04/21 19:20 PM - Last Modified 02/05/25 22:19 PM


Question


What is Threat ID 59268?  Why am I noticing this on my network?

Answer



OpenSSL SSLv2 Man-in-the-Middle Vulnerability

OpenSSL is prone to a man-in-the-middle vulnerability while parsing certain crafted SSL requests. The vulnerability is due to the lack of proper checks on SSL requests, leading to an exploitable man-in-the-middle vulnerability. An attacker could exploit the vulnerability by sending crafted SSL requests. A successful attack could lead to remote code execution with the privileges of the server.

This is an informational-severity alert. The signature detects hosts requesting to connect with SSLv2 and a weak cipher spec to servers that support SSLv2 with weak ciphers.
Because the number of servers on the internet that support SSLv2 with weak cipher specs is pretty high, it is normal to see this alert on a busy network with access to the internet. If you remove weak ciphers from your browsers, you would either prevent your users from connecting to servers that use the weak ciphers or possibly force those servers to resort to plaintext HTTP with no encryption. Allowing hosts to support the weak ciphers carries some risk because of the MITM attack potential, so you may need to dig a little deeper into which servers your hosts are connecting to and determine the risk.


https://nvd.nist.gov/vuln/detail/CVE-2015-3197
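
When digging into which connections raised the alert, it can help to decode the captured client request and see which cipher specs were actually offered. The following is an added example, not Palo Alto Networks' signature logic or code from this article: it parses an SSLv2 CLIENT-HELLO record and lists the offered cipher kinds. The function names, the constructed sample bytes and the choice of which cipher kinds count as "weak" (40-bit export and single DES) are assumptions made for illustration.

```python
import struct

# SSL 2.0 cipher kinds (3-byte codes from the SSL 2.0 specification).
SSLV2_CIPHERS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# Assumption for this example: "weak" means 40-bit export or single DES.
WEAK = {0x020080, 0x040080, 0x060040}


def parse_sslv2_client_hello(data: bytes):
    """Return offered/weak cipher names, or None if not an SSLv2 CLIENT-HELLO."""
    if len(data) < 11 or not data[0] & 0x80:
        return None  # too short, or no 2-byte SSLv2 record header
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    msg_type, version, spec_len, sid_len, chal_len = struct.unpack_from(">BHHHH", data, 2)
    if msg_type != 1 or version != 0x0002:
        return None  # not CLIENT-HELLO, or a v2-framed hello for SSLv3/TLS
    if spec_len == 0 or spec_len % 3 or 9 + spec_len + sid_len + chal_len != rec_len:
        return None  # inconsistent length fields
    if len(data) < 2 + rec_len:
        return None  # truncated capture
    codes = [int.from_bytes(data[i:i + 3], "big") for i in range(11, 11 + spec_len, 3)]
    name = lambda c: SSLV2_CIPHERS.get(c, f"unknown_0x{c:06x}")
    return {"offered": [name(c) for c in codes],
            "weak": [name(c) for c in codes if c in WEAK]}


def build_sample() -> bytes:
    """Constructed CLIENT-HELLO: RC4-128, RC4 export-40, DES-64, zeroed challenge."""
    specs = bytes.fromhex("010080020080060040")
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, 16) + specs + bytes(16)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


SAMPLE = build_sample()

if __name__ == "__main__":
    print(parse_sslv2_client_hello(SAMPLE))
```
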


 


Additional Information



https://security.stackexchange.com/questions/38945/disabling-ssl-v2-and-weak-ciphers-on-client-pcs
https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work
http://www.openssl.org/news/secadv/20160128.txt
https://nvd.nist.gov/vuln/detail/CVE-2015-3197

