016 – Insecure encryption algorithm - SSL/TLS

Description

The server allows the usage of insecure TLS protocol versions.

Impact

Compromise sensitive information that travels between client and server.

Recommendation

Update TLS protocol to version TLSv1.2 or TLSv1.3 if possible.

Threat

Unauthorized attacker from adjacent network.

Expected Remediation Time

100 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: A
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: P
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 148 - Set minimum size of asymmetric encryption
• 149 - Set minimum size of symmetric encryption
• 150 - Set minimum size for hash functions
• 181 - Transmit data using secure protocols
• 336 - Disable insecure TLS versions

Fixes

• Aws
• Azure
• Cloudformation
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Swift

Last updated

2024/02/07