Skip to main content

Insecure encryption algorithm - AES

Description

The source code uses RSA/ECB/PKCS1Padding and AES/CBC/PKCS5PADDING encryption, both of which are considered insecure.

Impact

Decrypt the information encrypted with the algorithm because it has vulnerabilities that make it easily breakable.

Recommendation

Only secure encryption with secure algorithms such as RSA/NONE/OAEPwithSHA-256andMGF1Padding should be allowed.

Threat

Attacker with access to the code.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: L
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:X
  • Score:
    • Base: 5.1
    • Temporal: 4.6
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The server uses a secure cipher algorithm

http {
server {
index: "index.html";
listen: "localhost:4446 ssl";
server_name: "localhost";
ssl_prefer_server_ciphers: "on";
ssl_ciphers: "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";
ssl_certificate: "cert.crt";
ssl_certificate_key: "cert.key";
ssl_protocols: "SSLv3 TLSv1.2";
}
}

Non compliant code

The server uses the insecure AES cipher algorithm

http {
server {
index: "index.html";
listen: "localhost:4446 ssl";
server_name: "localhost";
ssl_prefer_server_ciphers: "on";
ssl_ciphers: "ECDHE_RSA_WITH_AES_256_CBC_SHA";
ssl_certificate: "cert.crt";
ssl_certificate_key: "cert.key";
ssl_protocols: "SSLv3 TLSv1 TLSv1.1";
}
}

Requirements