Skip to main content

Insecure encryption algorithm - Blowfish

Description

Insecure algorithms such as Blowfish are used to encrypt the information stored in the code.

Impact

Decrypt the credentials that are stored encrypted with blowfish.

Recommendation

Use secure algorithms such as AES or RSA.

Threat

Unauthorized user with access to the code.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.6
    • Temporal: 4.6
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The resource correctly configures a secure encryption algorithm

http {
server {
index: "index.html";
listen: "localhost:4446 ssl";
server_name: "localhost";
ssl_prefer_server_ciphers: "on";
ssl_ciphers: "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"";
ssl_certificate: "cert.crt";
ssl_certificate_key: "cert.key";
ssl_protocols: "SSLv3 TLSv1.2";
}
}

Non compliant code

The resource uses the blowfish insecure encryption algorithm

http {
server {
index: "index.html";
listen: "localhost:4446 ssl";
server_name: "localhost";
ssl_prefer_server_ciphers: "on";
//cipher configured with a blowfish type encryption algorithm
ssl_ciphers: blowfish_unique;
ssl_certificate: "cert.crt";
ssl_certificate_key: "cert.key";
ssl_protocols: "SSLv3 TLSv1 TLSv1.1";
}
}

Requirements