Friday, December 27, 2024

Vulnerability scan adjustments

Original nginx configuration

    ssl_protocols       TLSv1.3 TLSv1.2;
    #    ssl_protocols       TLSv1.3;
    #    ssl_ciphers         EECDH+AESGCM:EECDH+AES256;
    ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:EECDH+AES256:!MD5:!SHA1:!SHA256:!SHA384";

Testing tools

https://www.ssllabs.com/ssltest/

https://certlogik.com/decoder/

nmap --script ssl-enum-ciphers -p 443 xxx.tw

sslscan xxx.tw

openssl s_client -cipher ECDHE-RSA-AES256-SHA384 -connect url.xxx.tw:443


Vulnerability name | Description (English) | Description (Chinese) | Remediation (English) | Remediation (Chinese) | Parameter info
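
Vulnerability name: Lodash Other Vulnerability
Description (English): Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Description (Chinese): Lodash versions before 4.17.21 have a Regular Expression Denial of Service (ReDoS) weakness in the toNumber, trim and trimEnd functions.
Remediation (Chinese): Upgrade to version 4.17.21.
Parameter info: lodash v4.17.10-4.17.10; lodash v4.17.10-4.17.10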
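
Vulnerability name: Lodash Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability
Description (English): Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Description (Chinese): Lodash before version 4.17.21 has a command injection weakness in the template function.
Remediation (Chinese): Upgrade to version 4.17.21.
Parameter info: lodash v4.17.10-4.17.10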
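
Vulnerability name: Lodash Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Vulnerability
Description (English): Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Description (Chinese): Lodash versions before 4.17.20 have a prototype pollution vulnerability.
Remediation (Chinese): Upgrade to version 4.17.21.
Parameter info: lodash v4.17.10-4.17.10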
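
Vulnerability name: Lodash Allocation of Resources Without Limits or Throttling Vulnerability
Description (English): lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Description (Chinese): Lodash at version 4.17.11 may be exposed to a denial-of-service attack when processing overly long regular expressions.
Remediation (Chinese): Because version 4.17.11 still has other known weaknesses, upgrading to version 4.17.21 is recommended.
Parameter info: lodash v4.17.10-4.17.10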
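
Vulnerability name: Lodash CVE-2018-16487 Vulnerability
Description (English): A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Description (Chinese): Lodash 4.17.11 has a prototype pollution weakness.
Remediation (Chinese): Because 4.17.11 has other known vulnerabilities, upgrading to 4.17.21 is recommended.
Parameter info: lodash v4.17.10-4.17.10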
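
Vulnerability name: TLS/SSL Weak Cipher Suites
Description (English): The remote host supports TLS/SSL cipher suites with weak or insecure properties.
Description (Chinese): The target host was found to support encryption algorithms of insufficient strength.
Remediation (English): Reconfigure the affected application to avoid use of weak cipher suites.
Remediation (Chinese): Reconfigure the server to avoid using algorithms of insufficient strength; for related information, see the "Parameter info" field of the report.
Parameter info: Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA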
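
Vulnerability name: Vulnerable JavaScript libraries
Description (English): You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for this version of the library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
Description (Chinese): A JavaScript library with known vulnerabilities is in use. This version of the JavaScript library may have one or more known vulnerabilities; see the library's website for details.
Remediation (English): Upgrade to the latest version.
Remediation (Chinese): Update to the latest version of the library.
Parameter info: Lodash 4.17.10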

URL: https://domain.gsn.gov.tw/gsn/
Detection method: The library's name and version were determined based on its dynamic behavior.
CVE-ID: CVE-2021-23337, CVE-2020-8203, CVE-2020-28500, CVE-2019-10744, CVE-2018-16487, CVE-2019-1010266
Description: Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. / Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. / Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. / Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. / A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. / lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
References:

https://nvd.nist.gov/vuln/detail/CVE-2021-23337
https://nvd.nist.gov/vuln/detail/CVE-2020-8203
https://nvd.nist.gov/vuln/detail/CVE-2020-28500
https://nvd.nist.gov/vuln/detail/CVE-2019-10744
https://nvd.nist.gov/vuln/detail/CVE-2018-16487
https://nvd.nist.gov/vuln/detail/CVE-2019-1010266

Vulnerability name: SSL Certificate Is About To Expire
Description (English): One of the TLS/SSL certificates used by your server is about to expire.

Once the certificate has expired, most web browsers will present end-users with a security warning, asking them to manually confirm the authenticity of your certificate chain. Software or automated systems may silently refuse to connect to the server.

This alert is not necessarily caused by the server (leaf) certificate, but may have been triggered by an intermediate certificate. Please refer to the certificate serial number in the alert details to identify the affected certificate.
Description (Chinese): The security certificate used by the website is about to expire (fewer than 60 days remaining).
Remediation (English): Contact your Certificate Authority to renew the SSL certificate.
Remediation (Chinese): Renew the certificate with the certificate authority.
Parameter info: The TLS/SSL certificate (serial: 029ae1a7b78ce1460ebb1cec62340f8c) will expire in less than 60 days. The certificate validity period is from Fri Oct 25 2024 21:27:11 GMT+0800 to Thu Jan 23 2025 21:27:10 GMT+0800 (49 days left)

Vulnerability name: TLS/SSL Weak Cipher Suites
Description (English): The remote host supports TLS/SSL cipher suites with weak or insecure properties.
Description (Chinese): The target host was found to support encryption algorithms of insufficient strength.
Remediation (English): Reconfigure the affected application to avoid use of weak cipher suites.
Remediation (Chinese): Reconfigure the server to avoid using algorithms of insufficient strength; for related information, see the "Parameter info" field of the report.
Parameter info: Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_RSA_WITH_AES_256_CBC_SHA256

Vulnerability name: TLS/SSL Weak Cipher Suites
Description (English): The remote host supports TLS/SSL cipher suites with weak or insecure properties.
Description (Chinese): The target host was found to support encryption algorithms of insufficient strength.
Remediation (English): Reconfigure the affected application to avoid use of weak cipher suites.
Remediation (Chinese): Reconfigure the server to avoid using algorithms of insufficient strength; for related information, see the "Parameter info" field of the report.
Parameter info: Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA

Vulnerability name: jQuery UI Dialog Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability
Description (English): jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( 'refresh' )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
Description (Chinese): jQuery-UI is the official jQuery user interface library. Before version 1.13.0, accepting the value of the `of` option of the `.position()` utility from untrusted sources may execute untrusted code. The issue has been fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
Remediation (Chinese): Upgrading jquery-ui to version 1.13.2 or later is recommended.
Parameter info: jquery-ui-dialog v1.13.1-1.13.1

Vulnerability name: jQuery UI Tooltip Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability
Description (English): jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( 'refresh' )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
Description (Chinese): jQuery-UI is the official jQuery user interface library. Before version 1.13.0, accepting the value of the Datepicker widget's `altField` option from untrusted sources may execute untrusted code. The issue has been fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
Remediation (Chinese): Upgrading jquery-ui to version 1.13.2 or later is recommended.
Parameter info: jquery-ui-tooltip v1.13.1-1.13.1

Vulnerability name: TLS/SSL Weak Cipher Suites
Description (English): The remote host supports TLS/SSL cipher suites with weak or insecure properties.
Description (Chinese): The target host was found to support encryption algorithms of insufficient strength.
Remediation (English): Reconfigure the affected application to avoid use of weak cipher suites.
Remediation (Chinese): Reconfigure the server to avoid using algorithms of insufficient strength; for related information, see the "Parameter info" field of the report.
Parameter info: Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
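
Vulnerability name: TLS/SSL Weak Cipher Suites
Description (English): The remote host supports TLS/SSL cipher suites with weak or insecure properties.
Description (Chinese): The target host was found to support encryption algorithms of insufficient strength.
Remediation (English): Reconfigure the affected application to avoid use of weak cipher suites.
Remediation (Chinese): Reconfigure the server to avoid using algorithms of insufficient strength; for related information, see the "Parameter info" field of the report.
Parameter info: Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384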

Vulnerability name: TLS/SSL Weak Cipher Suites
Description (English): The remote host supports TLS/SSL cipher suites with weak or insecure properties.
Description (Chinese): The target host was found to support encryption algorithms of insufficient strength.
Remediation (English): Reconfigure the affected application to avoid use of weak cipher suites.
Remediation (Chinese): Reconfigure the server to avoid using algorithms of insufficient strength; for related information, see the "Parameter info" field of the report.
Parameter info: Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA