Saturday, February 6, 2010

SSL Server Has SSLv2 Enabled Vulnerability, PCI and IIS

If you are involved with PCI compliance scanning you are probably familiar with the "SSL Server Has SSLv2 Enabled" vulnerability. It's one of those annoying items that always seems to show up on scan reports. Fortunately, there is a simple way to test for this vulnerability and an easy way to fix it.

Using nmap and its script scanning capability, you can scan for and detect this vulnerability. An example command is listed below.

nmap -p443 --script=sslv2.nse 10.10.10.10 -vvv

If the server supports SSLv2, nmap will report the SSLv2 cipher suites the server accepted:

Interesting ports on 10.10.10.10:
PORT    STATE SERVICE
443/tcp open  https
|  sslv2: server still supports SSLv2
|       SSL2_DES_192_EDE3_CBC_WITH_MD5
|       SSL2_RC2_CBC_128_CBC_WITH_MD5
|       SSL2_RC4_128_WITH_MD5
|       SSL2_RC4_64_WITH_MD5
|       SSL2_DES_64_CBC_WITH_MD5
|_      SSL2_RC4_128_EXPORT40_WITH_MD5

How to fix a vulnerable IIS server:

Open regedit and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

Change the "Enabled" value (REG_DWORD) to 0 (create the key and value if they are not present). In .reg file notation:
"Enabled"=dword:00000000

Reboot the server and run nmap again to verify that the vulnerability has been closed.
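For readers who want to see what the sslv2.nse check above actually does on the wire, and to have a second way of re-verifying a server after the registry change and reboot, here is an added example. It is not code from this post or from nmap: it sends an SSLv2 CLIENT-HELLO to a server you administer (host and port are assumed to come from the command line) and reports the cipher kinds returned in a SERVER-HELLO, using the same cipher names nmap prints. A server with SSLv2 disabled answers with a TLS alert or drops the connection, which the parser reports as "no SSLv2". The SAMPLE_SERVER_HELLO bytes are constructed for an offline self-check and are not a capture from any real server.

```python
import socket
import struct
import sys

# SSLv2 CIPHER-KIND codes (3 bytes each) with the names nmap's sslv2.nse prints.
# Codes are from the SSL 2.0 draft specification; RC4_64 is a Microsoft extension.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_CBC_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_CBC_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    b"\x08\x00\x80": "SSL2_RC4_64_WITH_MD5",
}


def build_client_hello(challenge=b"\x00" * 16):
    """Build an SSLv2 CLIENT-HELLO record offering every cipher kind above."""
    cipher_specs = b"".join(SSL2_CIPHERS)  # dict keys in insertion order
    body = (
        b"\x01"                                 # MSG-CLIENT-HELLO
        + b"\x00\x02"                           # CLIENT-VERSION = SSL 2.0
        + struct.pack(">H", len(cipher_specs))  # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)                  # SESSION-ID-LENGTH
        + struct.pack(">H", len(challenge))     # CHALLENGE-LENGTH
        + cipher_specs
        + challenge
    )
    # 2-byte record header: high bit set = no padding, low 15 bits = body length
    return struct.pack(">H", 0x8000 | len(body)) + body


def record_length(data):
    """Total length of the first SSLv2 record in data, or None if the header is incomplete."""
    if len(data) < 2:
        return None
    first = struct.unpack(">H", data[:2])[0]
    if data[0] & 0x80:
        return 2 + (first & 0x7FFF)   # 2-byte header form
    return 3 + (first & 0x3FFF)       # 3-byte header form (padding byte follows)


def parse_server_hello(record):
    """Return the cipher kinds listed in a SERVER-HELLO, or None if the bytes are not one."""
    total = record_length(record)
    if total is None:
        return None
    body = record[(2 if record[0] & 0x80 else 3):total]
    # SERVER-HELLO: type(1) session-id-hit(1) cert-type(1) version(2)
    #   cert-len(2) cipher-specs-len(2) conn-id-len(2) cert cipher-specs conn-id
    # A TLS alert (0x15 ...) or an SSLv2 ERROR message fails these checks.
    if len(body) < 11 or body[0] != 0x04 or body[3:5] != b"\x00\x02":
        return None
    cert_len, ciphers_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + ciphers_len]
    if len(specs) != ciphers_len or ciphers_len % 3:
        return None
    return [SSL2_CIPHERS.get(specs[i:i + 3], "unknown " + specs[i:i + 3].hex())
            for i in range(0, ciphers_len, 3)]


def probe_sslv2(host, port=443, timeout=5.0):
    """Send a CLIENT-HELLO to host:port; return the offered cipher kinds or None."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break                      # peer closed: no SSLv2 handshake
                data += chunk
                total = record_length(data)
                if total is not None and len(data) >= total:
                    break                      # first record is complete
        except socket.timeout:
            pass                               # silence is treated as "no SSLv2"
    return parse_server_hello(data)


# Constructed sample (not a real capture): a SERVER-HELLO offering three cipher
# kinds with a 4-byte placeholder where a real server sends its DER certificate.
_sample_body = (
    b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 4, 9, 16) + b"CERT"
    + b"\x01\x00\x80" + b"\x07\x00\xc0" + b"\x06\x00\x40" + b"\x00" * 16
)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_sample_body)) + _sample_body

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("offline self-check:", parse_server_hello(SAMPLE_SERVER_HELLO))
    else:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        ciphers = probe_sslv2(host, port)
        if ciphers:
            print(host, "still supports SSLv2:", ", ".join(ciphers))
        else:
            print(host, "did not complete an SSLv2 handshake")
```

Run it with no arguments to exercise the parser on the constructed sample, or with a host (and optional port) to probe a server you are responsible for; a non-empty cipher list after the reboot means the registry change has not taken effect.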