paulororke
newbie
Topic Author
Posts: 29
Joined: Wed Sep 21, 2016 1:16 am

Penetration scan and TLS cyphers.

Fri May 09, 2025 11:57 pm

Hi,

I have seen a few references here to the use of
tls-version=only-1.2
to manage the TLS versions used. I have an RB 3011 as a gateway to our office LAN and a third party has been engaged to do penetration scans (Kali Linux based) on the site.

I am attempting to address this point:
2.1.1 Medium 443/tcp

Medium (CVSS: 5.9)

NVT: SSL/TLS: Report Weak Cipher Suites

Product detection result
cpe:/a:ietf:transport_layer_security
Detected by SSL/TLS: Report Supported Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.802067)

Summary
This routine reports all weak SSL/TLS cipher suites accepted by a service.

Quality of Detection (QoD): 98%

Vulnerability Detection Result
'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_RC4_128_SHA
'Weak' cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_RSA_WITH_RC4_128_SHA
'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_RC4_128_SHA

Impact
This could allow remote attackers to obtain sensitive information or have other, unspecified impacts.

Solution:
Solution type: Mitigation
The configuration of this services should be changed so that it does not accept the listed weak
cipher suites anymore.
Please see the references for more resources supporting you with this task.
Should issuing the command:
 > ip service set api-ssl tls-version=only-1.2 
not limit things to only use TLS1.2? After issuing the command and rescanning, the report does not change. I even rebooted the router.

Am I missing something fundamental here? What is the correct approach to preventing the use of those older 'Weak' cipher suites in TLS1.0 and 1.1?

I guess ideally I should use only TLS1.3 to pass this test. Can this be done another way, other than the tls-version command?
 
jvanhambelgium
Forum Guru
Posts: 1125
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Penetration scan and TLS cyphers.

Sat May 10, 2025 9:01 am

Side question: you have the Webfig interface available from/for the whole office LAN then? I assume the pen-test is "internal", so on the LAN itself.
You don't have it narrowed down to e.g. 1 or 2 management stations that can connect to your 3011?
Use Winbox?
 
tangent
Forum Guru
Posts: 1715
Joined: Thu Jul 01, 2021 3:15 pm

Re: Penetration scan and TLS cyphers.

Sat May 10, 2025 9:21 am

Should issuing the command:
 > ip service set api-ssl tls-version=only-1.2 
not limit things to only use TLS1.2?

Your pen tester is not checking just the REST API, they are checking from the root of the site, which is served by:

/ip service set www-ssl tls-version=only-1.2

Separate service, separate setting.

If you only want the REST API and no WebFig, then disable both www and www-ssl.
 
infabo
Forum Guru
Posts: 1697
Joined: Thu Nov 12, 2020 12:07 pm

Re: Penetration scan and TLS cyphers.

Mon May 12, 2025 4:29 pm

According to the docs, either the www-ssl or the www service needs to be enabled for the REST API.

see https://help.mikrotik.com/docs/spaces/R ... 2/REST+API
 
paulororke
newbie
Topic Author
Posts: 29
Joined: Wed Sep 21, 2016 1:16 am

Re: Penetration scan and TLS cyphers.

Mon May 12, 2025 6:01 pm

Thanks for this.

I see, api-ssl and www-ssl are discrete.

The pen test is from outside and should not be hitting my internal anything as far as I understand.

Before the test I had

Image

after running
ip service set www-ssl tls-version=only-1.2
I get

Image

So I will have them run the test again.

One question - why would the pen test be reporting on services that are disabled?

Very much appreciated guys. I'll let you know how it goes if you are interested.

cheers
 
paulororke
newbie
Topic Author
Posts: 29
Joined: Wed Sep 21, 2016 1:16 am

Re: Penetration scan and TLS cyphers.

Mon May 12, 2025 7:29 pm

I am still getting the same pen test results.

I was confused as to why port 443 was even coming up, then remembered that I have some SSTP-based VPNs available that use 443.

Can I specify the TLS version for use in an SSTP set up?
 
Amm0
Forum Guru
Posts: 4873
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Penetration scan and TLS cyphers.

Mon May 12, 2025 7:46 pm

There is a setting to enable tls-1.2-only on the SSTP interface.
/interface/sstp-server/server/set tls-version=only-1.2
It's also in Winbox: from PPP on the left, then the "SSTP Server" button, you'll see the same option.
 
Amm0
Forum Guru
Posts: 4873
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Penetration scan and TLS cyphers.

Mon May 12, 2025 7:49 pm

Also note, in the upcoming 7.19 release, there is a newer feature that will show all open ports (similar to netstat) in /ip/services. This would help to identify WHICH process might be using something like 443 in future.
 
paulororke
newbie
Topic Author
Posts: 29
Joined: Wed Sep 21, 2016 1:16 am

Re: Penetration scan and TLS cyphers.

Tue May 13, 2025 12:59 am

Thanks for this. Very much appreciated.

I have to confess to being a "Jack of all Trades" in IT. Unfortunately that also means "Master of none", and security is not my strong suit.

I have now added only-1.2 to the SSTP as suggested, but the scan report of old cyphers being used persists.

I have a port forward to a Windows server that someone else manages. I will have that admin try limiting things to 1.2 and see if that helps.

Perhaps the issue is not the router at all and I have been barking up the wrong tree.

Regardless, it is good to limit the cyphers on the router, so this has not exactly been a waste of time.

Your help is very much appreciated.
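The thread above ends up naming three separate things that can answer on TCP/443 on a router like this one: the www-ssl service (a different service from api-ssl), the SSTP server, and a dst-nat port forward to a host behind the router, each with its own tls-version setting or none at all. As an added example (not code from the thread, from MikroTik, or from any of the posters), this Python script walks a constructed RouterOS /export, lists every candidate for a given port, and shows which ones are not yet locked to only-1.2. The export layout, the default service ports, and the sample addresses are assumptions made for the example.

```python
import re

# Constructed sample of a RouterOS /export (made up for this example): the
# www-ssl service, the SSTP server and a dst-nat port forward can all answer
# TCP/443. Addresses and ports are example values, not from the thread.
SAMPLE_EXPORT = """\
/ip service
set api-ssl port=8729 tls-version=only-1.2
set www-ssl disabled=no port=443
set www disabled=yes
/interface sstp-server server
set enabled=yes port=443 tls-version=any
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.0.2.10 to-ports=443
"""

DEFAULT_PORTS = {"www": "80", "www-ssl": "443", "api": "8728", "api-ssl": "8729"}
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value tokens on a set/add line

def parse_export(text):
    """Yield (section, item name or None, attrs) for every set/add line."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith(("set ", "add ")):
            body = line.split(None, 1)[1]
            first = body.split()[0]
            name = first if "=" not in first else None  # e.g. "www-ssl"
            yield section, name, dict(KV.findall(body))

def listeners_on(text, port):
    """Everything that could answer TCP/<port>; tls is None for a forward (set on the host)."""
    found = []
    for section, name, a in parse_export(text):
        if section == "/ip service" and a.get("disabled", "no") != "yes":
            if a.get("port", DEFAULT_PORTS.get(name)) == port:
                found.append((f"/ip service {name}", a.get("tls-version", "any")))
        elif section == "/interface sstp-server server" and a.get("enabled") == "yes":
            if a.get("port", "443") == port:
                found.append((section, a.get("tls-version", "any")))
        elif section == "/ip firewall nat" and a.get("action") == "dst-nat":
            if a.get("dst-port") == port and a.get("disabled", "no") != "yes":
                found.append((f"dst-nat -> {a.get('to-addresses')}:{a.get('to-ports', port)}", None))
    return found

def not_locked_to_tls12(text, port):
    """Listeners whose TLS floor is not only-1.2; a forward must be fixed on the target host."""
    return [(where, tls) for where, tls in listeners_on(text, port) if tls != "only-1.2"]
```

Run it against your own `/export` output instead of the sample to see why a scan of port 443 keeps reporting old protocols after only one of the three has been changed.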