Re: Openssl CCS-Inject script - False positives and varying results across versions downloaded on 07/15 and 07/24

[Claudiu Perta <claudiu.perta () gmail com>]

> I downloaded the ssl-ccs-injection.nse script from
> http://www.nmap.org/nsedoc/scripts/ssl-ccs-injection.html to validate that
> one of our hosts vulnerability status.
>
> Environment:
> CentOS Host runs Node v 0.8.17 which comes with OpenSSL 1.0.0 (Clearly
> Vulnerable)
>
> *Iteration 1*:
> *Step*:
> Downloaded ssl-ccs-injection.nse on 07/15  and executed it
>
> *Result*:
> | ssl-ccs-injection:
> |   VULNERABLE:
> |   SSL/TLS MITM vulnerability (CCS Injection)
> |     State: VULNERABLE
>
>
> Flagged it as an issue and alerted the admin responsible to take corrective
> actions as identified by CVE.
>
> Time Flies...
>
> *Iteration 2*:
> *Step: *
> Admin downloads script from location above and runs a scan
>
> *Result:*
> Flags no vulnerability
>
> Out of curiosity, I diffed the scripts and found that there are some
> significant differences.
> [image: Inline image 1]
>
> I need help in figuring out which of the outputs is valid (purely from CVE
> perspective) Output of previous script is valid.
>
> Just wanted to flag this as the script might just be around and more people
> might be using it as time goes on.

Thanks for the report. So the changes were introduced as many people
reported false positives on non-vulnerable SSL/TLS implementations
different than OpenSSL, but, clearly, this is too restrictive. I'll test
all OpenSSl versions affected by the vulnerability, and, depending on the
results, the script could to either removed from nmap, or specify exactly
which OpenSSL versions are supported (and maybe a separate check could be
implemented in these cases).

Cheers,
--Claudiu
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/