Nmap Development mailing list archives
Re: Openssl CCS-Inject script - False positives and varying results across versions downloaded on 07/15 and 07/24
From: Claudiu Perta <claudiu.perta () gmail com>
Date: Thu, 24 Jul 2014 10:27:01 +0100
I downloaded the ssl-ccs-injection.nse script from http://www.nmap.org/nsedoc/scripts/ssl-ccs-injection.html to validate one of our hosts' vulnerability status.

Environment: CentOS Host runs Node v 0.8.17 which comes with OpenSSL 1.0.0 (Clearly Vulnerable)

*Iteration 1*:
*Step*: Downloaded ssl-ccs-injection.nse on 07/15 and executed it
*Result*:
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE

Flagged it as an issue and alerted the admin responsible to take corrective actions as identified by CVE.

Time Flies...

*Iteration 2*:
*Step*: Admin downloads script from location above and runs a scan
*Result*: Flags no vulnerability

Out of curiosity, I diffed the scripts and found that there are some significant differences.

[image: Inline image 1]

I need help in figuring out which of the outputs is valid (purely from CVE perspective)

Output of previous script is valid. Just wanted to flag this as the script might just be around and more people might be using it as time goes on.
Thanks for the report. So the changes were introduced as many people reported false positives on non-vulnerable SSL/TLS implementations different than OpenSSL, but, clearly, this is too restrictive. I'll test all OpenSSL versions affected by the vulnerability, and, depending on the results, the script could either be removed from nmap, or specify exactly which OpenSSL versions are supported (and maybe a separate check could be implemented in these cases).

Cheers,
--Claudiu

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- Openssl CCS-Inject script - False positives and varying results across versions downloaded on 07/15 and 07/24 Narsi (Jul 24)
- Re: Openssl CCS-Inject script - False positives and varying results across versions downloaded on 07/15 and 07/24 Claudiu Perta (Jul 24)