Elxis CMS Forum
Support => Security => Topic started by: seadhna on December 13, 2024, 18:54:45
-
Hi datahell,
I've received this email for an Elxis-built website (I've removed the URL from the email below). This is apparently a reputable organization; I don't know if this means some change should be made to Elxis; it may be nothing at all; but thought I should pass it along for your information:
From: DIVD-CSIRT <divd-2024-0004@csirt.divd.nl>
Subject: Reminder: Weak Cipher Suites Detection in example.org
Hi,
This is a reminder about a previously found vulnerability. Researchers from DIVD have scanned your system as part of a project to identify and help remediate vulnerabilities in the public-facing assets of NGOs. We are working with the Cyber Peace Institute, The Hague Humanity Hub, and the Municipality of The Hague to improve cyber resilience among NGOs. We have identified a vulnerability in your website example.org. To remediate this vulnerability, please ensure your systems are up to date and configured correctly.
Scan data:
Vulnerable URL: www.example.org:443
Timestamp Scan: 2024-11-16T21:03:32.831474262Z
Found vulnerability: Weak Cipher Suites Detection
Vulnerability description:
An insecure cipher is an encryption/decryption algorithm or cipher suite that, due to factors like insufficient key length, deprecated protocols, known cryptographic weaknesses, or support for vulnerable cipher suites, can be compromised, posing risks to data confidentiality and integrity.
Suggested remediation:
To remediate, disable all insecure or deprecated ciphers and cipher suites, and configure systems to support only strong, up-to-date encryption algorithms and protocols.
We found the vulnerability by performing a scan for commonly found website vulnerabilities. One of our volunteers then manually confirmed it. No damage or harm to your systems has been done. If you need help resolving this vulnerability, we recommend signing up for help from a volunteer at the Cyber Peace Builders at cpb.ngo/nonprofits.
If you have any remaining questions or need help in mitigating this vulnerability, do not hesitate to contact us at csirt@divd.nl. DIVD-CSIRT is part of DIVD, a non-profit organization that strives to make the Internet safer. More information about this institute can be found at divd.nl.
Thank you for your time and attention.
DIVD-CSIRT
-
This has nothing to do with Elxis, not even with any of the site contents. This is an SSL-related setting for the web server.
I edited your post and removed 2 links as it looked like an ad.
-
Ok, thanks datahell!
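
Added example, not part of the thread and not DIVD's or Elxis' code: a small audit that takes the protocol/cipher pairs a TLS scan reports for a web server and flags the ones matching the categories in the email's description (deprecated protocols, insufficient key length, known cryptographic weaknesses). The function names and the sample scan result are constructed for illustration.

```python
import re

# Protocol versions that are formally deprecated (SSLv3: RFC 7568, TLS 1.0/1.1: RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Tokens in OpenSSL-style or IANA-style suite names that mark a weak suite.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "EXPORT": "export-grade key length",
    "ADH": "anonymous key exchange, server not authenticated",
    "AECDH": "anonymous key exchange, server not authenticated",
    "ANON": "anonymous key exchange, server not authenticated",
    "RC4": "RC4 (prohibited by RFC 7465)",
    "CBC3": "3DES, 64-bit block (Sweet32)",
    "3DES": "3DES, 64-bit block (Sweet32)",
    "MD5": "MD5-based MAC",
}

def weaknesses(protocol, cipher):
    """Return the list of reasons a (protocol, cipher) pair is weak; empty if none."""
    tokens = [t.upper() for t in re.split(r"[-_]", cipher)]
    reasons = []
    if protocol in DEPRECATED_PROTOCOLS:
        reasons.append(f"deprecated protocol {protocol}")
    for tok in tokens:
        reason = WEAK_TOKENS.get(tok)
        if reason and reason not in reasons:
            reasons.append(reason)
    # OpenSSL names 3DES "DES-CBC3"; a bare DES token without CBC3 is single DES.
    if "DES" in tokens and "CBC3" not in tokens:
        reasons.append("single DES, 56-bit key")
    return reasons

def audit(offered):
    """Map each weak (protocol, cipher) pair to its reasons; strong pairs are omitted."""
    return {pc: r for pc in offered if (r := weaknesses(*pc))}

# Constructed sample of what a scan of a server's port 443 might report.
SAMPLE = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "DES-CBC3-SHA"),
    ("TLSv1.2", "RC4-MD5"),
    ("TLSv1", "AES128-SHA"),
    ("SSLv3", "EXP-RC4-MD5"),
]

if __name__ == "__main__":
    for (proto, cipher), reasons in audit(SAMPLE).items():
        print(f"{proto:8} {cipher:30} {'; '.join(reasons)}")
```

Anything the audit flags is removed in the web server's TLS configuration (protocol and cipher list), not in the CMS.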