CCE-99418-6
Platform: cpe:/o:redhat:enterprise_linux:9, cpe:/o:redhat:enterprise_linux:8, cpe:/o:oracle:linux:8 | Date: (C)2024-04-23 (M)2024-04-23
The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.
Rationale:
If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023 bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457.
Audit:
Run the following command to verify that the system-wide crypto policy is not LEGACY. No output means the policy is not LEGACY.
# grep -E -i '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config
Fix:
Run the following command to change the system-wide crypto policy
# update-crypto-policies --set DEFAULT
# update-crypto-policies
Parameter:
[DEFAULT/LEGACY (Not recommended)/FUTURE/FIPS]
Technical Mechanism:
Run the following command to change the system-wide crypto policy
# update-crypto-policies --set DEFAULT
# update-crypto-policies
CCSS Severity:
CCSS Score: 7.3
Exploit Score: 1.8
Impact Score: 5.5
Severity: HIGH
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
CCSS Metrics:
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: HIGH
Availability: HIGH
References:
Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:97470 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:96247 |