Insufficient DH Group Strength Vulnerability
-
Hi
When we did a vulnerability assessment on our pfSense firewall we could see the below vulnerability being reported during the scan: "SSL Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability"
Is there any recommended solution or workaround for closing this vulnerability on pfsense?
Any help is much appreciated.
-
Not with this amount of info, no. Blindly running scans without understanding what's being done and what's the output about is not exactly productive.
-
What did you scan? What service came back with that? Are you running say HAproxy or something?
-
Hi
It is occurring on port 4443, a custom port number for the web configurator (Web GUI). I have also appended the vulnerability results.

Medium (CVSS: 4.0)
NVT: SSL Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
Port: 4443
Summary: The TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).
Vulnerability Detection Result: Server Temporary Key Size: 1024 bits

Also when I searched I could see a generic workaround: "Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)".
But not sure whether the same can be applied for PFSense.
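The scanner finding above comes from looking at the ephemeral key the server sends in its TLS 1.2 ServerKeyExchange message: for a DHE cipher suite the modulus length is the "Server Temporary Key Size", and anything under 2048 bits is flagged, while the ECDHE workaround replaces that finite-field group with a named elliptic curve. The following script is an added example for this thread, not pfSense, nginx or scanner code; it parses both wire formats (RFC 5246 ServerDHParams and RFC 8422 ServerECDHParams with curve_type = named_curve) and classifies the result the same way the finding does. The sample messages are constructed inline (the DH modulus only has the right length and is not a real safe prime), so it runs offline with no access to a firewall.

```python
"""Classify the ephemeral key exchange in a TLS 1.2 ServerKeyExchange
message the way the "Insufficient DH Group Strength" finding does.

Added example, not pfSense or scanner code. Wire formats:
  DHE   : ServerDHParams  { opaque dh_p<1..2^16-1>; dh_g; dh_Ys }   (RFC 5246 7.4.3)
  ECDHE : ServerECDHParams{ curve_type=3, NamedCurve(2 bytes), ECPoint<1..2^8-1> } (RFC 8422 5.4)
"""
import struct

DH_MIN_BITS = 2048   # finite-field DH groups below this size are flagged

# IANA TLS NamedCurve identifiers -> (curve name, size in bits)
NAMED_CURVES = {
    23: ("secp256r1", 256),
    24: ("secp384r1", 384),
    25: ("secp521r1", 521),
    29: ("x25519", 255),
}


def _read_vec16(buf, off):
    """Read an opaque<1..2^16-1> vector: 2-byte big-endian length, then bytes."""
    (length,) = struct.unpack_from("!H", buf, off)
    off += 2
    if length == 0 or off + length > len(buf):
        raise ValueError("malformed vector")
    return buf[off:off + length], off + length


def parse_dhe_params(params):
    """Parse ServerDHParams and report the modulus size (the 'temporary key size')."""
    p_bytes, off = _read_vec16(params, 0)
    _g_bytes, off = _read_vec16(params, off)
    _ys_bytes, off = _read_vec16(params, off)
    bits = int.from_bytes(p_bytes, "big").bit_length()
    return {
        "kex": "DHE",
        "temporary_key_bits": bits,
        "flagged": bits < DH_MIN_BITS,
        "finding": f"Server Temporary Key Size: {bits} bits",
    }


def parse_ecdhe_params(params):
    """Parse ServerECDHParams with curve_type = named_curve (3)."""
    if params[0] != 3:
        raise ValueError("only curve_type named_curve (3) is handled")
    (curve_id,) = struct.unpack_from("!H", params, 1)
    point_len = params[3]
    point = params[4:4 + point_len]
    if len(point) != point_len:
        raise ValueError("truncated ECPoint")
    name, bits = NAMED_CURVES.get(curve_id, (f"unknown({curve_id})", 0))
    return {
        "kex": "ECDHE",
        "curve": name,
        "temporary_key_bits": bits,
        # The finding targets finite-field DH; ECDHE on a known curve is what
        # the generic "deploy ECDHE" advice produces. Only unknown curves are flagged.
        "flagged": curve_id not in NAMED_CURVES,
        "finding": f"Server Temporary Key: {name}",
    }


# --- constructed samples (not captured traffic) -----------------------------

def _vec16(b):
    return struct.pack("!H", len(b)) + b


def build_dhe_sample(p_bits):
    """Constructed ServerDHParams with a p_bits-long modulus (NOT a real safe prime)."""
    p = (1 << (p_bits - 1)) | 1
    p_bytes = p.to_bytes((p_bits + 7) // 8, "big")
    ys = (3).to_bytes(len(p_bytes), "big")       # placeholder public value
    return _vec16(p_bytes) + _vec16(b"\x02") + _vec16(ys)


def build_ecdhe_sample(curve_id, point_len):
    """Constructed ServerECDHParams: named_curve, curve id, placeholder uncompressed point."""
    point = b"\x04" + b"\x00" * (point_len - 1)
    return bytes([3]) + struct.pack("!H", curve_id) + bytes([point_len]) + point


if __name__ == "__main__":
    samples = [
        ("1024-bit DHE (the thread's finding)", parse_dhe_params(build_dhe_sample(1024))),
        ("2048-bit DHE", parse_dhe_params(build_dhe_sample(2048))),
        ("ECDHE secp256r1", parse_ecdhe_params(build_ecdhe_sample(23, 65))),
    ]
    for label, result in samples:
        verdict = "FLAGGED" if result["flagged"] else "ok"
        print(f"{label}: {result['finding']} -> {verdict}")
```

Run it as-is to see the 1024-bit case reproduce the scanner's "Server Temporary Key Size: 1024 bits" line while the 2048-bit group and the ECDHE exchange pass; to check a real server you would feed the params field of a captured ServerKeyExchange into the matching parser instead of the constructed samples.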
-
No idea if using outdated pfSense or the (still unknown) scanner produces complete BS. - https://github.com/pfsense/pfsense/blob/RELENG_2_3_2/src/etc/inc/system.inc#L1340
-
What version of pfSense are you running? As dok pointed out, this has been updated quite some time ago.
I just ran a scan against my pfsense 2.3.2_p1
-
Hi
We are using pfSense 2.2.4.
-
So you're worried about security and running a version that came out in July of 2015 ;) Makes a lot of sense… doh!!!
-
Time to upgrade.