+ Reply to Thread
Results 1 to 2 of 2
  1. Senior Member shochan's Avatar
    Join Date
    Sep 2016
    Location
    AR
    Posts
    651

    Certifications
    A+, Network+, i-Net+, Novell CNA 5.0, MCP 70-210, Server+, Security+, Cloud+
    #1

    Default Exchange Server gurus & encrypting emails

    So, I found a vulnerability in our exchange servers this week (I'm not part of Exch team, so not for certain which svr version they are using) - because our S/MIME encrypting method is using 3DES - which was compromised by the Sweet32 attack.

    https://sweet32.info/
    CVE-2016-2183 : The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a bi
    https://csrc.nist.gov/News/2017/Upda...cation-of-TDEA

    I wondered why whoever setup this exchange didn't go with AES encryption (possibly being Exch 2003) idk, that's why I wanted to inquire with the TE folks/gurus out there. What encryption methods are you using? if any...or possibly 3rd party software?

    Cheers and Hi5!
    2018 goals -> PenTest+ Beta (failed), Linux+ Beta (Oct), CEH (Dec)
    2019 goals -> Linux+ 103 (Jan), Linux+ 104 (Mar)
    Reply With Quote Quote  

  2. Senior Member
    Join Date
    Jan 2015
    Location
    Chicago, IL
    Posts
    1,156

    Certifications
    Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #2
    From what I remember from sweet description it's very hard to exploit. Not only it requires MITM, it's unlikely that a typical email size would be enough. They typically talk about hundreds of gigabytes of a single session for which this single encryption key was used which is by far much higher than a typical email size. I'd let it slide no issues if my memory serves me well and there's a reason for using 3DES in this case.
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks