SSL Medium Strength Cipher Suite Supported (SWEET32) (MacOS) (CUPS) Vulnerability
Written by Luke Peach

When a vulnerability scanner detects SWEET32, it reports the finding with a CVSS score of 7.5 (High).

CVSS (Common Vulnerability Scoring System) is the industry-standard scheme for rating the severity of a finding on a scale from 0 to 10. CVSS v3 groups scores into bands: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9) and Critical (9.0 to 10.0), so 7.5 is a High finding. Note that "Medium Strength" in the scanner's plugin name refers to the cipher (64 to 111-bit keys, or 3DES), not to the severity of the finding.

SWEET32 has been public since 2016. It is the name of an attack published by two researchers at INRIA, the French national research institute for computer science: Karthikeyan Bhargavan and Gaëtan Leurent.

Their findings were assigned CVE-2016-2183 (3DES in TLS) and CVE-2016-6329 (Blowfish in OpenVPN). The attack exploits a design property of ciphers with a 64-bit block length, not a bug in any one implementation, and such ciphers are used in common protocols including TLS, SSH, IPsec and OpenVPN.

These are older ciphers that offer less protection than modern ones such as AES. SWEET32 is a birthday attack on 64-bit block ciphers (3DES and Blowfish) in CBC mode: once roughly 2^32 blocks (about 32 GB) have been encrypted under one key on a single long-lived connection, two ciphertext blocks are likely to collide, and each collision reveals the XOR of two plaintext blocks. If the attacker can inject large amounts of known traffic alongside a secret that is re-sent repeatedly (the researchers used a session cookie that a browser attaches to every request), this allows the attacker, in these limited circumstances, to recover small portions of plaintext.

Block ciphers are symmetric algorithms that encrypt plaintext in fixed-size blocks, as the name implies, rather than bit by bit. One of the characteristics of such ciphers is the block length, which determines the size of the chunks into which the plaintext is split and then encrypted. Importantly, the block length is independent of the key length: 3DES uses a 168-bit key yet still has a 64-bit block. So even if you choose a large key size, the block length imposes its own limit on how much data can safely be encrypted under one key, and in this case that limit is the vulnerability.

The Common Unix Printing System (CUPS), bundled with macOS, is free open source software originally developed by Easy Software Products under the GNU General Public License and the GNU Lesser General Public License; Apple acquired it in 2007, and releases since CUPS 2.3 are licensed under the Apache License 2.0. It is a portable, extensible printing system for Unix-like systems based on the Internet Printing Protocol (IPP). The scanner raises this finding against macOS when the CUPS daemon (cupsd) serves its web interface and IPP over TLS on port 631 while still accepting 3DES CBC cipher suites.

To remediate, disable the weak cipher suites in the CUPS daemon's own configuration file (there is no separate SSL configuration file). The file is cupsd.conf and it is located in the '/etc/cups/' folder.

As root (sudo), open /etc/cups/cupsd.conf in a text editor and add the following line, for example right below the 'WebInterface Yes/No' line:

SSLOptions DenyCBC MinTLS1.2


DenyCBC removes every CBC-mode cipher suite, which covers all 3DES suites in TLS; MinTLS1.2 refuses TLS 1.0 and 1.1, but on its own it would not fix the finding, because TLS 1.2 still negotiates 3DES. If the file already contains an SSLOptions line, edit that line rather than adding a second one.

Note: cupsd reads cupsd.conf at start-up, so the service (or the machine) must be restarted after making these changes. On macOS cupsd runs under launchd: sudo launchctl stop org.cups.cupsd followed by sudo launchctl start org.cups.cupsd. Then re-run the vulnerability scan against port 631 to confirm the finding is gone.
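For applying the steps above to many Macs (for example from an MDM script), here is an added example that is not part of the guide or of CUPS itself. It rewrites cupsd.conf idempotently (replacing an existing SSLOptions line, otherwise inserting after WebInterface, otherwise appending), checks the result, and restarts cupsd through launchd. The launchd label org.cups.cupsd and the need to run as root are assumptions about a stock macOS install; the sample configuration used in the comments and tests is constructed.

```python
import os
import re
import subprocess
import sys
import tempfile

CUPSD_CONF = "/etc/cups/cupsd.conf"
HARDENED = "SSLOptions DenyCBC MinTLS1.2"

# Match active (uncommented) directives; a leading '#' does not match.
SSL_RE = re.compile(r"^\s*SSLOptions\b(.*)$", re.IGNORECASE)
WEB_RE = re.compile(r"^\s*WebInterface\b", re.IGNORECASE)


def ssl_options(text):
    """Set of option keywords (lower-cased) from every active SSLOptions line."""
    opts = set()
    for line in text.splitlines():
        m = SSL_RE.match(line)
        if m:
            opts.update(tok.lower() for tok in m.group(1).split())
    return opts


def is_hardened(text):
    """True when CBC suites are denied (drops every 3DES suite) and TLS < 1.2 is refused."""
    opts = ssl_options(text)
    return "denycbc" in opts and "mintls1.2" in opts


def harden_cupsd_conf_text(text):
    """Return the config with exactly one hardened SSLOptions line.

    An existing SSLOptions line is replaced in place (duplicates are dropped);
    otherwise the line is inserted right after WebInterface, as the guide says,
    or appended if there is no WebInterface line.  Running it twice is a no-op.
    """
    lines = text.splitlines()
    has_ssl = any(SSL_RE.match(line) for line in lines)
    out, done = [], False
    for line in lines:
        if has_ssl and SSL_RE.match(line):
            if not done:
                out.append(HARDENED)
                done = True
            continue
        out.append(line)
        if not has_ssl and not done and WEB_RE.match(line):
            out.append(HARDENED)
            done = True
    if not done:
        out.append(HARDENED)
    return "\n".join(out) + "\n"


def harden_cupsd_conf(path=CUPSD_CONF):
    """Rewrite the file atomically, keeping its mode; returns True if it changed."""
    with open(path, encoding="utf-8") as f:
        old = f.read()
    new = harden_cupsd_conf_text(old)
    if new == old:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".cupsd.conf.")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(new)
    os.chmod(tmp, os.stat(path).st_mode & 0o777)
    os.replace(tmp, path)  # atomic swap, so cupsd never sees a half-written file
    return True


def restart_cups():
    """cupsd reads cupsd.conf at start-up; on macOS it runs under launchd (assumed label)."""
    subprocess.run(["launchctl", "stop", "org.cups.cupsd"], check=True)
    subprocess.run(["launchctl", "start", "org.cups.cupsd"], check=True)


if __name__ == "__main__":
    # usage: sudo python3 harden_cups_tls.py [path-to-cupsd.conf]
    target = sys.argv[1] if len(sys.argv) > 1 else CUPSD_CONF
    if harden_cupsd_conf(target):
        print("%s: wrote '%s'" % (target, HARDENED))
        if target == CUPSD_CONF:
            restart_cups()
    else:
        print("%s: already hardened" % target)
```

Point it at a copy of the file first to review the diff; keep in mind that a macOS upgrade can replace /etc/cups/cupsd.conf, so the check in is_hardened() is worth re-running periodically rather than once.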
