EAP225 Insecure cipher list in the WebUI

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-07-11 09:17:06 - last edited 2022-07-11 11:25:35
Model: EAP225  
Hardware Version: V3
Firmware Version: 5.0.9 Build 20220429 Rel. 43558(4555)

Hi there,

 

I couldn't find anyone specifically talking about this, so I thought I would ask it myself. I run OpenVAS on my home network and my APs are flagged as having an insecure cipher list for TLSv1.2. I have TLSv1.1 and 1.0 disabled. I would like to know if it's possible to remove the insecure ciphers from the list, and also, while I'm at it, can I use TLSv1.3?

Here's what I get told by OpenVAS:

 

Summary
This routine reports all SSL/TLS cipher suites accepted by a service
where attack vectors exists only on HTTPS services.
Detection Result
'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
Insight
These rules are applied for the evaluation of the vulnerable cipher suites:

- 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).
Detection Method
Details:
SSL/TLS: Report Vulnerable Cipher Suites for HTTPS OID: 1.3.6.1.4.1.25623.1.0.108031
Version used:
2021-09-20T09:01:50Z
Affected Software/OS
Services accepting vulnerable SSL/TLS cipher suites via HTTPS.
Solution
Solution Type:
Mitigation
The configuration of this services should be changed so
that it does not accept the listed cipher suites anymore.

Please see the references for more resources supporting you with this task.
References
CVE
CVE-2016-2183
CVE-2016-6329
CVE-2020-12872

Thanks in advance,

Christian.

Re:EAP225 Insecure cipher list in the WebUI
2022-07-12 11:28:10

Dear @Its_Christian ,

 

Its_Christian wrote

I couldn't find anyone specifically talking about this, so I thought I would ask it myself. I run OpenVAS on my home network and my APs are flagged as having an insecure cipher list for TLSv1.2. I have TLSv1.1 and 1.0 disabled. I would like to know if it's possible to remove the insecure ciphers from the list, and also, while I'm at it, can I use TLSv1.3?

Here's what I get told by OpenVAS:

Summary
This routine reports all SSL/TLS cipher suites accepted by a service
where attack vectors exists only on HTTPS services.
Detection Result
'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

Thank you very much for your feedback on this issue.


The issue you mentioned will be updated and fixed in a subsequent release, with the default setting of disabling insecure encryption suites and adding an enable switch in the admin screen.
Please be patient and wait for the subsequent release of the firmware, subject to the final software release notes.

 

Best Regards!

Re:EAP225 Insecure cipher list in the WebUI
2022-09-02 11:05:54
Hi there, Is there any progress update on this issue? I'd really like to know if you plan on fixing the vulnerable firmware, and if you are when it will be available to download. Thanks!
Re:EAP225 Insecure cipher list in the WebUI
2022-10-11 07:51:56

Are there any updates as to a new release of firmware for this device yet? Keen to get the vulnerable ciphers disabled asap.

Re:EAP225 Insecure cipher list in the WebUI
2022-10-13 04:55:49

Dear @Its_Christian ,

 

Its_Christian wrote

Are there any updates as to a new release of firmware for this device yet? Keen to get the vulnerable ciphers disabled asap.

 

Sorry for any trouble caused!

 

I haven't been informed of the ETA of the new firmware for this EAP yet; I will try to push the R&D team to release the firmware shortly.

If you need any further assistance with the TP-Link products, please feel free to start a thread on the community or submit a ticket email to our technical support team from here.

 

Best Regards!


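To re-check a device you administer after a firmware update without running a full scan, the probe below offers only TLS_RSA_WITH_3DES_EDE_CBC_SHA (the suite in the OpenVAS report at the top of this thread) in a TLS 1.2 ClientHello and reports whether the server selects it. It is an added example, not code from the thread or from TP-Link; the function names and sample replies are illustrative, and it assumes the server answers a ClientHello that carries no extensions.

```python
import os
import socket
import struct

SUITE_3DES = 0x000A  # IANA code point of TLS_RSA_WITH_3DES_EDE_CBC_SHA

def build_client_hello(suites):
    """Return a TLS 1.2 ClientHello record offering only `suites`."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03"                  # client_version: TLS 1.2
            + os.urandom(32)             # client random
            + b"\x00"                    # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def selected_suite(reply):
    """Return the suite chosen in a ServerHello, or None if refused."""
    if len(reply) < 5:
        return None
    ctype, _version, rlen = struct.unpack("!BHH", reply[:5])
    rec = reply[5:5 + rlen]
    if ctype != 0x16 or len(rec) < 39 or rec[0] != 0x02:
        return None                      # alert (0x15) or not a ServerHello
    hello = rec[4:]                      # skip handshake type and length
    off = 35 + hello[34]                 # version(2) random(32) sid_len(1) sid
    return struct.unpack("!H", hello[off:off + 2])[0] if len(hello) >= off + 2 else None

def accepts_suite(host, port=443, suite=SUITE_3DES, timeout=5.0):
    """True if the server answers with a ServerHello selecting `suite`."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello([suite]))
        try:
            while len(reply) < 5 or len(reply) < 5 + int.from_bytes(reply[3:5], "big"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except OSError:
            pass                         # reset or timeout counts as refusal
    return selected_suite(reply) == suite

# Constructed replies, not captured from a device.
_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x0a" + b"\x00"
SAMPLE_SERVER_HELLO = b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26" + _body
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"  # fatal handshake_failure
```

Call `accepts_suite("<address of your AP>")` against the management interface; `False` means the 3DES suite was refused, which is also the result for a server that only speaks TLS 1.3.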