Hello everyone, I ran a pentest with Openvas on my server. I use the policy 10/05/2020 and the test found vulnerabilities.
64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).
I’ll stop here. Can anyone suggest me any Custom actions to take, clearly if necessary?
From the reports I see https tcp port 631 (I think cups).
@giacomo i don’t know if I’m bugging the right person but… it’s expected that CUPS comply with the TLS policy?
@france is expected that your installation allow CUPS available on RED or other interfaces?
Not exactly, the penteste I wanted to perform was just to test the system, the cups service runs only via LAN and in the future via VPN. Anyway, thank you -
Am i correct? You pentested the system from GREEN interface?
Yes, I wanted to do it for a simple test, also if I had to take a test from Wan I had to modify firewalls, fail2ban etc. In practice, a simple internal verification.
Uh, CUPS…is there someone who still using it out there?
I’m working a little on some vulnerability tools (OpenVAS and Nessus) in the last few weeks and I saw many of such warning. Most of them can be ignored, especially for services exposed only inside the LAN.
TLS policy has been created mostly for public services, I do not think it’s necessary to enforce it for private networks.
@france if you want to improve CUPS security, try to set
SSLOption, it should be something like (not tested):
More info at
Please report back your findings
The “policy name” states some services where it’s applied…
This policy disables the TLS protocol versions 1.0 and 1.1. It applies to the following services:
Apache (httpd, httpd-admin)
But the main reference of documentations is… generic
The TLS policy page controls how individual services configure the Transport Layer Security (TLS) protocol, by selecting a policy identifier .
If not otherwise stated, the TLS settings of policies are always cumulative : newer policies extend older ones .
Which is fine, but…IMVHO should be reported that the TLS policy management affects only some services (not all) described into every policy.
Thanks for info, @giacomo
(Anyway… CUPS supports IPP, still used)
Yes, in fact, I had already seen this. Anyway, thank you Pike as always!
Hi Giacomo, I don’t use cups much, but as written above I just wanted to launch a pentest and I’m not here to list the other alerts (Postfix), because my question was only directed to the vulnerability found in SSL at CUPS 631 service. Anyway, thank you for your intervention.