← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:20007 · Disclosed 2005-10-12

SSL Version 2 and 3 Protocol Detection

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

Calling this critical everywhere is like rating a rusty spare key the same as an unlocked front door

Tenable plugin 20007 fires when a remote service will still negotiate SSLv2 and/or SSLv3. This is not a single-product bug with a neat fixed build; it is a protocol-hardening finding that can appear on web servers, mail gateways, load balancers, management planes, appliances, and anything else exposing TLS. In practice, the affected 'version range' is simply any service configuration that still permits SSLv2 or SSLv3, including cases where the application is current but the OS crypto policy, reverse proxy, or appliance listener still allows the legacy protocol.

Tenable's Critical / 9.8 label overshoots reality for most enterprises. The real exploit paths are usually man-in-the-middle downgrade abuse for SSLv3 or cross-protocol decryption conditions for SSLv2 such as RSA key exchange and sometimes shared private keys, not unauthenticated one-shot remote takeover. That's a real security problem and a valid remediation target, but for a patch queue managing 10,000 hosts it is usually medium priority crypto hygiene unless the endpoint is internet-facing, carries credentials, or fronts sensitive admin traffic.

"This is obsolete crypto, not instant RCE: real risk hinges on exposure, downgradeability, and key-exchange details."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Fingerprint the listener with nmap ssl-enum-ciphers

An attacker or scanner first confirms that the target will negotiate SSLv2 or SSLv3. The usual tooling is nmap --script ssl-enum-ciphers, testssl.sh, or sslyze, which quickly identifies protocol support and cipher posture before any real exploit attempt.
Conditions required:
  • Network reachability to the target service and port
  • A TLS-speaking service exposed on that port
Where this breaks in practice:
  • Good scanners find this reliably, but they often can't tell which upstream device actually terminated TLS
  • Findings on internal-only listeners already imply the attacker is on the inside
Detection/coverage: Excellent scanner coverage. Nessus, Nmap NSE, testssl.sh, and SSlyze all detect this class well; attribution to the real owning component is the harder part.
STEP 02

Negotiate the legacy protocol with openssl, sslyze, or custom clients

The next step is not exploitation yet; it is proving the service will actually talk the deprecated protocol. If SSLv3 is accepted, the attacker still needs a downgradeable client path. If SSLv2 is accepted, the attacker now has the prerequisite for DROWN-style probing against RSA-based deployments.
Conditions required:
  • The server really permits SSLv2 or SSLv3 instead of only legacy-compatible ClientHello formats
  • The attacker can initiate repeated handshakes
Where this breaks in practice:
  • Modern browsers and libraries have removed or disabled these protocols by default
  • Many load balancers expose only TLS even when downstream legacy services exist
Detection/coverage: Protocol support is visible in handshake telemetry and SSL inspection logs if collected, but many orgs only see the final accepted TLS version and not blocked downgrade attempts.
STEP 03

Exploit the weakness with POODLE or DROWN techniques

For SSLv3, the realistic path is a man-in-the-middle downgrade and padding-oracle style abuse, classically POODLE, to recover plaintext such as cookies. For SSLv2, DROWN-style abuse can use specially crafted SSLv2 handshakes to help decrypt intercepted TLS sessions, especially where RSA key exchange or shared keys make the target materially exposed.
Conditions required:
  • SSLv3 path: attacker can modify traffic in transit and influence a victim client session
  • SSLv2 path: the service or a sibling service with the same private key supports SSLv2, and the target uses compatible RSA-based conditions
Where this breaks in practice:
  • This is the decisive brake: MITM position, downgrade success, and protocol-specific cryptographic preconditions are much rarer than simple unauthenticated RCE
  • Perfect Forward Secrecy and modern ECDHE-heavy deployments sharply reduce the practical SSLv2 blast radius
  • Browsers, HSTS, and newer clients reduce fallback behavior that POODLE relied on
Detection/coverage: Low-confidence behavioral detection. You may see repeated odd TLS handshakes, protocol mismatches, or decryption-oracle style retry patterns, but most orgs will not detect a clean proof-driven attack path here.
STEP 04

Turn decrypted traffic into usable access

If the attacker successfully recovers session material or application plaintext, the impact is typically credential theft, cookie theft, or disclosure of sensitive business data traversing the channel. That can be serious on login portals, admin consoles, or legacy middleware, but it is still a second-order outcome after several prerequisites are met.
Conditions required:
  • Sensitive data or reusable tokens traverse the affected channel
  • The decrypted material is still valid and useful to the attacker
Where this breaks in practice:
  • Short-lived cookies, MFA, and app-layer re-authentication reduce the payoff
  • Internal-only services often carry limited-value traffic compared with public auth surfaces
Detection/coverage: Usually indirect. You are more likely to notice suspicious session reuse, stolen cookies, or odd authentication events than the crypto attack itself.
03 · Intelligence Metadata

The supporting signals.

Vendor baselineTenable rates plugin 20007 Critical with CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) on the current plugin page, and Tenable said on 2022-04-04 it was raised from High to Critical.
What the plugin really meansThis is a protocol support detection, not a single CVE or package-version defect. A current server can still trigger it if the listener, reverse proxy, appliance, or OS crypto policy allows SSLv2/SSLv3.
In-the-wild statusThere is historical real-world abuse behind the underlying protocol flaws: SSLv3 is tied to POODLE and SSLv2 to DROWN. I found no CISA KEV listing for this plugin, and this is not the kind of issue usually tracked as an actively exploited, single-CVE internet wormable flaw.
Proof-of-concept availabilityPublic weaponization knowledge is abundant. Tenable references POODLE; the DROWN site and the USENIX paper describe the attack path and economics in detail.
EPSSNot directly applicable to plugin 20007 because EPSS scores CVEs, while this finding is a configuration/protocol exposure bucket. If you map it to underlying history, you are really borrowing threat signal from old CVEs like POODLE or DROWN rather than scoring this finding itself.
KEV statusNot KEV-trackable as-is. CISA KEV catalogs CVEs; this Tenable item is a detection for deprecated protocol support rather than a single KEV candidate.
CVSS reality checkTenable's AV:N/AC:L/PR:N/UI:N framing assumes the worst case. Primary-source CVSS guidance for POODLE shows the opposite shape in practice: high attack complexity and user interaction required because the attacker needs a downgradeable victim session and traffic manipulation.
Affected scopeAny TLS-capable service that still negotiates SSLv2 or SSLv3 is affected. That can include HTTPS, SMTP/IMAP/POP with STARTTLS, LDAPS, VPN portals, appliances, and embedded management planes.
Fixed versions / backportsThere is usually no universal patched version to quote. The fix is to disable SSLv2/SSLv3 negotiation and move to TLS policy that permits only modern protocol versions; distro backports matter only insofar as they expose knobs or crypto-policy packages that enforce that disablement.
Exposure dataTenable stated it identified approximately 5% of servers that support SSL/TLS as still having SSL enabled when it raised severity in 2022. That is big enough to matter operationally, but still far from 'everywhere,' and internal-only findings should be deprioritized versus public auth surfaces.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.6/10)

The single biggest reason this does not deserve a blanket Critical rating is that the practical exploit chain usually requires MITM or protocol-specific cryptographic preconditions, not a direct unauthenticated remote compromise. That sharply narrows both the reachable population and the fraction of real enterprise deployments where exploitation leads to meaningful business impact.

HIGH Downgrade from Tenable Critical to a lower severity
MEDIUM Using MEDIUM as the default bucket across a mixed 10,000-host estate

Why this verdict

  • Vendor score assumes worst-case impact, not real attack friction: Tenable's 9.8 treats deprecated protocol support like straight network compromise, but the common paths are POODLE-style downgrade/MITM or DROWN-style decryption conditions.
  • Attacker position is the major brake: SSLv3 exploitation typically requires a network-on-path position plus a victim session, which implies the attacker is already controlling or intercepting part of the communication path.
  • Exposure population is narrower than the headline suggests: many findings are on internal appliances, legacy middleware, or non-browser services, which means the attacker already has internal access or the traffic value is lower.
  • Modern tooling blocks parts of the chain: browser hardening, HSTS, ECDHE/PFS adoption, SSLv2 removal from libraries, and better TLS defaults all reduce exploitability compared with 2014-2016 assumptions.
  • Still not LOW: if this sits on a public login portal, admin console, or shared-key legacy farm, the confidentiality risk is real and the blast radius can justify elevating those specific assets above the default estate-wide score.

Why not higher?

There is no one-packet remote takeover here. The exploit path usually depends on downgradeability, traffic interception, or RSA/shared-key conditions that are absent in a large share of modern deployments. That combination is too much friction for a default HIGH or CRITICAL rating across an enterprise estate.

Why not lower?

This is not harmless compliance trivia. The protocols are formally deprecated by the IETF, exploitation techniques are well documented, and the finding often lands on exactly the systems that carry credentials and session cookies. On internet-facing auth or admin surfaces, it can quickly graduate from hygiene issue to material confidentiality exposure.

05 · Compensating Control

What to do — in priority order.

  1. Disable SSLv2 and SSLv3 at the edge — Change the TLS policy on the actual termination point first, whether that is the load balancer, reverse proxy, WAF, VPN concentrator, or appliance listener. For a MEDIUM verdict there is no mitigation SLA; fold this into the next routine crypto-hardening change and complete full remediation within 365 days.
  2. Prioritize public auth and admin surfaces — Don't burn cycles treating every internal hit the same. Clear internet-facing login portals, mail/web access gateways, and management consoles first because they are the small subset where the downgrade/decryption path has the best payoff; for the overall MEDIUM bucket there is no mitigation SLA, but those exposed assets should go in the earliest change window.
  3. Break shared-key legacy islands — For SSLv2 specifically, shared certificates or private keys across legacy services can amplify DROWN-style risk. Reissue or segregate keys where needed as part of normal remediation; there is no noisgate mitigation SLA for MEDIUM, but finish the hard fix inside the 365-day remediation window.
  4. Enforce modern cipher and protocol policy centrally — Use OS crypto policy, reverse-proxy templates, or appliance baselines so teams cannot quietly re-enable SSLv3 for 'compatibility'. This prevents reintroduction and is the cleanest way to burn down a broad plugin class within the 365-day remediation window.
What doesn't work
  • Upgrading the application alone does not guarantee closure if the TLS termination point is a load balancer, ADC, or web server module still allowing SSLv2/SSLv3.
  • Relying on MFA does not fix the crypto weakness; it only reduces the payoff if cookies or credentials are stolen.
  • Assuming 'modern clients won't use it' is not sufficient, because the issue is the server's willingness to negotiate the protocol and the resulting downgrade/decryption exposure.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or scanner node that can reach the target service; it does not need to run on the endpoint itself. Invoke it as bash check_ssl_legacy.sh example.com 443; it requires nmap with the ssl-enum-ciphers NSE script and does not require root for standard TCP scanning.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_ssl_legacy.sh
# Detect whether a remote service still negotiates SSLv2 or SSLv3.
# Usage: bash check_ssl_legacy.sh <host> <port>
# Exit codes:
#   0 = VULNERABLE
#   1 = PATCHED
#   2 = UNKNOWN / error

set -u

HOST="${1:-}"
PORT="${2:-}"

if [[ -z "$HOST" || -z "$PORT" ]]; then
  echo "UNKNOWN - usage: bash check_ssl_legacy.sh <host> <port>"
  exit 2
fi

if ! command -v nmap >/dev/null 2>&1; then
  echo "UNKNOWN - nmap is not installed"
  exit 2
fi

TMP_OUT="$(mktemp 2>/dev/null || echo /tmp/check_ssl_legacy.$$)"
trap 'rm -f "$TMP_OUT"' EXIT

# -Pn avoids host discovery issues on filtered networks.
# --script-timeout keeps the check from hanging indefinitely.
if ! nmap -Pn -p "$PORT" --script ssl-enum-ciphers --script-timeout 60s "$HOST" >"$TMP_OUT" 2>&1; then
  echo "UNKNOWN - nmap scan failed"
  cat "$TMP_OUT"
  exit 2
fi

OUTPUT="$(cat "$TMP_OUT")"

# If the script didn't return TLS details, we can't conclude much.
if ! grep -Eq 'ssl-enum-ciphers|TLSv|SSLv' "$TMP_OUT"; then
  echo "UNKNOWN - no SSL/TLS enumeration data returned"
  cat "$TMP_OUT"
  exit 2
fi

if grep -Eq 'SSLv2|SSLv3' "$TMP_OUT"; then
  echo "VULNERABLE - legacy protocol support detected on ${HOST}:${PORT}"
  grep -E 'SSLv2|SSLv3' "$TMP_OUT" | sed 's/^/  /'
  exit 0
fi

if grep -Eq 'TLSv1\.2|TLSv1\.3|TLSv1\.1|TLSv1\.0' "$TMP_OUT"; then
  echo "PATCHED - no SSLv2/SSLv3 support detected on ${HOST}:${PORT}"
  exit 1
fi

echo "UNKNOWN - scan completed but protocol state was inconclusive"
cat "$TMP_OUT"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not let this plugin jump ahead of true unauthenticated RCE or actively exploited KEV items across the estate. Triage all 20007 hits by exposure and business function: move internet-facing login/admin endpoints and shared-key legacy farms into the next change window, then handle the rest as structured crypto debt. For the default MEDIUM reassessment there is no noisgate mitigation SLA — go straight to the 365-day remediation window; use that time to disable SSLv2/SSLv3 centrally at the real TLS termination points and close the long tail without creating emergency churn.

Sources

  1. Tenable Nessus Plugin 20007
  2. Tenable severity change discussion for plugin 20007
  3. RFC 6176: Prohibiting SSL 2.0
  4. RFC 7568: Deprecating SSL 3.0
  5. OpenSSL user's guide to DROWN
  6. DROWN technical paper (USENIX Security 2016)
  7. FIRST CVSS v3.1 example: SSLv3 POODLE
  8. DROWN project site
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.