← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:31705 · Disclosed 2007-05-09

SSL Anonymous Cipher Suites Supported

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a lock on the door that only fails if someone is already standing in the hallway with a fake keyring

This finding means a TLS service still advertises anonymous key-exchange cipher suites such as ADH or AECDH under SSL/TLS versions up to 1.2. Those suites encrypt traffic but do not authenticate the server, so a client that negotiates them has no cryptographic proof it is talking to the right endpoint. Historically, this mapped to Apache Tomcat 4.1.28-4.1.31, 5.0.0-5.0.30, and 5.5.0-5.5.17 via CVE-2007-1858, but in practice the plugin catches a broader misconfiguration pattern on any TLS service that still offers aNULL suites.

Vendor scoring overstates the operational urgency for most enterprises. The bug is real, but exploitation usually requires man-in-the-middle position plus a client willing to negotiate anonymous suites, and modern browsers, current OpenSSL defaults, Apache mod_ssl, and TLS 1.3 all push hard against that path. For a 10,000-host environment, this is usually TLS hygiene, not an incident-response-grade patch.

"Real risk only appears if an attacker is already on-path and a client still accepts anonymous TLS suites."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Enumerate the exposed TLS service

An attacker starts with nmap --script ssl-enum-ciphers or a direct openssl s_client -cipher aNULL probe to confirm the service accepts anonymous key exchange. This is pure remote enumeration and does not require credentials.
Conditions required:
  • Network reachability to the TLS service
  • Service is using TLS 1.0/1.1/1.2 or older stack behavior
  • Server still advertises aNULL suites
Where this breaks in practice:
  • TLS 1.3 does not use these suites
  • Many server baselines already exclude aNULL by default
  • Internet-wide search engines do not fingerprint this cleanly without active handshake probing
Detection/coverage: Excellent active-scan coverage from Nessus and nmap ssl-enum-ciphers; weak passive coverage unless you log negotiated cipher suites at the server or proxy.
STEP 02

Gain on-path position

The attacker then needs a man-in-the-middle foothold using tools like ettercap, a rogue AP, ARP spoofing, compromised gateway infrastructure, or upstream network control. Tenable explicitly notes this is easier on the same physical network.
Conditions required:
  • Attacker can intercept or redirect client traffic
  • Target communication path is not already strongly segmented or protected by trusted middleboxes
Where this breaks in practice:
  • This is a post-positioning requirement, not a clean unauthenticated remote exploit
  • Enterprise Wi-Fi protections, NAC, switch features, VPNs, and managed network controls often block or limit commodity MITM paths
  • The attacker must be on the path at the right time for the target session
Detection/coverage: Variable. Network IDS, switch telemetry, rogue AP detection, and ARP inspection may catch the positioning attempt; the TLS misconfiguration itself will not.
STEP 03

Rely on a client that still offers anonymous suites

Even with MITM, the attack only works if the client is willing to negotiate ADH/AECDH. Modern mainstream clients usually exclude aNULL, so the attacker often needs a legacy application, outdated JVM, custom embedded client, or a badly tuned crypto policy.
Conditions required:
  • A connecting client still offers anonymous TLS suites
  • No stricter client-side crypto policy blocks aNULL
Where this breaks in practice:
  • This is the single biggest severity suppressor
  • Modern browser fleets generally do not negotiate these suites
  • Many enterprise-managed runtimes and reverse proxies already reject anonymous key exchange
Detection/coverage: Hard to prove centrally unless you capture negotiated cipher suites from server logs, TLS inspection points, or packet capture.
STEP 04

Proxy and tamper with traffic

If the handshake lands on an anonymous suite, the attacker can relay traffic with a TLS proxy such as sslsplit or a custom OpenSSL-based interceptor. At that point confidentiality and integrity assumptions collapse because the client never authenticated the server in the first place.
Conditions required:
  • MITM position remains stable
  • Anonymous handshake actually succeeds
Where this breaks in practice:
  • Blast radius is limited to the specific client sessions the attacker can intercept
  • No direct server-side code execution or persistence comes from this finding alone
Detection/coverage: Application anomalies, duplicate sessions, proxy artifacts, and unexpected cipher-suite telemetry may reveal abuse; most endpoint products will not flag the server misconfiguration itself.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo current active exploitation signal. CISA KEV has no entry for this issue class, and Tenable states no known exploits are available for the mapped record.
Proof-of-concept availabilityTrivial to reproduce in a lab. No flashy RCE exploit is needed; openssl s_client -cipher aNULL and nmap ssl-enum-ciphers are enough to validate exposure.
EPSSN/A. EPSS is a CVE-based model from FIRST; this plugin is primarily a configuration finding, even though Tenable loosely maps it to CVE-2007-1858.
KEV statusNot listed in the CISA KEV catalog; no date added, no ransomware-use flag.
CVSS and what it impliesTenable shows CVSS v3 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N and CVSS v2 2.6 LOW sourced from CVE-2007-1858. The important part is AC:H: the attacker still needs favorable conditions, typically MITM plus legacy client support.
Affected version rangesBroadly, any TLS service that still offers aNULL/anonymous DH or ECDH suites under TLS 1.2 or earlier. The historical software range in the mapped CVE is Apache Tomcat 4.1.28-4.1.31, 5.0.0-5.0.30, 5.5.0-5.5.17.
Fixed versions / config stateHistorical Tomcat fixes landed by 4.1.32 / 5.0.31 / 5.5.18. More generally, the fix is configuration: remove aNULL from the enabled cipher string, e.g. explicit !aNULL; Apache mod_ssl documentation notes aNULL, eNULL, and EXP are always disabled there.
Protocol realityTLS 1.3 deprecated anonymous DH suites and cannot negotiate TLS 1.2 cipher suites. This sharply narrows modern exposure to older protocol stacks and legacy compatibility settings.
Scanning / exposure dataThis is scanner-friendly but census-unfriendly. Nessus and nmap detect it well with active handshakes, but there is no clean Shodan/Censys/FOFA banner fingerprint for "supports aNULL" without enumerating server ciphers.
Disclosure / provenanceThe mapped CVE was disclosed on 2007-05-09 per Tenable/NVD. Apache Tomcat changelog entries show the default cipher-set behavior was corrected so non-confidential and non-authenticated suites were no longer used by default.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to LOW (2.8/10)

The decisive factor is attacker position requirement: this is usually a man-in-the-middle problem, not a direct remote compromise path. The second big limiter is client reality — most modern enterprise clients will not negotiate anonymous TLS suites, which collapses the reachable population fast.

HIGH Severity downgrade driven by MITM and legacy-client prerequisites
MEDIUM CVE mapping precision, because the plugin detects a general TLS misconfiguration but borrows scoring from historical Tomcat CVE-2007-1858

Why this verdict

  • Requires on-path access: the attacker usually needs LAN/Wi-Fi/gateway position before the weakness matters, which is compounding downward pressure on severity
  • Requires a legacy client offer: modern browsers and current TLS libraries commonly exclude aNULL, so the exposed population is much smaller than a raw network-scannable bug suggests
  • No direct host takeover: successful abuse compromises session confidentiality/authentication for intercepted traffic, but it does not by itself yield code execution or durable server compromise

Why not higher?

This is not a clean unauthenticated remote exploit against the server. The chain needs both network interception and a client willing to negotiate anonymous suites, and both assumptions fail in a lot of modern enterprise estates. That combination is too much real-world friction for HIGH or CRITICAL.

Why not lower?

It is still a genuine cryptographic exposure, especially on flat internal networks, legacy app segments, appliances, and unmanaged clients. If a compatible client exists and an attacker gets on-path, TLS server identity protection is gone. That is more than paperwork, so IGNORE is too soft.

05 · Compensating Control

What to do — in priority order.

  1. Remove aNULL from cipher policy — Explicitly exclude anonymous suites at the service, proxy, or platform crypto-policy layer so the issue disappears regardless of certificate state. For a LOW finding there is no SLA — treat as backlog hygiene and fold it into the next TLS baseline update.
  2. Prioritize internet-facing and shared-network services — Start with externally reachable systems, guest/shared Wi-Fi segments, and legacy internal apps where on-path interception is more plausible. For LOW, there is no mitigation SLA; clean these up during normal hardening rather than interrupting emergency patch lanes.
  3. Log negotiated cipher suites — If your reverse proxy, load balancer, or web tier can log the negotiated TLS cipher, turn it on temporarily to spot any real client dependency on anonymous suites before you change policy. For LOW, do this opportunistically as part of routine crypto hygiene.
  4. Reduce legacy protocol exposure — Where possible, prefer TLS 1.2/1.3-only policies and retire compatibility modes that keep old cipher negotiation alive. This is a structural cleanup task, so for LOW it belongs in normal engineering backlog, not emergency change windows.
What doesn't work
  • Rotating or replacing certificates alone does not help; anonymous suites bypass server-authentication entirely.
  • EDR on the server does not mitigate the core problem; the weakness is in TLS negotiation before application trust is established.
  • Relying on "strong encryption" labels misses the point; anonymous DH can still encrypt while failing authentication, which is the real bug.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or scanner host that can reach the target TLS port directly. Invoke it as ./check_anonymous_tls.sh app.example.com 443 with no special privileges; it tests direct TLS sockets only, not STARTTLS protocols.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_anonymous_tls.sh
# Detect whether a TLS service accepts anonymous cipher suites (aNULL).
# Usage: ./check_anonymous_tls.sh <host> <port>
# Exit codes: 0=VULNERABLE, 1=PATCHED, 2=UNKNOWN

set -u

HOST="${1:-}"
PORT="${2:-}"

if [[ -z "$HOST" || -z "$PORT" ]]; then
  echo "UNKNOWN - usage: $0 <host> <port>" >&2
  exit 2
fi

if ! command -v openssl >/dev/null 2>&1; then
  echo "UNKNOWN - openssl not found" >&2
  exit 2
fi

# Make sure the local OpenSSL build actually has anonymous ciphers compiled in.
if ! openssl ciphers 'aNULL:@SECLEVEL=0' >/dev/null 2>&1; then
  echo "UNKNOWN - local OpenSSL cannot test aNULL suites" >&2
  exit 2
fi

probe() {
  local proto="$1"
  local out rc
  out="$(timeout 10 openssl s_client -connect "${HOST}:${PORT}" -servername "$HOST" -cipher 'aNULL:@SECLEVEL=0' "$proto" < /dev/null 2>&1)"
  rc=$?

  # Success indicators: handshake completed and a real cipher was selected.
  if [[ $rc -eq 0 ]] && grep -Eq 'Cipher is [A-Za-z0-9_-]+' <<<"$out" && ! grep -Eq 'Cipher is \(NONE\)|no cipher match|handshake failure|no shared cipher' <<<"$out"; then
    echo "VULNERABLE - ${HOST}:${PORT} accepted anonymous cipher suite with ${proto#-}"
    return 0
  fi

  return 1
}

# Test TLS versions where anonymous suites are relevant.
for proto in -tls1 -tls1_1 -tls1_2; do
  if probe "$proto"; then
    exit 0
  fi
done

# If all probes failed cleanly, treat as patched/non-vulnerable.
echo "PATCHED - ${HOST}:${PORT} did not accept anonymous cipher suites in tested TLS modes"
exit 1
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: verify whether these findings are concentrated on internet-facing endpoints, legacy Java/Tomcat stacks, appliances, or flat internal segments; if not, do not burn your emergency patch lane on them. For a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA — treat as backlog hygiene; document the rationale now, then remove aNULL support in the next normal TLS-hardening cycle and validate with an active cipher scan after the change.

Sources

  1. Tenable Nessus Plugin 31705
  2. NVD CVE-2007-1858
  3. Apache Tomcat 5.5 changelog
  4. OpenSSL cipher string documentation
  5. RFC 5246 - TLS 1.2
  6. RFC 8446 - TLS 1.3
  7. Apache mod_ssl documentation
  8. Nmap ssl-enum-ciphers script documentation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.