tenable:73459 · SSL Certificate Chain Contains RSA Keys Less Than 2048 bits (P...

01 · The Real Story

This is an old padlock on the front gate, not a door that swings open by itself

Tenable plugin 73459 fires when a remote TLS service presents at least one X.509 certificate in the served chain whose RSA modulus is under 2048 bits. That usually means a 1024-bit leaf or intermediate certificate on legacy web admin planes, embedded devices, old Java stacks, or private PKI chains. The plugin is configuration-driven, not product-specific, so there is no affected software version range; the affected population is any endpoint currently serving a weak-RSA certificate chain.

Tenable's MEDIUM label is defensible for compliance and interoperability, but it overstates near-term exploitability for most enterprise patch queues. In the real world, an attacker still needs either a cheap-to-factor key size like 512/768, or a much harder 1024-bit factoring effort plus a man-in-the-middle position, DNS/BGP control, or some other traffic-redirection foothold before this turns into impact. For the common 1024-bit case, this is more often a trust failure and modernization issue than a Monday-morning breach driver.

"Mostly a crypto-hygiene and trust-break problem, not a practical mass-exploitation path."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Enumerate the weak chain with openssl or zgrab2

The attacker connects to the exposed TLS service and captures the presented certificate chain. Tools like openssl s_client, zgrab2, nmap --script ssl-cert, or Censys-style Internet scanning make this trivial for any public endpoint.

Conditions required:

The service must be reachable over the network
TLS must be enabled and present the weak certificate chain

Where this breaks in practice:

Internal-only management planes are not reachable from the Internet
Many findings live on niche appliances, printers, or private PKI services with limited exposure

Detection/coverage: Very high coverage. Nessus, Nmap ssl-cert, Qualys, and basic PKI inventory tooling all detect this cleanly.

STEP 02

Exploit the weak key with CADO-NFS/msieve or a vendor-default cert problem

If the served certificate uses a very small RSA key, the attacker can attempt offline factorization of the public modulus to recover the private key. In the more realistic 1024-bit case, this is not a commodity attack; it is expensive and usually not worth doing unless the target is high-value or the device ships with a known shared/default certificate.

Conditions required:

The weak certificate must use an actually tractable key size or be otherwise reproducible
The attacker must have compute resources or a shared-key shortcut

Where this breaks in practice:

1024-bit RSA is weak by policy but still nontrivial to break in ordinary criminal operations
Most enterprises will never face an attacker willing to spend that effort just for one legacy cert

Detection/coverage: No direct scanner will tell you if the private key has been derived. Detection is indirect: cert reuse, shared cert fingerprints, and anomaly monitoring.

STEP 03

Gain a man-in-the-middle position with ettercap, rogue AP, or DNS/BGP tampering

Possessing the private key does not automatically create impact. The attacker still needs to intercept traffic, redirect clients, or stand up a spoofed endpoint that clients will accept as the legitimate service.

Conditions required:

Attacker must control a network position, name resolution, routing, or client trust path
Victim clients must connect to the spoofed or intercepted service

Where this breaks in practice:

This is a post-initial-access or advanced-position requirement in many enterprise environments
WPA-Enterprise, NAC, managed DNS, HSTS, VPNs, and segmentation raise the bar

Detection/coverage: Medium. DNS logging, ARP anomaly detection, TLS fingerprint drift, and network IDS may catch the interception stage, not the weak cert itself.

STEP 04

Impersonate the service and harvest secrets

With the right position and a usable private key, the attacker can impersonate the remote service to capture credentials or decrypt sessions that rely on certificate authentication. Impact is usually limited to that service or trust domain, not broad host takeover by itself.

Conditions required:

Clients must trust the forged session enough to send credentials or sensitive data
The target application must rely on the compromised certificate for server authentication

Where this breaks in practice:

Modern TLS with ECDHE reduces passive decryption value if the attacker only records traffic later
This does not directly yield code execution on the server

Detection/coverage: Low-to-medium. You are more likely to detect odd cert reuse, cloned endpoints, or auth anomalies than the cryptographic abuse itself.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation evidence found for this Tenable finding class. This is a weak-configuration condition, not a tracked exploit campaign.
CISA KEV	Not applicable. This is not a CVE-backed software flaw, so there is no KEV entry to anchor emergency action.
PoC availability	Enumeration is trivial with `openssl s_client`, `nmap --script ssl-cert`, and `zgrab2`. Exploitation is not turnkey for the common `1024-bit` case; practical abuse usually needs offline factorization tooling like `CADO-NFS` plus a MITM position.
EPSS	N/A. EPSS is CVE-centric and does not meaningfully score a generic weak-certificate finding.
CVSS and what it misses	Tenable scores it `5.3` (`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`). That captures remote reachability, but misses the real friction: weak-key exploitation still needs cryptanalysis and usually traffic interception.
Affected scope	Any TLS service currently presenting an RSA certificate under 2048 bits in the served chain: public web sites, admin portals, load balancers, Java middleware, appliances, printers, and private PKI endpoints.
Fixed state	Reissue the chain with `RSA >= 2048` or move to `ECDSA P-256/P-384`. For public TLS, CA/B baseline rules require RSA modulus size of at least 2048 bits; for Apple trust, sub-2048 RSA TLS certs are not trusted.
Exposure data	Internet exposure exists, but exploitability is uneven. A Concordia/Censys-based measurement found many device classes still used `1024-bit` RSA certs, including `124,918` infrastructure routers (`78%` of that device slice) and `12,974` Alexa Top 1M sites (`2%`) in the studied population. That tells you this is common legacy debt, not rare zero-day tradecraft.
Disclosure / reporting	Tenable published plugin `73459` on 2014-04-10. The issue itself is standards-driven, tied to CA/B and NIST cryptographic transition guidance rather than a single researcher discovering a new exploit.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.1/10)

The decisive downshift is that a weak RSA certificate is not self-executing: for the common 1024-bit case, the attacker still needs substantial cryptanalytic effort and usually a man-in-the-middle position before any business impact appears. This finding also has a narrow blast radius because it affects the trust boundary of the specific TLS service, not direct code execution on the server.

HIGH Generic severity downgrade for the common `1024-bit` enterprise case

MEDIUM Environment-specific urgency if the exposed service is public-facing identity, VPN, or admin infrastructure

LOW Exact exploitability without knowing whether the weak key is `512`, `768`, `1024`, or `1536` bits

Why this verdict

Attacker position required: meaningful abuse usually needs unauthenticated remote reachability plus a second-stage MITM/interception foothold, which compounds downward pressure versus the vendor baseline.
Population narrowing: many hits are on internal-only or low-value appliance interfaces, not Internet-facing crown-jewel apps, so reachable exposure is smaller than the raw scan count suggests.
Exploit friction: 1024-bit RSA is policy-weak, not commodity-broken. The technical finding is real, but the path from detection to attacker payoff is expensive and unreliable for routine criminal activity.

Why not higher?

There is no direct RCE, privilege escalation, or one-packet compromise here. Even after identifying the weak chain, an attacker still has to solve a hard practical problem: derive or otherwise obtain the private key and then control traffic flow or client trust well enough to impersonate the service.

Why not lower?

This is still not noise. Weak RSA in live TLS chains creates compliance exposure, future compatibility breakage, and a real impersonation risk on high-value or interceptable paths, especially on public-facing admin planes and legacy private PKI.

05 · Compensating Control

What to do — in priority order.

Inventory every weak-RSA endpoint — Pull the full set of hosts matching plugin 73459, then tag each by exposure: Internet-facing, internal user-facing, and admin-only. For a LOW verdict there is no SLA, so treat this as backlog hygiene; still, do the inventory in the next routine PKI review so you know which exceptions are on exposed edge systems.
Prioritize edge and admin plane certificates — Rotate public web, VPN, IdP, load balancer, and management-interface certs before low-value internal services because those are the few places where a MITM path is plausible. For LOW, there is no mitigation SLA and no remediation SLA; fold this into the next scheduled certificate maintenance window rather than preempting zero-day work.
Reissue with strong defaults — Standardize issuance templates on RSA 2048/3072 or ECDSA P-256/P-384, and remove legacy CSR scripts that still generate 1024-bit keys. For a LOW finding, do this during normal renewal or platform refresh unless the affected endpoint is public-facing authentication infrastructure.
Harden interception paths — Because this finding only matters when traffic can be redirected or spoofed, keep DNS protections, NAC, Wi-Fi security, HSTS, and segmentation healthy. That reduces the already-limited attack path while you clean up the cert debt in ordinary maintenance cycles.

What doesn't work

Installing a WAF does not fix a weak certificate chain; the cryptographic weakness is in the server identity material, not the HTTP request path.
Disabling old TLS versions alone does not address this finding; you can run TLS 1.2/1.3 and still present a sub-2048 RSA cert.
Relying on 'it's internal only' is weak reasoning by itself; this lowers urgency, but insiders, rogue devices, and post-compromise interception paths still exist.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or jump host that can reach the target TLS service over the network. Invoke it as ./check_weak_rsa_chain.sh example.org 443; no root is required, but openssl must be installed and outbound connectivity to the target host:port is needed.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_weak_rsa_chain.sh
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

HOST="${1:-}"
PORT="${2:-443}"
TIMEOUT_BIN="$(command -v timeout || true)"
OPENSSL_BIN="$(command -v openssl || true)"

if [[ -z "$HOST" ]]; then
  echo "Usage: $0 <host> [port]"
  echo "UNKNOWN"
  exit 2
fi

if [[ -z "$OPENSSL_BIN" ]]; then
  echo "openssl not found"
  echo "UNKNOWN"
  exit 2
fi

TMPDIR="$(mktemp -d 2>/dev/null || mktemp -d -t weakrsa)"
CHAIN_FILE="$TMPDIR/chain.pem"
trap 'rm -rf "$TMPDIR"' EXIT

CONNECT_CMD=("$OPENSSL_BIN" s_client -connect "${HOST}:${PORT}" -servername "$HOST" -showcerts -verify 10)

if [[ -n "$TIMEOUT_BIN" ]]; then
  OUTPUT="$($TIMEOUT_BIN 15 "${CONNECT_CMD[@]}" 2>/dev/null)"
  RC=$?
else
  OUTPUT="$(${CONNECT_CMD[@]} 2>/dev/null)"
  RC=$?
fi

if [[ $RC -ne 0 || -z "$OUTPUT" ]]; then
  echo "Failed to connect or no TLS chain returned from ${HOST}:${PORT}"
  echo "UNKNOWN"
  exit 2
fi

printf '%s
' "$OUTPUT" | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$CHAIN_FILE"

if [[ ! -s "$CHAIN_FILE" ]]; then
  echo "No certificates extracted from TLS handshake"
  echo "UNKNOWN"
  exit 2
fi

awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} {print > ("'$TMPDIR'" "/cert_" n ".pem")}' "$CHAIN_FILE"

FOUND=0
CERTS=0
DETAILS=()

for cert in "$TMPDIR"/cert_*.pem; do
  [[ -f "$cert" ]] || continue
  CERTS=$((CERTS+1))

  PUBINFO="$($OPENSSL_BIN x509 -in "$cert" -noout -text 2>/dev/null)"
  SUBJECT="$($OPENSSL_BIN x509 -in "$cert" -noout -subject 2>/dev/null | sed 's/^subject=//')"

  if echo "$PUBINFO" | grep -q "Public Key Algorithm: rsaEncryption"; then
    BITS="$(echo "$PUBINFO" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n1)"
    if [[ -n "$BITS" ]]; then
      DETAILS+=("RSA ${BITS} bits :: ${SUBJECT}")
      if (( BITS < 2048 )); then
        FOUND=1
      fi
    else
      DETAILS+=("RSA unknown bits :: ${SUBJECT}")
    fi
  else
    ALG="$(echo "$PUBINFO" | sed -n 's/.*Public Key Algorithm: \(.*\)$/\1/p' | head -n1 | xargs)"
    DETAILS+=("${ALG:-non-RSA} :: ${SUBJECT}")
  fi
done

if (( CERTS == 0 )); then
  echo "No parsed certificates found"
  echo "UNKNOWN"
  exit 2
fi

printf '%s
' "${DETAILS[@]}"

if (( FOUND == 1 )); then
  echo "VULNERABLE"
  exit 1
else
  echo "PATCHED"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not let this displace active-exploitation work. For a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA; treat it as backlog hygiene, but immediately sort the findings so public-facing sites, VPNs, IdPs, and appliance admin planes get moved into the next scheduled PKI maintenance window, while the rest can ride normal certificate renewal. If you discover any 512/768-bit keys or a weak cert on a crown-jewel externally exposed auth surface, break glass and accelerate that specific host outside the normal queue.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.