Thursday, January 24, 2013

Nessus Vulnerability: SSL Weak Cipher supported (3071/tcp)

Vulnerability: SSL Medium Strength Cipher Suites Supported - Medium [Nessus] [csd-mgmt-port (3071/tcp)]

Description:
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Fix:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.



The output of the Nessus report shows which ports have been detected as having vulnerabilities. In my case the findings were located on "3071/tcp", with 8 plugins/IDs flagged on this same port. The problem with the report is that it doesn't show you how to fix or resolve the problem other than "Reconfigure the affected application". OK, but which application has the known vulnerability? Just by looking at the details of the report I really couldn't figure out which one was causing the findings.

After a few Google attempts and registry hacks I wasn't making any progress. Then I remembered from my Cisco/networking years (some things you just never forget, slow to recall at times but still there) that each OS tracks which running applications have network sockets open. So, knowing the port I'm looking for is 3071, I jumped onto an XP box (this also applies to Windows 2008/Windows 7), went to the command line and ran "NETSTAT -ano", which lists every process bound to a port along with its PID.

  • Go to the command prompt (Start > Run > cmd)
  • Enter netstat -ano
  • You will get a report of Active Connections
  • Report includes: Protocol, Local Address, Foreign Address, State, PID
  • e.g.

        Proto  Local Address   Foreign Address  State  PID
        UDP    127.0.0.1:3071  *:*                     3071

  • Scroll down through the list until you find x.x.x.x:3071 in the LISTENING state.
  • Write down the PID (process identifier) associated with port 3071 (also note the Local Address, Foreign Address, Protocol and State).

  [Screenshot: Port 3071 Information]

  • Next, start the Windows Task Manager, select the Processes tab and search for the PID you wrote down previously, and voila! That's the application that's causing the vulnerability to be flagged.
  • In my case it was JAVAW.EXE: Dell had loaded a RAID management program that started javaw.exe each time the workstation was started. I simply followed the path to the file and renamed that one particular file to "JAVAW.OLD", restarted the workstation and reran the Nessus scan. The vulnerability was gone and the program continued to function without a problem!

    HOPE THIS HELPS!

    NOTE: The same thing happened on one of my Windows 2008 R2 servers running CA ArcServe. I followed the same steps and AGAIN! Java.exe was the culprit. I renamed "Java.exe" to "Java.old" and CA ArcServe continued to run without a problem.
  • The netstat parameter -s displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6.
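The netstat/Task Manager steps above can be scripted so that the port-to-process lookup also returns the image path and full command line of the owner. The script below is an added example, not code from the original post or from Nessus; it assumes an elevated Windows PowerShell prompt (reading the command line of another user's process needs admin rights) and defaults to port 3071 from the finding above. It parses the text output of netstat -ano rather than using Get-NetTCPConnection so it also runs on the XP/2008-era hosts the post mentions, and it handles UDP rows, which have no State column.

```powershell
# Added example (not from the original post): find the process that owns a
# listening port and show which product launched it.
# Assumptions: run in an elevated Windows PowerShell prompt; $Port defaults to
# the 3071/tcp port from the Nessus finding.
param([int]$Port = 3071)

# Parse netstat -ano text so this also works on XP/2003/2008, which lack
# Get-NetTCPConnection. Rows look like:
#   TCP    0.0.0.0:3071    0.0.0.0:0    LISTENING    1234
#   UDP    127.0.0.1:3071  *:*                       3071
$rows = netstat -ano | Select-String -Pattern (':' + $Port + '\s')

$sockets = foreach ($row in $rows) {
    $f = $row.Line.Trim() -split '\s+'
    # UDP rows have no State column, so the PID is always the last field.
    [pscustomobject]@{
        Proto     = $f[0]
        LocalAddr = $f[1]
        Foreign   = $f[2]
        State     = if ($f[0] -eq 'TCP') { $f[3] } else { 'n/a' }
        OwnerPid  = [int]$f[-1]
    }
}

# The pattern also matches sockets whose *foreign* port is $Port, so keep only
# rows whose local address ends in :$Port (covers 0.0.0.0, 127.0.0.1 and [::]).
$sockets = $sockets | Where-Object { $_.LocalAddr -match (':' + $Port + '$') }

if (-not $sockets) {
    Write-Host "Nothing is bound to port $Port on this host."
    return
}

foreach ($s in ($sockets | Sort-Object OwnerPid -Unique)) {
    $proc = Get-Process -Id $s.OwnerPid -ErrorAction SilentlyContinue

    # Win32_Process supplies the executable path and full command line. The
    # command line is what tells javaw.exe apart from the product that
    # launched it (the jar, main class or service wrapper it was given).
    $wmi = Get-WmiObject Win32_Process -Filter "ProcessId = $($s.OwnerPid)"

    [pscustomobject]@{
        Port        = $Port
        Proto       = $s.Proto
        LocalAddr   = $s.LocalAddr
        State       = $s.State
        OwnerPid    = $s.OwnerPid
        ProcessName = if ($proc) { $proc.ProcessName } else { '(exited)' }
        ImagePath   = if ($wmi)  { $wmi.ExecutablePath } else { '' }
        CommandLine = if ($wmi)  { $wmi.CommandLine } else { '' }
        ParentPid   = if ($wmi)  { $wmi.ParentProcessId } else { '' }
    } | Format-List
}
```

Save it as, say, Find-PortOwner.ps1 and run `.\Find-PortOwner.ps1 -Port 3071`. The CommandLine and ParentPid fields are the part Task Manager alone does not give you: they show which jar, service wrapper or vendor tool started javaw.exe, and therefore which product's SSL/TLS cipher configuration the Nessus "reconfigure the affected application" advice is pointing at.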

1 comment:

  1. Thank you very much for sharing this information Dave, very helpful.