Skip navigation
3840 Views 1 Reply Latest reply: Apr 18, 2012 5:54 PM by Bernie Weidel RSS
Juan López Lurker 1 posts since
Mar 16, 2011
Currently Being Moderated

Apr 16, 2012 1:25 PM

SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability - PASS

I havea doubt, why qualys give me a compliance to this vulnerability(CVE-2011-3389 and QID:42366) If this CVE is equal to CVSS 4.3?

Or maybe this is a Brute Force?  But this attack not results in a password lockout.

Other is that is a vulnerability of the client-side but why qualys give me a mitigation for the server?

Tksin advanced.


  • Bernie Weidel Level 2 79 posts since
    Jul 29, 2011

    We are currently performing an in-depth review of this QID to determine the appropriate PCI Status. I believe it will probably be marked as a PCI Failure in the near future. You may want to start investigating possible remediation steps if possible.

     

    You are correct in that this is basically a client side attack (which could play into the PCI Scoring as well), howerver since the risk could allow impersonation of the legitimate user session, this would still need to be remediated on the Server Side, to not allow the weak CBC Mode usage. Security Best Practices indicates Security should be enforced on the Server Side, as you shouldnt rely upon the End User to provide their own security.

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 6 points