
SSL Pulse - CVE-2014-0224

Question asked by Robbie Roberts on Oct 29, 2014
Latest reply on Oct 29, 2014 by Ivan Ristić

We use A10 load balancers to offload our SSL. The SSL test against our URL shows we are vulnerable to this; however, I spoke to the A10 team to obviously find out their proposed fix. A few days later I got the response below. They seem to have provided a fix, but the SSL test still sees us as vulnerable. Could someone take a look please? I am more than happy to privately provide the URL and some traces if required.

From A10:

Regarding your security scan, after analyzing your trace and researching past cases, we noticed this is a known behavior.

Essentially, most SSL scanners look for the Fatal Alert message in response to the ChangeCipherSpec issue.

I tested this on an existing server I have, the OpenSSL on that does indeed send a Fatal Alert.

However, the A10 Thunder version of OpenSSL, which is patched by our developers here, will send a FIN packet to the client if it sends the ChangeCipherSpec incorrectly or out of order.

Some SSL testers don’t seem to accept this, even though it is valid against the vulnerability.

Would it be possible to find a tester that accepts this behavior? Try that and see if it passes your site.
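As an added example, not code from the original thread or from A10 or Qualys: a minimal Python probe that does what the A10 reply describes a CCS-injection scanner doing. It sends a TLS 1.0 ClientHello, reads the server's first flight, sends a ChangeCipherSpec before any key exchange has happened, and classifies the reaction into the three cases discussed in the thread: a fatal alert (the OpenSSL fix for CVE-2014-0224 answers an early CCS with unexpected_message), a bare FIN with no alert (seen by the client as EOF), or the handshake simply carrying on. The host name passed to probe(), the single cipher suite offered and the fixed client random are assumptions for illustration; the record byte strings used in the tests are constructed, not captured traffic.

```python
"""Minimal early-ChangeCipherSpec (CVE-2014-0224) probe and response classifier.

Added example; not the code of any scanner or of the A10 patch. The live probe()
targets an assumed host and is only for systems you are authorised to test.
"""
import socket
import struct

TLS_1_0 = b"\x03\x01"
REC_CCS, REC_ALERT, REC_HANDSHAKE = 0x14, 0x15, 0x16
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               40: "handshake_failure", 70: "protocol_version"}


def client_hello_record() -> bytes:
    """TLS 1.0 ClientHello offering one RSA suite (constructed; fixed client random)."""
    body = (
        TLS_1_0
        + b"\x00" * 32                          # client random (fixed for a probe)
        + b"\x00"                               # session id length 0
        + struct.pack("!H", 2) + b"\x00\x2f"    # TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                           # one compression method: null
    )
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return bytes([REC_HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(hs)) + hs


def ccs_record() -> bytes:
    """A ChangeCipherSpec record; sent before any key exchange it is out of order."""
    return bytes([REC_CCS]) + TLS_1_0 + b"\x00\x01\x01"


def read_record(sock: socket.socket) -> bytes:
    """Read one TLS record; return b'' if the peer closed (FIN) before completing one."""
    hdr = b""
    while len(hdr) < 5:
        chunk = sock.recv(5 - len(hdr))
        if not chunk:
            return b""
        hdr += chunk
    (length,) = struct.unpack("!H", hdr[3:5])
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            return b""              # truncated record: treat as closed
        body += chunk
    return hdr + body


def classify_ccs_response(record: bytes) -> str:
    """Map the server's reaction to an early CCS onto the cases in the thread."""
    if not record:
        return "closed"             # FIN with no alert: the behaviour A10 describes
    rtype = record[0]
    if rtype == REC_ALERT and len(record) >= 7:
        level, desc = record[5], record[6]
        name = ALERT_NAMES.get(desc, str(desc))
        return f"{'fatal' if level == 2 else 'warning'}_alert:{name}"
    if rtype == REC_HANDSHAKE:
        return "handshake_continued"   # early CCS accepted without complaint
    return f"unexpected_record:{rtype:#x}"


def verdict(classification: str) -> str:
    """Scanner decision: any rejection (alert or bare FIN) means the early CCS was refused."""
    if classification in ("closed", "warning_alert:close_notify") or classification.startswith("fatal_alert"):
        return "not vulnerable (early CCS rejected)"
    if classification == "handshake_continued":
        return "likely vulnerable (early CCS accepted)"
    if classification == "silent":
        return "no rejection observed; unpatched OpenSSL stays silent here, follow up before concluding"
    return "inconclusive"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live probe against an assumed target: ClientHello, drain the server flight, early CCS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello_record())
        while True:                     # read ServerHello ... ServerHelloDone
            rec = read_record(s)
            if not rec or rec[0] != REC_HANDSHAKE:
                return verdict(classify_ccs_response(rec))
            if rec[-4:] == b"\x0e\x00\x00\x00":   # ServerHelloDone ends the flight
                break
        s.sendall(ccs_record())
        try:
            return verdict(classify_ccs_response(read_record(s)))
        except socket.timeout:
            return verdict("silent")
```

A tester that only pattern-matches the alert record would report the FIN case as "no rejection seen"; treating EOF as a rejection in classify_ccs_response() is the behaviour the A10 reply is asking a tester to have. The pure functions run offline; probe() only belongs against hosts you are authorised to test.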
