Bernie Weidel

QID 42366 : SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability (CVE-2011-3389)

Discussion created by Bernie Weidel on Nov 20, 2014
Latest reply on Dec 24, 2014 by Jason Johannessen

QID 42366 : SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability (CVE-2011-3389) is reported based on SSLv3.0/TLSv1.0 being detected as enabled with CBC mode. The full recommended solution for QID 42366 is to disable SSLv3.0/TLSv1.0 and use TLSv1.1 or later. If an upgrade to TLS is not currently feasible, a short-term mitigation for QID 42366 would be to avoid using CBC mode within SSLv3.0/TLSv1.0 and instead rely on RC4 suites. (Note that RC4 also has some current insecurities, so the full update to TLSv1.1 or later is strongly recommended.)


You can leverage the free Qualys SSL Labs tool https://www.ssllabs.com/ to run a quick SSL Test and confirm if your system is fully vulnerable, or if the risk has been ‘mitigated’ by removing CBC from SSLv3.0/TLSv1.0. In such cases this can be approved as a PCI False Positive Request, or should no longer be reported during a re-scan.
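As an added illustration (not part of the original post or any Qualys tool), the triage rule the post describes can be expressed as a small Python helper that takes the protocol/cipher-suite pairs a scanner observed and classifies the host as vulnerable, mitigated (RC4-only on the legacy protocols), or remediated (TLSv1.1 or later only). The sample scan results are constructed, and the CBC detection is a heuristic on IANA/OpenSSL suite names, since OpenSSL names such as AES128-SHA omit the word CBC.

```python
"""Triage helper for QID 42366 (CVE-2011-3389, weak CBC mode in SSLv3/TLSv1.0).

Given the protocol/cipher-suite pairs a server negotiated during a scan,
classify the finding the way the post above describes:
  "vulnerable"  - SSLv3/TLSv1.0 is offered with at least one CBC suite
  "mitigated"   - SSLv3/TLSv1.0 is offered, but only with non-CBC (RC4) suites;
                  short-term only, since RC4 has its own weaknesses
  "remediated"  - only TLSv1.1 or later is offered
"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}
# Markers that identify stream ciphers or AEAD modes in IANA or OpenSSL names.
NON_CBC_MARKERS = ("RC4", "CHACHA20", "GCM", "CCM", "NULL")


def is_cbc_suite(suite):
    """Heuristic (assumption): a suite is CBC unless its name marks a
    stream cipher or an AEAD mode. Handles both IANA names
    (TLS_RSA_WITH_AES_128_CBC_SHA) and OpenSSL names (AES128-SHA)."""
    name = suite.upper()
    if "CBC" in name:
        return True
    return not any(marker in name for marker in NON_CBC_MARKERS)


def triage_qid_42366(negotiated):
    """negotiated: iterable of (protocol, cipher_suite) pairs seen by a scan."""
    legacy = [(proto, suite) for proto, suite in negotiated
              if proto in LEGACY_PROTOCOLS]
    if not legacy:
        return "remediated"          # no SSLv3/TLSv1.0 offered at all
    if any(is_cbc_suite(suite) for _, suite in legacy):
        return "vulnerable"          # CBC still reachable on a legacy protocol
    return "mitigated"               # legacy protocol limited to RC4 suites


# Constructed sample scan results (hypothetical hosts, not real scanner output).
SAMPLE_SCANS = {
    "default-server": [("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
                       ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")],
    "rc4-only-on-tls10": [("TLSv1.0", "RC4-SHA"),
                          ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384")],
    "tls11-plus-only": [("TLSv1.1", "AES128-SHA"),
                        ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")],
}

if __name__ == "__main__":
    for host, pairs in SAMPLE_SCANS.items():
        print(f"{host}: {triage_qid_42366(pairs)}")
```

Note that AES128-SHA on TLSv1.1 counts as remediated: the finding is about CBC on SSLv3/TLSv1.0 specifically, not CBC on later protocol versions.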
