Leonardo Barbosa

SSL/TLS Server supports TLSv1.0 port 443

Discussion created by Leonardo Barbosa on Jan 11, 2017
Latest reply on Jan 12, 2017 by Ian Johnson

Hello All

 

We were unable to resolve the vulnerability on our servers, how could we proceed with this anyone has any solution for it?

 

SSL/TLS Server supports TLSv1.0      port 443 and  80

 

 

 

We cant disable TLSv1.0 on windows server how could we proced with it?

 

3 SSL/TLS Server supports TLSv1.0 port 443/tcp over SSL

QID: 38628

Category: General remote services

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Service Modified: 07/14/2016

User Modified: -

Edited: No

PCI Vuln: No

Ticket State:

THREAT:

TLS is capable of using a multitude of ciphers (algorithms) to create the public and private key pairs.

For example if TLSv1.0 uses either the RC4 stream cipher, or a block cipher in CBC mode.

RC4 is known to have biases and the block cipher in CBC mode is vulnerable to the POODLE attack.

TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a means by which a TLS implementation can downgrade the connection to

SSL v3.0, thus weakening security.

A POODLE-type (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) attack could also be launched directly at TLS without negotiating a

downgrade.

This QID will be marked as a Fail for PCI as of November 1st, 2016 in accordance with the new standards. For existing implementations,

Merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation and Migration Plan, which will

result in a pass for PCI up until June 30th, 2018.

Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and Early TLS v1.1 (https://community.qualys.com/message/34120)

IMPACT:

An attacker can exploit cryptographic flaws to conduct man-in-the-middle type attacks or to decryption communications.

For example: An attacker could force a downgrade from the TLS protocol to the older SSLv3.0 protocol and exploit the POODLE vulnerability, read

secure communications or maliciously modify messages.

A POODLE-type (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) attack could also be launched directly at TLS without negotiating a

downgrade.

SOLUTION:

Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.

COMPLIANCE:

Not Applicable

EXPLOITABILITY:

There is no exploitability information for this vulnerability.

Scan Results page 82

ASSOCIATED MALWARE:

There is no malware information for this vulnerability.

RESULTS:

TLSv1.0 is supported

Outcomes