AnsweredAssumed Answered

Qualys Cloud Agent - QID to identify TLS 1.0

Question asked by Chris Johnson on Apr 22, 2018
Latest reply on May 15, 2018 by Tobias Voegele

Does anyone know if Qualys created a QID to identify cloud agents that will be impacted by the upcoming TLS 1.0 deprecation listed on the login page? Also, I noticed the bulletin has changed, it did include information on Windows 7 and 2008 R2 updates required. Can qualys confirm what must be done of each OS? I included a list of common WIndows OS and what I think the bulletin is saying, can someone confirm?

 

From the bulletin:

Cloud Agent Windows utilizes cryptographic protocol support provided by the Windows operating system.  Older Windows operating system (including Windows XP, Embedded Standard, Server 2003/SP2, Server 2008/SP1/SP2, and potentially others if explicitly configured) do not have TLS 1.1+ support on the operating system for Cloud Agent to utilize.

 

Example OS's

 

OK per Bulletin, no change required
Microsoft Windows 10 Enterprise
Microsoft Windows 10 Enterprise 10.0.14393 N/A Build 14393
Microsoft Windows 10 Enterprise 10.0.16299 N/A Build 16299
Microsoft Windows 7 Enterprise
Microsoft Windows 7 Enterprise 6.1.7601 Service Pack 1 Build 7601
Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601
Microsoft Windows Server 2008 R2 Datacenter 6.1.7601 Service Pack 1 Build 7601
Microsoft Windows Server 2008 R2 Enterprise 6.1.7601 Service Pack 1 Build 7601
Microsoft Windows Server 2008 R2 Standard 6.1.7601 Service Pack 1 Build 7601
Microsoft Windows Server 2012 R2 Datacenter
Microsoft Windows Server 2012 R2 Datacenter 6.3.9600 N/A Build 9600
Microsoft Windows Server 2012 R2 Standard
Microsoft Windows Server 2012 R2 Standard 6.3.9600 N/A Build 9600

 

NOT OK Per Bulletin, must be updateed/patched to support TLS 1.1+
Microsoft Windows Embedded Standard 6.1.7601 Service Pack 1 Build 7601
Microsoft(R) Windows(R) Server 2003, Standard Edition 5.2.3790 Service Pack 2 Build 3790

 

I did find the following QID and ran them in asset view and found all our Windows 7 machines are reporting on the TLS 1.1/1.2 missing QID 91445

 

38628 - SSL/TLS Server supports TLSv1.0
vulnerabilities.vulnerability.qid:(38628) and tags.name:cloud agent

 

91282 - Microsoft RDS support for TLS 1.1 and TLS 1.2 Missing (KB3080079)
vulnerabilities.vulnerability.qid:(91282) and tags.name:cloud agent

 

91445 - Microsoft WinHTTP support for TLS 1.1 and TLS 1.2 Missing (KB3140245)
vulnerabilities.vulnerability.qid:(91445) and tags.name:cloud agent

 

91446 - Microsoft Windows support for TLS 1.1 and TLS 1.2 Missing (KB4019276)
vulnerabilities.vulnerability.qid:(91446) and tags.name:cloud agent

Outcomes