Vulnerability scans of the ACOS management interface indicate that the HTTPS service support TLS sessions using TLS 1.0 protocol which is no longer considered capable of providing a sufficient level of security TLS sessions or complying with contemporary PCI (Payment Card Industry) security standards . CVE-2011-3389 (aka BEAST attack) is a commonly referenced CVEs for this issue as the commonplace mitigation for this vulnerability is to disable TLS 1.0 support. Accordingly, the following vulnerabilities are addressed in this document.
|1||tlsv1_0-enabled||Rapid7||4 Severe||TLS Server Supports TLS version 1.0 |
|2||QID: 38628||Qualys||3 Serious||SSL/TLS Server supports TLSv1.0 |
|3||CVE-2011-3389||CVSS 2.0||4.3 Medium||HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) |
The table below indicates releases of ACOS exposed to these vulnerabilities and ACOS releases that address these issues or are otherwise unaffected by them.
Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.
|Releases Affected||Releases Resolved or Unaffected|
|4.1.2, 4.1.1 (a)|
|3.1.0-P1 – 3.1.4||3.1.4-P1|
|3.2.0 – 3.2.1-P1||3.2.2-P1|
|2.8.2 – 2.8.2-P8||2.8.2-P9 (b), 4.1.2 (a, c)|
|2.7.2 – 2.7.2-P10||2.7.2-P11 (b), 4.1.0 (a, c), 4.1.1 (a, c)|
|2.7.1-GR1 – 2.7.1-GR1-P1||2.7.2-P11 (b), 4.1.0 (a, c), 4.1.1 (a, c)|
|2.6.1-GR1 – 2.6.1-GR1-P16||2.7.2-P11 (b), 4.1.0 (a, c), 4.1.1 (a, c)|
(a) Including all updates to the release(s).
(b) Partial Remediation. TLS 1.0, 1.1, and 1.2 are supported.
(c) Full Remediation. TLS 1.2 only is supported.
With the 2.7.2 and 2.8.2 resolved releases, the ACOS HTTPS management service additionally supports TLS 1.1 and 1.2 protocols. These releases continue to support the TLS 1.0 protocol to avoid impacting existing deployment environments with management applications dependent on this cipher.
To fully overcome vulnerability exposures associated with the TLS 1.0 protocol, the ACOS 4.1 resolved or unaffected releases are available for upgrade.
Common security best practices in the industry for network appliance management and control planes can enhance protection against remote malicious attacks. Limit the exploitable attack surface for critical, infrastructure, networking equipment through the use of access lists or firewall filters to and from only trusted, administrative networks or hosts.
Software updates that address these vulnerabilities are or will be published at the following URL:
The following table shares brief descriptions for the vulnerabilities addressed in this document.
|tlsv1_0-enabled||The PCI (Payment Card Industry) Data Security Standard requires a minimum of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard requires a minimum of TLS v1.1 and recommends TLS v1.2.|
|QID: 38628||TLS is capable of using a multitude of ciphers (algorithms) to create the public and private key pairs.
For example if TLSv1.0 uses either the RC4 stream cipher, or a block cipher in CBC mode.
RC4 is known to have biases and the block cipher in CBC mode is vulnerable to the POODLE attack.
TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a means by which a TLS implementation can downgrade the connection to SSL v3.0, thus weakening security.
A POODLE-type (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) attack could also be launched directly at TLS without negotiating a downgrade.
This QID will be marked as a Fail for PCI as of November 1st, 2016 in accordance with the new standards. For existing implementations, Merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation and Migration Plan, which will result in a pass for PCI up until June 30th, 2018.
Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and Early TLS v1.1 (https://community.qualys.com/message/34120).
|Ref #||General Link|
|||Rapid7: TLS Server Supports TLS version 1.0|
|||QID 38628 - Server Supports TLS 1 Severity 3|
|||PCI Security Standards Council - Information Supplement - Migrating from SSL and Early TLS|
|||NIST NVD, CVE-2011-3389|