SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability https (443/tcp)


I am working on solving this issue on my Windows Server 2008 with IIS 7.0. Please guide me to a new solution. The solutions which are posted don't help.
Thanks in advance.
0
Asked by: exchange_experts
1 Solution
 
arnold Commented:
Unfortunately, you did not include the solutions/recommendations you found, so it is hard to say what you tried that did not work.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/6cc4d577-fb22-4765-ad91-0c4ad46474fd

The issue deals with a specific cipher. The workaround deals with excluding CBC-based ciphers from being at the top of the secure connection negotiation.

From links in the document referenced in the link above:
Microsoft released an update.
http://technet.microsoft.com/en-us/security/bulletin/ms12-006
http://support.microsoft.com/kb/2643584
0
 
exchange_experts (Author) Commented:
Thanks for your reply, Mr. Arnold. I have added an extra record as given in the link (http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/6cc4d577-fb22-4765-ad91-0c4ad46474fd)
and I have ordered the ciphers as given in the link (http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx). I used workaround solution No. 1 under "Server side fix".
But my issue is yet to be solved. Please help.
0
 
arnold Commented:
What is the issue?
A scanning tool is to make you aware of an issue; it is up to you to determine whether the risk pointed out is a risk you can tolerate.
Excluding all CBC will solve the vulnerability detection, and might stop some clients from being able to access your web site.
0
 
exchange_experts (Author) Commented:
"SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability https (443/tcp)": this is my issue, and the risk factor is medium.
Could you please let me know how I should exclude all CBC to clear the vulnerability?
Awaiting your response.
0
 
arnold Commented:
The links previously listed included regedit directions to remove encryption options that are CBC-based. The notice included a warning that it could prevent clients from being able to access your site.
Another reference, from a link provided earlier:
http://support.microsoft.com/kb/2643584
Were the MS-released updates applied?
The link below deals with excluding ciphers.
http://support.microsoft.com/kb/245030
0
 
exchange_experts (Author) Commented:
It has been mentioned that "It could prevent clients from being able to access your site." Is that the only way I can fix the "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability https (443/tcp)" issue?
There are two MS updates, one for IE and one for Windows-based servers, so should I apply both?
0
 
arnold Commented:
Yes.
0
 
exchange_experts (Author) Commented:
Please let me know how I should include the excluded ciphers again.
0
 
arnold Commented:
You would modify the registry and add back the groups corresponding to the cipher.
0
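
The trade-off discussed in this thread, moving CBC-based suites down the server's preference order versus excluding them, modelled as an added example that is not part of the original thread or of any linked Microsoft guidance. The suite order, the client profiles and all function names are constructed for illustration, and the model assumes the server picks its first-preferred suite that the client also offers.

```python
# Added example; every suite list and client name below is constructed sample data.

SERVER_ORDER = [  # constructed server preference order with CBC suites on top
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
CLIENTS = {  # constructed client offers; client_b offers CBC suites only
    "client_a": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"],
    "client_b": ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
}

def is_cbc(suite):
    """True when the suite name carries a CBC token (e.g. ..._AES_128_CBC_SHA)."""
    return "CBC" in suite.split("_")

def deprioritize_cbc(order):
    """Move CBC suites below all others, keeping relative order in each group."""
    return [s for s in order if not is_cbc(s)] + [s for s in order if is_cbc(s)]

def exclude_cbc(order):
    """Drop CBC suites from the server's list entirely."""
    return [s for s in order if not is_cbc(s)]

def negotiate(server_order, client_suites):
    """Return the server's first-preferred suite the client offers, else None."""
    offered = set(client_suites)
    return next((s for s in server_order if s in offered), None)

def assess(server_order, clients):
    """Map client -> (negotiated suite, 'CBC' | 'non-CBC' | 'no common suite')."""
    report = {}
    for name, suites in clients.items():
        chosen = negotiate(server_order, suites)
        if chosen is None:
            report[name] = (None, "no common suite")
        else:
            report[name] = (chosen, "CBC" if is_cbc(chosen) else "non-CBC")
    return report

if __name__ == "__main__":
    for label, order in [("original", SERVER_ORDER),
                         ("CBC deprioritized", deprioritize_cbc(SERVER_ORDER)),
                         ("CBC excluded", exclude_cbc(SERVER_ORDER))]:
        print(label)
        for client, (suite, status) in assess(order, CLIENTS).items():
            print(f"  {client}: {suite} [{status}]")
```

With CBC suites only moved down, client_b still negotiates a CBC suite; with them excluded, client_b has no common suite, which is the access problem arnold warns about. The only non-CBC suites in this sample are RC4, which RFC 7465 has since prohibited in TLS, so the model shows the trade-off rather than a recommended cipher list.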
