Hi,
I ran a Trustwave PCI scan on my environment after I had just implemented a new SHA-2 Exchange certificate. I have 2 CAS and 2 DAG Exchange 2010 Std servers. I noticed my 2 DAG and 1 CAS Exchange servers have IE 9 and 1 of my CAS servers has IE 8. Not sure if this is why the scan failed? Also, will upgrading my IE to 11 on all four Exchange servers affect anything?
Below are the details of the failed scan.
#1 Vulnerability SSLv3 Supported
Note to scan customer: SSL v3.0 violates PCI DSS and is considered an automatic failing condition.
Port: tcp/443
This service supports the use of the SSLv3 protocol. The SSLv3 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the SSLv3 protocol no longer meets the definition of strong cryptography.
CVE: CVE-2014-3566
NVD: CVE-2014-3566
CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
Service: microsoft:iis
#2 Vulnerability TLSv1.0 Supported
Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic failing condition.
Port: tcp/443
This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
Service: microsoft:iis
#3 Vulnerability SSL/TLS Weak Encryption Algorithms
Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database.
Port: tcp/443
The SSL-based service running on this host appears to support the use of "weak" ciphers such as:
- Cipher suites that have key-lengths of less than 128 bits.
- Cipher suites using anonymous Diffie-Hellman algorithms (no authentication).
- Cipher suites offering no encryption.
- Cipher suites using pre-shared keys.
- Cipher suites using RC4 or MD5.
Please note that this vulnerability CANNOT be disputed using a Risk Mitigation and Migration plan. This is a separate finding and must be treated as such.
CVE: CVE-2013-2566, CVE-2015-2808
NVD: CVE-2013-2566, CVE-2015-2808
CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N
Service: microsoft:iis
Any suggestions on how to remedy this?
Thanks!
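All three findings describe what Schannel on the Exchange servers offers to clients on tcp/443 (Service: microsoft:iis), so the fix is the server-side Schannel registry configuration, which is shared by IIS and is not changed by the browser version installed. The script below is an added example, not from the post or from Trustwave, that turns off SSL 3.0 and TLS 1.0 on the server side and disables the RC4, DES, NULL and MD5 entries the third finding lists; it assumes Windows Server with Exchange 2010 and that every Exchange server, Outlook client and load balancer in front of the CAS servers can already negotiate TLS 1.1 or 1.2, so test on one server before rolling it out to all four.

```powershell
# Added example: harden Schannel on an Exchange 2010 / IIS server for PCI findings
# SSLv3 Supported, TLSv1.0 Supported and SSL/TLS Weak Encryption Algorithms.
# Assumption: all peers support TLS 1.1/1.2. Run elevated; reboot afterwards,
# because Schannel reads these keys only at service start.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    # Writes Enabled / DisabledByDefault for one protocol. Only the Server side is
    # touched by default, which is what the scanner tests on tcp/443; the Client
    # side stays as-is so outbound SMTP/TLS from the servers is not affected.
    param([string]$Name, [bool]$Enabled, [string[]]$Side = @('Server'))
    foreach ($s in $Side) {
        $key = "HKLM:\$schannelPath\Protocols\$Name\$s"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Force `
            -Value $(if ($Enabled) { 1 } else { 0 }) | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Force `
            -Value $(if ($Enabled) { 0 } else { 1 }) | Out-Null
    }
}

# Findings #1 and #2: disable SSL 3.0 and TLS 1.0, explicitly keep TLS 1.1 and 1.2.
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Finding #3: disable weak cipher and hash entries. These key names contain '/',
# which the PowerShell registry provider treats as a path separator, so the
# .NET registry API is used to create them (it only treats '\' as a separator).
$schannel = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($schannelPath)
$ciphers  = $schannel.CreateSubKey('Ciphers')
foreach ($name in 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                  'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $k = $ciphers.CreateSubKey($name)
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}
$ciphers.Close()

$hashes = $schannel.CreateSubKey('Hashes')
$md5 = $hashes.CreateSubKey('MD5')
$md5.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
$md5.Close(); $hashes.Close(); $schannel.Close()

Write-Host 'Schannel keys written; reboot this server, then re-run the PCI scan.'
```

After the reboot, confirm from another machine that a TLS 1.0 or SSLv3 handshake to port 443 is refused before asking Trustwave to rescan.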