
Verifying if VA scan's vulnerabilities are false positives

sunhux asked on
Security, Vulnerabilities, SSL / HTTPS, Network Security, tls/ssl
We run our McAfee Vulnerability Mgr scan against a Windows 2012 R2 & the report
indicated it's a Win 2016 (which I don't know why the wrong OS is given) & it gives 3
vulnerabilities below (which my Wintel colleague says are not applicable for Win2012
R2) which I'm trying to verify if they are false positives.

Without installing any tool on the server, how can I verify if they're false +ves :

1) SSLv3 Information Disclosure Vulnerability [FID 17281]
2) TLS/SSL RC4 Cipher Suites Information Disclosure Vulnerability [FID 18179]
3) SSL/TLS Protocol Triple-DES Information Disclosure Vulnerability [FID 20465]

I have openssl client on my laptop but I can run it against that server as the
firewall blocks tcp443 from my laptop to that server :
   openssl s_client -connect that_server_IP:443

I'm also not allowed to install any tool on other servers in the same subnet
as that server; so are there any native (i.e. built-in) ways to check?