Background:

As of July 1, 2018, SSL and early TLS (SSLv3 and TLS 1.0) may not be used as a security control to meet PCI DSS requirements. This is an industry-wide mandate defined by the Payment Card Industry Data Security Standard (PCI DSS). TLS v1.1 or higher is required, and TLS v1.2 or higher is recommended, to protect your business and your customers. For more information regarding this industry mandate, see the Reference Links at the end of this article, or view the video below.

If you previously submitted a scan dispute with a Risk Mitigation and Migration Plan for addressing SSL/early TLS, you acknowledged that your business uses SSL or early TLS and agreed to update those systems by the June 30, 2018 deadline. Beginning July 1, 2018, a Risk Mitigation and Migration Plan will no longer prevent a failing scan.

Video: SSL/Early TLS – High Level Overview

How to identify if you are using SSL/Early TLS:

  1. Navigate to the Portal and log in to your account

    • You can use the "I forgot my username/password" links if you need a reminder of your login credentials.

  2. From the dashboard, select "Scanning" from the toolbar.

    • You will see the results of your most recent scan in the main screen.

  3. Review the IP address/URL being scanned to ensure this is correct and up-to-date for your payment environment.

  4. Click on each vulnerability to learn if SSL/early TLS is listed as a compliance issue. These will be listed as one of the following:

    • SSLv3 Supported
    • TLSv1.0 Supported
    • SSL version 3 protocol padding-oracle attack (POODLE)

    You can also download the scan report in PDF format.

  5. For each SSL/early TLS finding flagged on your scan, note the port number it was found on, then see the guidance by port below. (Your portal view may have a slightly different look depending on your program.)

If you have SSL/Early TLS vulnerabilities:

Eliminating SSL/Early TLS can seem complicated, but like any problem just take it step by step.

The first step is to figure out what systems or applications are using SSL/Early TLS. Depending on how your network is set up, the issue could be in one or more places.

The scan report will tell you where SSL/early TLS is being used, by telling you which port we have found this vulnerability on.

Below we have listed some common sources of the problem. Note that these may not exactly match what you see in the report or in your network configuration: your systems probably do not use all of the ports listed, and they may use other ports.

Guidance By Port

Video: Finding the port number (Your portal view may have a slightly different look depending on your program.)

When you are scanning a domain (website):

  • Port 443: your hosted website allows connections using SSL/Early TLS. Work with your hosting provider to have SSL/Early TLS disabled.

When you are scanning an IP address (physical location):

The ports listed below are most often used by the devices or applications listed. For advice about each type of device, click the device name link to go to the section below.

If the port is not on the list, see the Port Not Listed section.

Port    Device or application
21      FTP
25      Email
80      Web/admin
110     Email
143     Email
443     Web/admin
465     Email
587     Email
3389    RDP
4433    Web/admin
8000    DVR/Camera
8080    Web/admin or DVR/Camera
8443    Web/admin
10443   DVR/Camera
20443   DVR/Camera
30443   DVR/Camera
50001   Cable or DSL modem
60001   Cable or DSL modem
60443   DVR/Camera

  • Web Admin: This is usually the administration web page of a modem or router on premise. The suggested action is to log in to that device and turn off access to the admin page from the "WAN" or Internet side. You can usually leave access open from the Local Area Network (LAN) and USB ports.

    • If your internet service provider (ISP) owns or manages the modem, they may opt to put a firewall behind it. Note: Once the firewall is implemented, your scans may still fail, because the modem's admin page remains reachable from the Internet. In these situations, you may need to submit a dispute to address the failing.

  • Cable/DSL Modem: This is likely a maintenance port of a cable modem or DSL modem on premise. The suggested action is the same as for Web Admin above: log in to that device and turn off access to the admin page from the "WAN" or Internet side. You can usually leave access open from the Local Area Network (LAN) and USB ports.

    • If your internet service provider (ISP) owns or manages the modem, they may opt to put a firewall behind it. Note: Once the firewall is implemented, your scans may still fail. In these situations, you may need to submit a dispute to address the failing.

  • Email: These ports are used by email servers. If the scan finds SSL/early TLS on these ports, there is likely an email server on your network. If you have a business need for this email server, you must reconfigure it to disable SSL/early TLS. Usually you can do this by updating the server settings; you might also need to update the server software, since older versions cannot offer TLS 1.1 or higher. For assistance with some common software, see the Reference Links at the end of this article (external sites).

  • Remote Desktop Protocol (RDP): This port is almost always a remote login for Microsoft Windows computers. If this port is detected, your router is most likely configured to forward connections from the Internet to a specific computer inside the network. The easiest and most secure action is to block the port. However, before blocking the port you should find out whether it is needed by a remote IT management resource. If the port needs to be open for business reasons, you will need to apply Windows Updates to the Windows system(s) and disable SSLv3 and TLS 1.0 in the Windows Registry. RDP uses the operating system's SCHANNEL settings, so the protocols are disabled per protocol under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols (for example the "SSL 3.0\Server" and "TLS 1.0\Server" keys, with Enabled set to 0), followed by a reboot.

    • NOTE: Unless multifactor authentication is enabled, running remote connectivity services (such as Remote Desktop and/or VNC) is considered non-compliant if the system is in the cardholder data environment (CDE).

  • DVR/Camera system: These ports are often used for remote Closed Circuit Television (CCTV) monitoring of a building or room. Usually these ports should remain open if live monitoring of a business is needed. The recommended action is to make sure that the device is segmented (isolated) from the cardholder data environment. Talk to an IT specialist to determine if network segmentation is in place, or for assistance in setting it up. In these situations, you may need to submit a dispute to address the failing.

  • FTP: This port is almost always an FTP server that offers SSL/TLS encryption (FTPS). If you have a business need for this application, you must reconfigure it to disable SSL/early TLS. Usually you can do this by updating the server settings; you might also need to update the software. In many cases, FTP applications use the operating system's SSL/TLS components, which means the upgrade is applied to the operating system rather than to the FTP software itself. For assistance with some common software, see the Reference Links at the end of this article (external sites).

Port Not Listed

If the affected port is not on the list above, you will need to identify where the SSL/early TLS is coming from. You can try navigating to it in a web browser using the following formula: https://<IP>:<port>

  • For example, if your scan report shows vulnerabilities discovered on port 719 of IP address 203.0.113.57, you would enter the following URL in your web browser: https://203.0.113.57:719. Expect a certificate warning, since the device's certificate will not match the IP address; the goal is only to see what answers.
  • If a web page is displayed, look for any information that may help identify which device the SSL/early TLS is coming from.
    • Look for anything that might identify the name of a service provider, vendor, or any other third-party entity which may have a presence in your environment.
  • Important note: The above procedure only works when the service on the port is a website. Instances detected on services that are not websites cannot be identified this way; such devices could be VPN endpoints, POS machines or FTP servers. In these cases, contact an IT specialist to help determine the source.
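The browser method above only tells you what is listening on a port, not which protocol versions it accepts, and it fails entirely for non-web services. The following Python script is an added example, not part of this article and not Trustwave's scanner. It sends a hand-built ClientHello for each of SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2 and reads the first record the server returns, so it works against any TLS port (RDP, FTPS, mail, DVR) and does not depend on which protocols the local OpenSSL build still permits. It lets you confirm a scan finding ("SSLv3 Supported" / "TLSv1.0 Supported") on the reported IP and port before opening a dispute, and re-check after remediation. The host and port (203.0.113.57:719 from the example above) and the two sample server replies embedded in the script are constructed for illustration.

```python
"""Probe a TCP port for SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2 support.

Added example (not Trustwave's scanner and not part of the original article).
The ClientHello is built by hand so the answer does not depend on which
protocols the local OpenSSL build still permits. Host, port and the
constructed sample records below are illustrative only.
"""
import os
import socket
import struct

# Protocol versions as they appear on the wire.
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
EARLY = {0x0300, 0x0301}  # the versions the PCI scan flags as "SSLv3/TLSv1.0 Supported"

# Broad suite list: GCM suites for TLS 1.2 servers, CBC/RC4 suites an old server will accept.
CIPHER_SUITES = [0xC02F, 0xC030, 0x009C, 0x009D, 0xC013, 0xC014,
                 0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version: int) -> bytes:
    """Minimal ClientHello record (no extensions) offering `version`."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version)            # client_version
            + os.urandom(32)                      # random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record-layer version: SSLv3 when probing SSLv3, otherwise TLS 1.0 (widely tolerated).
    record_version = 0x0300 if version == 0x0300 else 0x0301
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_server_response(data: bytes):
    """Classify the first record sent back by the server.

    Returns ("server_hello", negotiated_version), ("alert", description),
    ("closed", None) when the server just dropped the connection, or
    ("other", content_type).
    """
    if len(data) < 5:
        return ("closed", None)
    content_type, _record_version, record_len = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + record_len]
    if content_type == 0x15 and len(payload) >= 2:      # Alert: level, description
        return ("alert", payload[1])
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        return ("server_hello", struct.unpack("!H", payload[4:6])[0])
    return ("other", content_type)


def version_supported(requested: int, data: bytes) -> bool:
    """A server never negotiates above client_version, so `requested` is
    supported only when the ServerHello echoes it exactly. A lower version
    means the server fell back; an alert or a dropped connection means no."""
    kind, value = parse_server_response(data)
    return kind == "server_hello" and value == requested


def probe(host: str, port: int, version: int, timeout: float = 5.0) -> bool:
    """Live check: send one ClientHello and classify the first reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version))
            data = sock.recv(4096)   # the ServerHello or alert fits in the first read
    except OSError:                  # refused, reset or timed out: treat as not offered
        data = b""
    return version_supported(version, data)


def scan(host: str, port: int) -> dict:
    """Map each protocol name to True (offered) or False for host:port."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}


# Constructed sample replies (not captured from any real host) so the parser
# can be exercised offline: a TLS 1.0 ServerHello choosing AES128-SHA, and a
# protocol_version (70) alert.
SAMPLE_SERVER_HELLO_TLS10 = (b"\x16\x03\x01\x00\x2a"            # record: handshake, len 42
                             + b"\x02\x00\x00\x26"               # ServerHello, len 38
                             + b"\x03\x01" + bytes(32)           # server_version, random
                             + b"\x00" + b"\x00\x2f" + b"\x00")  # session_id, suite, compression
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. 203.0.113.57 719, from the scan report
    for name, offered in scan(host, port).items():
        flag = "  <- would fail the PCI scan" if offered and VERSIONS[name] in EARLY else ""
        print(f"{name:8} {'offered' if offered else 'not offered'}{flag}")
```

Run it as `python probe_tls.py 203.0.113.57 719` from a machine outside your network, since the scan is performed from the Internet side and an internal test may hit a different path. Because the probe sends no SNI, a server that hosts several names will answer with its default certificate; that does not affect the version result. A server that only speaks TLS 1.3 will answer every probe with a protocol_version alert, which correctly reports all four legacy versions as not offered.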

Reference links

Trustwave video references

(Your portal view may have a slightly different look to that shown in the demo videos depending on your program.)