TLS 1.0 and TLS 1.1 Deprecated VA issues on SOSS secure ports 723 and 724 only

#1
Hi All,

I tried to use Search but got an error message.
My question is: where can I find the configuration setting to mitigate the TLS 1.0/TLS 1.1 vulnerabilities on SOSS ports 723/724?
The Windows Server 2016 registry settings are correct, so there is no such TLS 1.0/TLS 1.1 on ports 443/3389/8172. Thanks.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.0] (both Server and Client)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.1] (both Server and Client)

The correct values show:
DisableByDefault : 0x00000001(1)
Enabled: 0x00000000(0)
-------------------------------------------

Vulnerability
Medium
Vulnerability Type Id: 157288
Containment Status: No Containment Required
Description: The remote service accepts connections encrypted using TLS 1.1. TLS 1.1 lacks support for current and recommended cipher suites. Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM cannot be used with TLS 1.1. As of March 31, 2020, Endpoints that are not enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.
Solution: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
Exploit Available: N/A
Source Type: Tenable

markw

Administrator
Staff member
#2
The ScaleOut service uses the OpenSSL library for TLS (not Windows schannel), so those registry keys won't have an effect.

Version 5.14.1.380 of the ScaleOut service (released 7-Jul-2023) sets the minimum protocol version to TLS 1.2, so it appears that you're running an older version of the ScaleOut service on the machines being scanned.

There isn’t a configuration option in older releases to control supported TLS protocols, so you’ll need to upgrade to a recent ScaleOut release to resolve the alert.
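
To confirm the result after upgrading, the ports can be probed one TLS version at a time; the sketch below is an added example, not part of the original thread or ScaleOut's tooling. It assumes ports 723/724 begin the TLS handshake immediately on connect and uses a placeholder host name; Python's `ssl` module is OpenSSL-based, so the Schannel registry keys on the probing machine do not limit what it can offer.

```python
import socket
import ssl
import warnings

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = ("TLS 1.0", "TLS 1.1")  # the versions the scanner flags


def probe(host, port, name, timeout=5.0):
    """Offer exactly one TLS version and report how the endpoint responds."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # only the protocol version is under
        ctx.verify_mode = ssl.CERT_NONE  # test, not the certificate chain
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = VERSIONS[name]
            ctx.maximum_version = VERSIONS[name]
        if name in DEPRECATED:
            # OpenSSL 3 rejects TLS 1.0/1.1 at its default security level; lower it.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"     # this Python/OpenSSL build cannot offer it
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "accepted"
    except OSError:                      # ssl.SSLError subclasses OSError
        return "rejected"                # handshake refused, reset or timed out
    finally:
        sock.close()


def deprecated_accepted(host, port, timeout=5.0):
    """Deprecated versions the endpoint still negotiates (empty list = fixed)."""
    return [n for n in DEPRECATED if probe(host, port, n, timeout) == "accepted"]


if __name__ == "__main__":  # "soss-host.example" is a placeholder host
    for port in (723, 724):
        print(port, {n: probe("soss-host.example", port, n) for n in VERSIONS})
```

An empty list from `deprecated_accepted` on both ports, with TLS 1.2 reported as accepted, is the outcome that matches a minimum protocol version of TLS 1.2. If every version comes back `rejected`, the probe is probably not reaching a TLS listener at all, so the result says nothing about the protocol settings.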