Article 4B2J7 PCI & SSL/Early TLS QIDs 38601, 42366

by Igor Obolenskiy (#4B2J7)

Two QIDs will be marked as PCI Fail on May 1, 2019, as required by the ASV Program Guide:

  • QID 38601 SSL/TLS Use of Weak RC4 Cipher
  • QID 42366 SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)

The latest revision of the ASV Program Guide (ver. 3.1) states the following for the SSL/TLS component:

"A component must be considered non-compliant and marked as an automatic failure by the ASV:
- If it supports SSL or early versions of TLS, OR
- If strong cryptography is supported in conjunction with SSL or early versions of TLS (due to the risk of forced 'downgrade' attacks)."

ASV scan customers needed to migrate away from SSL/early TLS by June 30, 2018, as was announced previously in the Qualys blog post of April 18, 2017.

Compensating controls could be used where SSL/early TLS is still in use. If the system is found not to be susceptible to the particular vulnerabilities, a false positive/exception could be submitted and approved by the ASV, resulting in a "PCI Pass" for the affected scan component or target host.
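The rule quoted above has a subtlety that trips up remediation: a host offering TLSv1.0 with strong AES-GCM ciphers still fails, because the protocol itself is the failure condition, not the cipher strength. The following added example (not Qualys code, and not the ASV's own logic) applies that rule, together with the two QIDs named in this post, to a constructed list of protocol/cipher observations in the form a scanner might report them. The IANA cipher names, the `SAMPLE_SCAN` text, and the choice to treat only SSLv2, SSLv3 and TLSv1.0 as "SSL/early TLS" are all assumptions made for the example; adjust `EARLY_PROTOCOLS` to match your ASV's interpretation.

```python
"""Classify observed SSL/TLS protocol/cipher pairs against the ASV Program
Guide rule and the two QIDs from the post (QID 38601 RC4, QID 42366 BEAST).
Added example: not Qualys code. Inputs are constructed, not real scan output.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Assumption: protocols treated as "SSL or early TLS" for the automatic-failure
# rule. The post names SSLv3.0 and TLSv1.0; extend this set if your ASV also
# treats TLSv1.1 as early TLS.
EARLY_PROTOCOLS: Set[str] = {"SSLv2", "SSLv3", "TLSv1.0"}

# Constructed observations in "PROTOCOL CIPHER" form using IANA cipher names,
# which spell out the cipher mode (CBC/GCM) so the BEAST check can key on it.
SAMPLE_SCAN = """
# constructed sample, not real scanner output
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLSv1.0 TLS_RSA_WITH_RC4_128_SHA
"""


@dataclass
class Finding:
    rule: str      # "QID 38601", "QID 42366" or "SSL/early TLS"
    protocol: str
    cipher: str
    reason: str


def parse_observation(text: str) -> List[Tuple[str, str]]:
    """Turn 'PROTOCOL CIPHER' lines into (protocol, cipher) tuples.

    Blank lines and '#' comments are skipped; malformed lines raise so a
    truncated scan export is noticed rather than silently passing.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"unparseable observation line: {line!r}")
        pairs.append((parts[0], parts[1]))
    return pairs


def classify(pairs: Iterable[Tuple[str, str]],
             early: Set[str] = EARLY_PROTOCOLS) -> List[Finding]:
    """Return every finding for the observed pairs, in observation order."""
    findings: List[Finding] = []
    for proto, cipher in pairs:
        # QID 38601: RC4 is weak on any protocol version, TLSv1.2 included.
        if "RC4" in cipher:
            findings.append(Finding("QID 38601", proto, cipher,
                                    "SSL/TLS use of weak RC4 cipher"))
        # QID 42366: CBC-mode ciphers on SSLv3/TLSv1.0 are BEAST-exposed.
        if proto in {"SSLv3", "TLSv1.0"} and "CBC" in cipher:
            findings.append(Finding("QID 42366", proto, cipher,
                                    "CBC mode on SSLv3/TLSv1.0 (BEAST)"))
        # ASV Program Guide rule: the protocol alone is an automatic failure,
        # even when the negotiated cipher is strong (downgrade risk).
        if proto in early:
            findings.append(Finding("SSL/early TLS", proto, cipher,
                                    "SSL/early TLS supported; automatic "
                                    "failure regardless of cipher strength"))
    return findings


def pci_status(pairs: Iterable[Tuple[str, str]],
               early: Set[str] = EARLY_PROTOCOLS) -> str:
    """'FAIL' if any finding applies to the component, otherwise 'PASS'."""
    return "FAIL" if classify(list(pairs), early) else "PASS"


if __name__ == "__main__":
    observed = parse_observation(SAMPLE_SCAN)
    for f in classify(observed):
        print(f"{f.rule:14} {f.protocol:8} {f.cipher:40} {f.reason}")
    print("Component status:", pci_status(observed))
```

Note that the TLSv1.0 + RC4 line produces two findings (QID 38601 and the early-TLS failure) but not QID 42366: RC4 is a stream cipher, which is exactly why it was once recommended as a BEAST workaround, and why a host "fixed" that way years ago now fails on a different QID. Removing the early protocols entirely clears both QIDs and the downgrade rule in one step, which is the remediation the post's migration deadline was pointing at.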

The ASV Program Guide and PCI DSS are available in the PCI Council Document Library.

Source feed: https://community.qualys.com/blogs/securitylabs/feeds/tags/ssl