This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 94%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMZ%3C/text%3E%3C/svg%3E)
our security team flagged a few of our windows servers as vulnerable to CVE-2019-1559 Zombie POODLE and GOLDENDOODLE.
reading up on it , I think the resolution is to remove all CBC based cipher suites.
is this correct ?
if so, what is the correct way of doing that ?
am i correct in thinking that running the PS cmdlt:
Disable-TLSCipherSuite followed by the CBC cipher suites should achieve that goal ?
thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
This vulnerability is not related to Microsoft product and Windows Server and it might be related to products installed on the Windows Server, it affect if you are running products like F5 or Citrix and you should check what products are affected and look into their support website and take actions.
Windows Server itself is protected against this attack and vulnerabilities affected by products installed on the Windows Server.
I'm not sure why you don't think it relates to Microsoft servers.. IT DOES.
There are a number of ciphers used when a server is creating a secure TLS connection. the ciphers using CBC mode have been identified as vulnerable. as such they need to be avoided . this applies across vendors, Microsoft included
For example for CVE-2019-1559 you may refer to:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
You will notice Microsoft product is not listed because the way Microsoft handle TLS and HTTPS protocol is different and they are not affected by these vulnerabilities. Microsoft already eliminate support for old TLS protocols , take a look at:
https://learn.microsoft.com/en-us/lifecycle/announcements/transport-layer-security-1x-disablement
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
I'm sorry, but i don't think you looked at the question properly and if you did then you are wrong again.
i am not talking about TLS1.0/1.1
i am talking about CBC based cipher suites in TLS1.2
these are affecting windows servers too
I concur with @Reza-Ameri , the CVE you are quoting is not affecting the Windows operating systems as it is an OpenSSL vulnerability and Windows has its own implementation on SSL not based on OpenSSL. As mentioned previously, you can have third-party products installing OpenSSL on a Windows system and that's generaly the third-party app owning the fix (hence the absence of this CVE in the MSRC website).
The vulnerability is neither in the protocol, nor in the algorithms, but in the implementation. It is affecting the OpenSSL's implementation of these protocols and algorithms.
If your security team tagged Windows servers as vulnerable, it is probably because they have one of those third party software bringing OpenSSL in. And in that case, you need to fix the OpenSSL binaries. The cmdLet you mentioned only configures the Windows' implementation. Not touching the OpenSSL binaries.
i opened a case with Microsoft to verify this.
i can see from the CVE details that it is referencing the openssl only. but the qualys scans points to the micorosoft ciphers. it might be a false positive..
i'll update here with their response when i get it
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 63%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHC%3C/text%3E%3C/svg%3E)
Any updates on this yet? I am also getting qualys tickets generated for this vulnerability.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 37%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi Zack, any updates? Want to resolve this issue too. TIA!
@Jccaraan I have an open support case with Qualys on this. Starting with scans running yesterday the tickets are now being marked as closed/fixed without any changes. I am still waiting on a response from Qualys support to see if their engineering team has changed anything. I will update when I get a response.
Thats awesome! will wait. TIA!
Qualys released a fix for a false positive on this QID for cloudflare hosted websites which has also fixed the false positive on 2016 servers with IIS.