
Inconsistent results scanning sites for Zombie Poodle / OpenSSL 0-Length

Question asked by Erik Ent on Aug 15, 2019
Latest reply on Aug 18, 2019 by Erik Ent


Two sites ("A" and "B") behind a Netscaler VPX load balancer, with a different FQDN for each and two servers behind the load balancer for each (A1 and A2, B1 and B2).

Getting inconsistent results with one of the sites, "B": sometimes the scan comes up flagged for Zombie Poodle / OpenSSL, sometimes it passes and is flagged as OK.

  • Site A has never come up flagged for Zombie Poodle / OpenSSL and has the same cipher suites as site B.
  • Site B has an identical SSL/cipher setup to site A in the Netscaler.
  • Servers B1 and B2 behind the Netscaler have identical SSL/cipher suites.
  • All servers behind the Netscaler, and also the sites from external, pass the TLS CBC Padding Oracle Scanner (GitHub - Tripwire/padcheck: TLS CBC Padding Oracle Checker).
  • The immuniweb.com/ssl/ website, which scans for Zombie Poodle / OpenSSL 0-Length, passes each time without fail.
  • The Netscaler VPN has current firmware (NS12.1 51.19.nc).

It appears that others are having similar issues as per:

problem about "zombie POODLE" and "OpenSSL 0-length"

CVE-2019-1559: ssllabs scan returns different results scanning the same server

How does ssllabs.com check CVE-2019-1559

It appears to me, based on the above findings, that there must be some inconsistency issue with the Qualys SSL scan, as no other tool or website shows our sites as vulnerable to Zombie Poodle / OpenSSL 0-Length, unless something proves otherwise.

I'd be interested to find out if others have the same issue or have found a reason why.
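One diagnostic worth running before blaming the scanner is to check whether repeated handshakes to the same hostname are all answered by an identically configured endpoint. An intermittent finding against a load-balanced FQDN, or against a pair of backends that are supposed to match, is often explained by different nodes answering different probes. The script below is an added example, not code from the original post, Qualys, or Tripwire's padcheck; it uses only the Python standard library, and the host, port and sample count are placeholders you supply. It records, for each connection, the negotiated protocol version, cipher name and a truncated SHA-256 of the leaf certificate, then reports whether every sample matched. Run it against the external FQDN and against each backend (A1, A2, B1, B2) separately and compare.

```python
"""Sample many TLS handshakes to one endpoint and report whether the
answering node looks identical every time. Added example; not part of
the original post. Host/port/sample count are caller-supplied placeholders."""
import hashlib
import socket
import ssl
import sys
from collections import Counter


def handshake_fingerprint(host, port=443, timeout=5.0):
    """Open one TLS connection and return a tuple describing what answered:
    (protocol version, cipher name, first 16 hex chars of the leaf cert SHA-256)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            cert_id = hashlib.sha256(der).hexdigest()[:16]
            return (tls.version(), tls.cipher()[0], cert_id)


def sample(host, n=20, port=443):
    """Collect n independent handshake fingerprints (one connection each)."""
    return [handshake_fingerprint(host, port) for _ in range(n)]


def summarize(observations):
    """Group fingerprints and decide whether the endpoint answered consistently.

    Returns (consistent, counts): consistent is True only when every
    observation is the same (version, cipher, cert) tuple; counts maps each
    distinct tuple to how often it was seen, so a 50/50 split between two
    certificates points at two differently configured nodes behind one name."""
    counts = Counter(observations)
    return len(counts) == 1, counts


def report(observations):
    """Render a short human-readable verdict for the collected samples."""
    consistent, counts = summarize(observations)
    lines = ["consistent" if consistent else "INCONSISTENT: %d distinct responders" % len(counts)]
    for (version, cipher, cert_id), seen in counts.most_common():
        lines.append("  %3d x %-8s %-32s cert:%s" % (seen, version, cipher, cert_id))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python tls_consistency.py <host> [samples] [port]
    target = sys.argv[1]
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 20
    tcp_port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    print(report(sample(target, count, tcp_port)))
```

If the external name is consistent but the backends differ from each other (for example, B1 and B2 present different certificates or negotiate different ciphers despite having the "same" configuration), that divergence is the first thing to reconcile; if every endpoint is consistent across dozens of samples, that strengthens the case that the variance lies on the scanner's side.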
