
Qualys Failing PCI Scans due to CVE-2011-3389 (BEAST) Recommending RC4 to fix despite risks

Question asked by Marc Rogers on Dec 3, 2014

Currently Qualys is failing PCI scans for companies when it detects the presence of insecure CBC ciphers and TLS 1.0. The recommendation in the scanner is that any organization which cannot upgrade to TLS 1.2 should instead prioritize RC4 over CBC to mitigate BEAST. This is bad advice.


RC4 is broken. This is a much bigger risk than the complex BEAST attack - which has no known PoC in the wild. Furthermore, with Apple's updates in Oct 2013 every modern browser now mitigates BEAST client side. This means the position recommended by everyone - including Qualys - is to deprecate RC4 and to consider BEAST mitigated.


This leaves CBC as the safest option for networks that have to service clients which only support TLS 1.0.



I note that in the following thread from Q4 2013 - RC4 to mitigate the Beast attack? Not anymore... - Ivan agrees that BEAST is largely mitigated and says that SSL Labs would be changing its scoring for BEAST as a consequence. Yet what has happened is the opposite of what I was expecting to happen.


Interestingly, while QualysGuard PCI is marking this as a vuln with a score of 4.3 and thus a PCI failure - Qualys ASV is correcting the score - from 4.3 to 2.6. While that's a fine workaround for companies with a sensible ASV/QSA, there is still the issue that the advice being given by the scanner is bad, and anyone who runs a scan without an ASV could believe that the network they are scanning is non-compliant.


So what's the way forward? Note - I refuse to recommend the adoption of a broken cipher (RC4) purely to pass PCI scans. How can we get you to stop flagging CVE-2011-3389 as an instant PCI failure - as you did previously - and how can we get the detection advice updated to be more in line with the current position?


To me it seems that the right answer is to update the information in the scanner both the score and the associated guidance.
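As an added illustration of the cipher policy argued for in this post (example code, not from Qualys or the original poster), a small Python audit that classifies a server's offered suites by bulk cipher, drops RC4 outright, and keeps CBC suites only as the fallback for TLS 1.0 clients behind TLS 1.2 AEAD suites. The suite names are constructed sample data in OpenSSL notation, and the finding wording is mine.

```python
# Classify TLS cipher suites the way the post argues a scanner should, and
# build a preference list: AEAD first, CBC second, RC4 removed entirely.
# Assumption: suite names follow OpenSSL's KX-AUTH-CIPHER[-MODE]-HASH form.

def bulk_cipher_class(suite):
    """Return 'RC4', 'AEAD', 'CBC' or 'OTHER' for an OpenSSL cipher name."""
    if "RC4" in suite:
        return "RC4"
    if any(tok in suite for tok in ("GCM", "CCM", "CHACHA20")):
        return "AEAD"
    # OpenSSL names AES/Camellia/SEED CBC suites without a mode token;
    # 3DES appears as DES-CBC3.
    if any(tok in suite for tok in ("AES", "CAMELLIA", "SEED", "DES", "CBC")):
        return "CBC"
    return "OTHER"  # NULL, export, or unrecognised suites

def build_preference(offered):
    """Order suites AEAD first, then CBC; RC4 and unknowns are dropped.
    sorted() is stable, so the server's relative order survives within a class."""
    rank = {"AEAD": 0, "CBC": 1}
    kept = [s for s in offered if bulk_cipher_class(s) in rank]
    return sorted(kept, key=lambda s: rank[bulk_cipher_class(s)])

def assess(offered, protocols):
    """Emulate the scanner question raised in the post as defender findings:
    RC4 present is the real failure; CBC on TLS 1.0 is a legacy-client note;
    a missing TLS 1.2 AEAD suite means modern clients cannot avoid CBC."""
    classes = {bulk_cipher_class(s) for s in offered}
    findings = []
    if "RC4" in classes:
        findings.append("RC4 offered: broken cipher, remove regardless of BEAST")
    if "TLSv1.0" in protocols and "CBC" in classes:
        findings.append("CBC on TLS 1.0: BEAST mitigated client-side in modern "
                        "browsers; retain only for legacy clients")
    if "TLSv1.2" not in protocols or "AEAD" not in classes:
        findings.append("No TLS 1.2 AEAD suite: add one so modern clients "
                        "never negotiate CBC")
    return findings

# Constructed sample of what a scanner might report for a legacy-tolerant host.
SAMPLE_SUITES = ["ECDHE-RSA-RC4-SHA", "RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                 "ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA", "NULL-SHA"]
SAMPLE_PROTOCOLS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

if __name__ == "__main__":
    print(build_preference(SAMPLE_SUITES))
    for line in assess(SAMPLE_SUITES, SAMPLE_PROTOCOLS):
        print("-", line)
```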