Hi Qualys community,
We are seeing QID 38604 'TLS CBC Incorrect Padding Abuse Vulnerability' showing up on a Windows 2008 SP2 server running an IIS7 FTPS over SSL server on port 990. To my knowledge, Microsoft products are not impacted by CVE-2014-8730 and the solution references patches for F5 and A10 products. The only thing I can think of that may be causing this is the use of CBC ciphers on TLS1.0, but since this CVE is due to a problem with the implementation of TLS1.0 and not the protocol itself (like it is with SSLv3), is this the reason why it is showing up?
Thanks in advance for your feedback!