QID 38604 on Windows 2008

Question asked by Brian Kenworthy on Jan 16, 2015
Latest reply on Jan 20, 2015 by AN. Iori

Hi Qualys community,


We are seeing QID 38604 'TLS CBC Incorrect Padding Abuse Vulnerability' showing up on a Windows 2008 SP2 server running an IIS7 FTPS over SSL server on port 990. To my knowledge, Microsoft products are not impacted by CVE-2014-8730 and the solution references patches for F5 and A10 products. The only thing I can think of that may be causing this is the use of CBC ciphers on TLS1.0, but since this CVE is due to a problem with the implementation of TLS1.0 and not the protocol itself (like it is with SSLv3), is this the reason why it is showing up?


Thanks in advance for your feedback!
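
For readers following the implementation-versus-protocol distinction raised in the question, here is an added example (not part of the original post, and not Qualys's detection logic) contrasting the padding check TLS specifies for CBC records with a length-only check that ignores the padding bytes, as SSLv3 does. The function names, the 20-byte MAC, the 16-byte block size and the sample records are assumptions constructed for illustration; MAC verification is out of scope.

```python
# Added illustration: CBC record padding validation after decryption.
# Layout assumed: content || MAC || padding bytes || padding_length byte.
MAC_LEN = 20   # assumed HMAC-SHA1 tag length
BLOCK = 16     # assumed AES block size


def strict_tls_padding_ok(plaintext: bytes, mac_len: int = MAC_LEN) -> bool:
    """TLS rule: every padding byte must equal the padding_length byte."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 + mac_len > len(plaintext):
        return False  # padding would overlap the MAC or exceed the record
    diff = 0
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len  # accumulate mismatches, no early exit
    return diff == 0


def lax_padding_ok(plaintext: bytes, mac_len: int = MAC_LEN) -> bool:
    """Length-only check: padding content is never inspected."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 + mac_len <= len(plaintext)


def build_record(content: bytes, trailer: bytes) -> bytes:
    """Constructed sample record with an all-zero placeholder MAC."""
    record = content + bytes(MAC_LEN) + trailer
    assert len(record) % BLOCK == 0, "record must fill whole cipher blocks"
    return record


CONTENT = b"PWD\r\n"  # 5 bytes + 20-byte MAC leaves 7 trailer bytes
GOOD = build_record(CONTENT, bytes([6]) * 7)            # well-formed padding
TAMPERED = build_record(CONTENT, b"\x41\x42\x43\x44\x45\x46\x06")  # wrong bytes
OVERSIZE = build_record(CONTENT, bytes([0xFF]) * 7)     # impossible length

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("tampered", TAMPERED), ("oversize", OVERSIZE)):
        print(name, "strict:", strict_tls_padding_ok(rec), "lax:", lax_padding_ok(rec))
```

A stack that behaves like `lax_padding_ok` on TLS records accepts the tampered record's padding, which is the implementation behaviour the question distinguishes from a flaw in the TLS protocol itself.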