TLS Version 1.0 Deprecated - significant cryptographic vulnerabilities

[joshnguyen08]

TLS Version 1.0 Deprecated - significant cryptographic vulnerabilities

[joshnguyen08]

TLS Version 1.0 Deprecated

CVSS Score – 6.5

Description

The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits.

Solution

Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

[joshnguyen08]

Remediation steps:

TLS Version 1.0 Deprecated - significant cryptographic vulnerabilities #5

Go to regedit using Win + R on the windows DC

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Create keys under protocols for TLS 1.0, TLS 1.2, TLS 1.3

In TLS 1.0, you will go in create new -> DWORD -> name it “enabled” -> set the value to 0 to disable

In each TLS 1.2 and 1.3 folder, you will go in to create new -> DWORD -> name it “enabled” -> set the value to 1, see picture below:

Reboot server to reach full effects:

Now running another nessus scan to confirm this alleviated the issue;

Scan output now: TLS Version 1.1 Deprecated Protocol.

[joshnguyen08]

Scan came back for TLS Version 1.1 Deprecated Protocol now with score of 6.5

Follow the steps above to disabled TLS 1.1

[joshnguyen08]

Resolved after lastest Nessus basic network scan