How to Fix TLS CBC Incorrect Padding Abuse Vulnerability on Windows 2003 Server


I am at a loss on this one; I have tried everything. We cannot pass our PCI scan due to a couple of older Windows 2003 Servers with IIS. The vulnerability reported is:

"TLS CBC Incorrect Padding Abuse Vulnerability"

This is the result from the SSL Labs scanner: SSL Scan Results

We have disabled SSL 3.0: Disabled SSL 3.0

And installed the hotfixes from MS from here:

I don't know what else to do in order to disable the CBC cipher issues on Windows 2003. Does anybody know?

There is 1 answer

Anand Bhat (best answer)

This issue reported by SSL Labs is the POODLE attack against TLS. This is different from the SSL POODLE issue for which you appear to have deployed a fix.

Do you have a load balancer or reverse-proxy in front of your IIS server? If so, you'll need to patch that product.

If not, there is a user report (also here) that applying KB2655992 may address this.
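As an added example (not part of the question or the answer above), a small PowerShell audit a Windows 2003/IIS administrator could run before re-scanning, to confirm the two host-side states this thread discusses: that SSL 3.0 is disabled server-side in Schannel and that KB2655992 is installed. It assumes PowerShell 2.0 is installed on the server and the standard Schannel registry layout; if a load balancer or reverse proxy terminates TLS in front of IIS, the host-side results do not explain the scan finding.

```powershell
# Added example, not the author's or Microsoft's code. Audits the remediation
# states named on this page on a Windows 2003 / IIS host.
# Assumptions: PowerShell 2.0 is present; standard Schannel registry layout;
# KB2655992 is the hotfix id given in the accepted answer.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-ProtocolServerState {
    # Reads the server-side Enabled value for a Schannel protocol key.
    param([string]$Protocol)
    $key = Join-Path $Schannel "Protocols\$Protocol\Server"
    if (-not (Test-Path $key)) { return 'not configured (OS default applies)' }
    $props = Get-ItemProperty -Path $key
    if ($props.Enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

function Test-HotfixInstalled {
    # Checks the installed-update inventory via WMI for a given KB id.
    param([string]$HotfixId)
    $match = Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -eq $HotfixId }
    return ($match -ne $null)
}

# 1. SSL 3.0 disabled server-side (addresses the SSL POODLE finding)
$ssl3 = Get-ProtocolServerState -Protocol 'SSL 3.0'
Write-Host "SSL 3.0 (server): $ssl3"
if ($ssl3 -ne 'disabled') {
    Write-Warning 'SSL 3.0 is not explicitly disabled in Schannel.'
}

# 2. Hotfix named in the answer for the TLS POODLE / CBC padding finding
if (Test-HotfixInstalled -HotfixId 'KB2655992') {
    Write-Host 'KB2655992: installed'
} else {
    Write-Warning 'KB2655992 not found in Win32_QuickFixEngineering.'
}

# 3. Reminder: if TLS is terminated by a load balancer or reverse proxy,
#    the device in front of IIS must be patched instead of this host.
Write-Host 'If a load balancer/proxy terminates TLS, check that product too.'
```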