Issue Statement:

You have disabled a specific version of TLS/SSL using following registry as mentioned in https://support.microsoft.com/en-in/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<SSL/TLS version to disable>\Server

When you run vulnerability scan in your environment, you still get disabled SSL/TLS version listed as enabled in the vulnerability report over a specific port (e.g. 4883)

Action Plan:

Capture following data:

1) Netstat /anob > netstat.txt

2) Tasklist /svc > tasklist.txt

Resolution:

Look into netstat.txt file to identify which process is using port 4883.

[svchost.exe]
TCP    10.9.2.109:4883      0.0.0.0:0              LISTENING       2898

In this case, svchost.exe process is using port 4883 and it’s process ID is 2988. Svchost is a sort of bucket or sandbox that can host multiple programs. Looking at the process ID i.e., 2898 you can figure out which process in svchost.exe is causing the problem.

Image Name         PID Services
============       =============
java.exe              2898

Since, the specific version of SSL/TLS from Registry path: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<SSL/TLS>, it disables that specific version of SSL/TLS on SChannel used by OS. If java.exe is using its own schannel, SSL/TLS version to be disabled needs to be done from java.exe.

Work with process owner to disable SSL/TLS version which is being reported in the vulnerability reports. In this case java.exe is causing the issue. Hence, java team needs to address this.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>