SSL 2.0 Security Alert

Rapid7 Nexpose SSL 2.0 Detection

February 26, 2009 - As a result of the clarification made in the Assessor Newsletter of November 2008 [1], in which the Payment Card Industry Security Standards Council (PCI SSC) cleared up confusion regarding the use of SSL 2.0, Rapid7 Nexpose has been updated. Previously Nexpose reported the "SSLv2 protocol enabled" vulnerability [2] only if SSL 3.0 / TLS 1.0 were disabled. In view of the clarification by the PCI SSC (see additional details below), Rapid7 has updated the check to report the vulnerability regardless of whether SSL 3.0 / TLS 1.0 is enabled.
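The policy change above comes down to one question per service: does the server complete an SSLv2 handshake at all, independent of whether SSL 3.0 / TLS 1.0 are also offered? The following Python is an added example for verifying a server you operate; it is not Nexpose's code nor anything from the Rapid7 or PCI SSC documents. It builds an SSL 2.0 ClientHello from the SSL 2.0 draft message layout, parses a reply to decide whether it is an SSLv2 ServerHello, and applies the post-clarification rule: the finding is reportable whenever SSLv2 is accepted, with the "newer protocols enabled" flag kept only as report context. The `sample_sslv2_server_hello()` bytes (placeholder certificate, two cipher specs) and the hypothetical `sslv2_finding()` / `probe_sslv2()` function names are constructed for this example.

```python
import socket
import struct

# SSL 2.0 message type codes and version, from the SSL 2.0 draft specification.
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002

# The 3-byte SSL 2.0 cipher spec codes a client may offer.
SSLV2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build an SSL 2.0 ClientHello offering every SSLv2 cipher spec, no session id."""
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(specs), 0, len(challenge))
    body += specs + challenge
    # 2-byte record header: high bit set selects the 15-bit "no padding" length form.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data: bytes):
    """Return the cipher spec names an SSLv2 ServerHello offers, or None when the
    reply is anything else (TLS alert, TCP close, garbage), i.e. SSLv2 refused."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    rec_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    # ServerHello header: type, session-id-hit, cert-type, version,
    # cert length, cipher-specs length, connection-id length (11 bytes).
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _hit, _cert_type, version, cert_len, specs_len, _conn_len = \
        struct.unpack("!BBHHHH", body[1:11])
    if version != SSLV2_VERSION:
        return None
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [SSLV2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]


def sslv2_finding(server_response: bytes, newer_protocols_enabled: bool) -> dict:
    """Apply the post-clarification rule: SSLv2 accepted is reportable on its own.
    The SSL 3.0 / TLS 1.0 flag only annotates the report; it no longer suppresses it."""
    ciphers = parse_sslv2_server_hello(server_response)
    return {
        "sslv2_enabled": ciphers is not None,
        "ciphers": ciphers or [],
        "newer_protocols_enabled": newer_protocols_enabled,
        "reportable": ciphers is not None,
    }


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Send the ClientHello to a server you operate and return the raw reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        chunks = []
        try:
            while len(b"".join(chunks)) < 0x7FFF:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # a server that silently ignores SSLv2 simply yields no bytes
    return b"".join(chunks)


def sample_sslv2_server_hello() -> bytes:
    """Constructed SSLv2 ServerHello for offline testing: placeholder DER bytes
    (not a real certificate), two cipher specs, a 16-byte connection id."""
    cert = b"\x30\x03\x02\x01\x01"
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = b"\xaa" * 16
    body = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(specs), len(conn_id))
    body += cert + specs + conn_id
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    # Offline demonstration on the constructed reply and on a TLS alert record.
    print(sslv2_finding(sample_sslv2_server_hello(), newer_protocols_enabled=True))
    print(sslv2_finding(b"\x15\x03\x01\x00\x02\x02\x28", newer_protocols_enabled=True))
```

A reply whose first byte lacks the high bit (a TLS alert record starts with 0x15, a TLS ServerHello with 0x16) or that never arrives is treated as "SSLv2 refused"; only a well-formed version-2 ServerHello counts as the service accepting the protocol, which keeps the check from flagging servers that merely tolerate the old record framing without negotiating SSL 2.0.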

Clarifications Made By the PCI Security Standards Council:

The Technical and Operational Requirements for ASVs states that: "a component must be considered non-compliant if the installed SSL version is limited to Version 2.0 or older." The word "limited" has led some to believe that if, at a minimum, SSL 3.0 or TLS 1.0 is installed in conjunction with SSL 2.0 then that would suffice.

However, the document then states that SSL must be a more recent version than 2.0 in order to be used to transmit cardholder data. Therefore, it is imperative that an ASV identify the use of SSL 2.0 to transmit cardholder data as a failure. At the same time, merchants can enable SSL 2.0 or older in order to notify the browser that the SSL/TLS layer needs to be updated prior to making an online purchase.

Therefore ASVs must determine whether the detection of SSL 2.0 is a false positive or whether they allow for the transmission of cardholder data over a public connection using the older protocol, which should not be allowed.

  1. https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf
  2. http://www.rapid7.com/vulndb/lookup/sslv2-enabled