usd HeroLab Top 5 Vulnerabilities 2020: Transport Layer Security (TLS) 1.0

16 July 2021

During penetration tests, our security analysts repeatedly uncover entry points in IT systems and applications that pose significant risks to corporate security. Time and again they identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 4: TLS 1.0

Vulnerability Background

The TLS protocol is widely used to authenticate and encrypt network connections. It sits between TCP and the application and presentation layer protocols. The authenticity of the contacted server is guaranteed by a certificate, and the connection between client and server is encrypted.

TLS is probably one of the most widely used encryption protocols for network communication. The encryption of the transmitted data is separated from the actual application layer protocol, so application programmers do not have to deal with the encryption layer themselves. TLS still has to be configured manually, however, and that configuration is where much of the potential for vulnerabilities lies. Many systems still use the outdated version TLSv1.0, which the PCI Security Standards Council has not regarded as sufficiently secure since 2016.

Exemplary hacker attack and its consequences

Vulnerabilities at the TLS level can often only be exploited under laboratory conditions [1]. The reason this vulnerability category has nevertheless made it onto our list is the striking frequency with which TLSv1.0 was identified in the systems we tested, a clear sign that vulnerabilities at the TLS level are still not taken seriously.

Recommended measures

TLSv1.0 is an outdated version of the TLS protocol with known vulnerabilities. Although concrete exploitation is difficult, it still poses a security risk. In particular, PCI-relevant systems must no longer support TLSv1.0 in order to meet compliance requirements.
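One way to verify this recommendation against a capture or probe result is to look at the version the server actually agreed to in its ServerHello. The following Python parser is an added example, not code from the original article or from usd HeroLab; it reads a raw TLS handshake record, extracts the negotiated version (including the TLS 1.3 case, where the real version lives in the supported_versions extension), and flags versions that should no longer be offered. The sample records are constructed, not captured from any real server.

```python
import struct

# Wire encodings of the protocol version (RFC 5246 / RFC 8446)
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
                (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}
SUPPORTED_VERSIONS_EXT = 0x002B  # TLS 1.3 signals its real version here

def negotiated_version(record: bytes) -> str:
    """Return the version a server agreed to, parsed from a raw ServerHello record."""
    if record[0] != 0x16:  # content type must be handshake
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:  # handshake type must be ServerHello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])       # server_version / legacy_version
    pos = 2 + 32                        # skip server random
    pos += 1 + body[pos]                # skip session_id
    pos += 2 + 1                        # skip cipher_suite and compression_method
    if pos + 2 <= len(body):            # extensions are present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_size == 2:
                version = (body[pos], body[pos + 1])  # TLS 1.3 keeps legacy_version 0x0303
            pos += ext_size
    return TLS_VERSIONS.get(version, "unknown %d.%d" % version)

def is_deprecated(record: bytes) -> bool:
    return negotiated_version(record) in DEPRECATED

def build_server_hello(version: tuple, extensions: bytes = b"") -> bytes:
    """Constructed test record: zero random, empty session id, one cipher suite."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a server that picked TLS 1.0, and one that picked TLS 1.3
HELLO_TLS10 = build_server_hello((3, 1))
HELLO_TLS13 = build_server_hello((3, 3), struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 2) + b"\x03\x04")
```

A server that answers a probe with the first kind of record still accepts TLSv1.0 and needs its protocol configuration tightened; the second kind is what a correctly configured server should produce.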

Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.

[1] In our mini-series, we do not go into cryptographic details.

Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.
