Zombie POODLE with Cipher Block Chaining

[Moussa ML]

Hi all,

In SSL Lab, I have this message alert "This server is vulnerable to the Zombie POODLE vulnerability. Grade will be set to  F  from May 2019.  MORE INFO », taht is related to the Cipher Block Chaining as you can check in this article https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities, do you have an idea how can I deal with this vulnaribility to avoid class F?

 

 

 

 

 

Thanks in advance.

Best Regards,

Moussa

[CarlStalhood]

I suspect you'd need to move the GCM ciphers to the top of the list. See https://www.citrix.com/blogs/2018/05/16/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-q2-2018-update/

[Moussa ML]

Hi Carl,

 

Thank you for your reply, Idid but we have alwas the same message "This server is vulnerable to the Zombie POODLE vulnerability. Grade will be set to F from May 2019.  MORE INFO »"

 

 

Best Regards,

Moise

[CarlStalhood]

What build of NetScaler? Make sure it's one of these - https://support.citrix.com/article/CTX240139

[Moussa ML]

 

Yes, we have 11.1 57.11

 

 

[CarlStalhood]

Then you need to upgrade the firmware to 11.1 build 60.14 and later. The article shows this.

[Moussa ML]

Ok carl, thank you. this upgrade will resolve this issue without any other changes?

[CarlStalhood]

As long has you have already done everything else detailed in https://www.citrix.com/blogs/2018/05/16/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-q2-2018-update/, then the firmware upgrade is probably all you need.

[Moussa ML]

ok thank you so much carl

[Andreas Furtenbacher]

Hi,

I am running on 12.0 61.8 but still got the grade F. I was on A+ before this. Has anyone some more ideas?

Regarding https://support.citrix.com/article/CTX240139 with a firmware newer than 12.0 60.9, the vulnerbilities should be closed?!

Thank you,

Andreas

[Moussa ML]

Hi afurten,

 

I have upgraded to 12.1 51.19 to resolve this issue, I have A+ now.

 

Best Regards,

Moise

[Glen McDonald]

I've upgraded to 12.1 51.19 and I'm still getting the vulnerable message when I scan the site. Is there anything else that I need to do?

[Roberto Pereira]

Hello,

 

I have also the problem with F rating on ssllabs. I upgraded the customres NS to 13.0-41.28 and still getting Rating F.

 

I followed the article from Steven Wright how to get an A+ Score. Strange is, that I use the same settings on our Netscaler. Our Netscaler (also 13.0-41.28) has an A+ Rating and the customer has F.

 

I made a new Ciper Group without CBC Cipers but still F Score. Then I assigned again the Cipher Group from Steven Wright. The first check of ssllabs shows A+, when I repeat the check it goes back to F. Further ssllabs is showing CBC-Cipers, also if I assign a Ciper-Group without CBC Cipers to the vserver.

 

Has someone found a solution that works?

[Russell Maher]

Fixed for me at last!.

 

12.1.51.19

 

Been getting SSLLabs A+ then F and back and forth for weeks.  Switched to these ciphers and so far all A+.

 

https://docs.citrix.com/en-us/tech-zone/build/tech-papers/networking-tls-best-practices.html

 

[Roberto Pereira]

Thank you Russ, this works fine now.