CVE-2013-0169 (LUCKY13)

Question

Sophos XGS 136 model in HA mode, having Version 20.0 MR2 Build 378. while performing Penetrating Testing we get LUCKY13 VA on port 8090. 
 before version 20.0 MR2 we were having firmware 19.5 MR2 Build 624 with this firmware we are facing LUCKY13 VA on port 8090. 
 and we checked with all firmware between 19.5 MR2 Build 624 to 20.0 MR2 Build 378, all are having same VA. 
 see the attachment

LuCar Toni · Answer

I was looking into this. Generally speaking, CBC is not considered as "insecure" in a term of you should replace it everywhere ASAP. https://security.stackexchange.com/questions/210072/why-does-ssl-labs-now-consider-cbc-suites-weak 
 SFOS offers CBC on TLS1.2 on Port8090. But this is currently under review to disable it. 
 The tool, you are using, is simply checking for the "is the server offing CBC or not". By no means does it mean, SFOS is vulnerable to this CVE.

LuCar Toni · Answer

We added a KB for V20.0 MR2: https://support.sophos.com/support/s/article/KBA-000009836?language=en_US

CVE-2013-0169 (LUCKY13)

Top Replies