Vulnerability Background

FTK Central supports TLS protocols older than TLS 1.2 which are no longer considered cryptographically secure. Due to the possibility of an attacker downgrading the protocol version used in the SSL/TLS session, it is important to discontinue the usage of cryptographically weak SSL/TLS versions. 

This is highly important even if the application supports TLS 1.2 and newer. Downgrade attacks can lead to the alteration of the TLS handshake messages in a manner that results in the usage of an older SSL/TLS protocol version. If successful, the downgrade attack will ensure that a cryptographically broken protocol is used, while the connecting client and server believe their connection is secure.

Disabling TLS 1.0 and 1.1

Before attempting this remediation solution, please make a backup of the system being worked on. You can create your own .reg file using the steps below or use the one attached to this article.

  1. Open a text editor.
  2. Copy the contents of the code block below, and paste it into the text editor.
    Windows Registry Editor Version 5.00        
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
  3. Save this file as you wish, ensuring the extension is .reg.
  4. Execute the registry file.
  5. Click Yes when prompted to continue with the installation.
  6. Once complete, you will see a success message to confirm the changes.
  7. Reboot the machine.

Verifying the Remediation Solution

  1. Open Wireshark or any other network/packet capture tool.
  2. Select “Adapter for loopback traffic capture”.
  3. The capture will begin.
  4. Use the “tls” filter to look at TLS traces.
  5. If only TLSv1.2 traces are visible, this indicates success.