SOLVED How to disable LUCKY13 (CVE-2013-0169) PureFTP

JIKOmetrix

Hello,

My Merchant provider did a PCI scan and I was asked to fix a few things.

During my testing before rescanning for PCI comp I saw mention of:

LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches

I was testing with testssl.sh

./testssl.sh --starttls ftp 144.xxx.zzz.xxx:21

How do I disable the LUCKY13 cipher in PureFTP?

Is it as simple as adding !LUCKY13 to the cipher list?

I currently have the cipher suite set as "HIGH:+TLSv1:!SSLv2:+SSLv3:!aNULL:!eNULL"

Thanks,
Mike
 
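Added example, not part of the original post: the testssl.sh line quoted above ties the LUCKY13 finding to CBC cipher suites, so this Python script expands the posted cipher string with the local OpenSSL and lists the CBC suites it enables. The `AEAD_ONLY` string and the function names are assumptions chosen for illustration, and the exact suite lists depend on the installed OpenSSL version.

```python
import ssl

# Cipher string quoted in the post above.
POSTED = "HIGH:+TLSv1:!SSLv2:+SSLv3:!aNULL:!eNULL"
# Assumed replacement (not from the post): ECDHE key exchange with AEAD
# ciphers only, which requires clients that speak TLS 1.2 or newer.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"


def expand(cipher_string):
    """Return the suites the local OpenSSL selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def suite_names(cipher_string):
    """Suite names in the order OpenSSL would prefer them."""
    return [c["name"] for c in expand(cipher_string)]


def cbc_suites(cipher_string):
    """Names of the CBC-mode suites, the ones the LUCKY13 finding is about."""
    return [c["name"] for c in expand(cipher_string)
            if "cbc" in (c.get("symmetric") or "").lower()]


if __name__ == "__main__":
    # "LUCKY13" is not an OpenSSL cipher keyword; OpenSSL skips tokens it
    # does not recognise, so the second row matches the first.
    for label, s in (("posted", POSTED),
                     ("posted + !LUCKY13", POSTED + ":!LUCKY13"),
                     ("AEAD only", AEAD_ONLY)):
        names, cbc = suite_names(s), cbc_suites(s)
        print(f"{label}: {len(names)} suites, {len(cbc)} CBC")
        for n in cbc[:5]:
            print("   CBC:", n)
```
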