
False Positives and Vulnerability Scanning on Cloud.gov

Explanation: Why False Positives Occur

Automated scanners may flag findings on Cloud.gov systems that aren't exploitable in practice.
This occurs because:

  • Automated tools can't evaluate compensating controls.
  • Cipher naming differences (IANA vs OpenSSL) create mismatches in reports.
  • Older cipher modes (for example AES-CBC) may still be offered for client compatibility, with the known attacks against them mitigated by the TLS stack that terminates the connection rather than by the application.

Cloud.gov provides this page to support system owners, ISSOs, and compliance teams when interpreting findings and documenting them in System Security Plans (SSPs).

Reference: Common False Positives

TLS Cipher Suites

Scanners may flag the following as “weak”:

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)

Disposition: False Positive.

  • Cloud.gov relies on AWS s2n-tls, which includes mitigations for CBC padding-oracle timing attacks such as Lucky13, the attack that scanners cite when they call CBC suites "weak".
  • These cipher suites remain allowed by NIST SP 800-52r2 Appendix D.
  • TLS 1.3 is also supported via the AWS security policy applied to the endpoint.
  • Caveat: the TLS_RSA_* suites use static RSA key exchange and provide no forward secrecy. That is a separate property from the padding-oracle claim the finding is based on; the disposition above answers the "weak cipher" finding, and the SSP narrative should note that ECDHE suites and TLS 1.3 are preferred in negotiation order.
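Scanner reports give suites in IANA form and hex ID, while openssl s_client and load-balancer policy documents use the OpenSSL spelling, which is where the naming mismatches mentioned above come from. The following is an added example (not Cloud.gov or AWS code) that converts between the two, checks a report's hex ID against its name, and records the two properties an ISSO needs for the disposition: whether the key exchange gives forward secrecy and whether the mode is AEAD or CBC. The conversion rules cover the common AES and ChaCha20 TLS 1.2 suites; treating other suites (3DES, PSK, CCM, export) as unsupported is an assumption of this example, and the sample findings at the bottom are constructed.

```python
"""Normalize and classify cipher-suite findings from a scanner report.

Added example for this page; it is not Cloud.gov or AWS code. Scanners name
suites in IANA form (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) while openssl
s_client and many load-balancer policies use the OpenSSL spelling
(ECDHE-RSA-AES128-SHA256). The rules below cover the common AES and ChaCha20
TLS 1.2 suites (an assumption: PSK, 3DES, export and CCM suites are rejected).
"""
import re

# IANA key-exchange token -> OpenSSL prefix (static RSA has no prefix).
KEX_PREFIX = {
    "RSA": "",
    "ECDHE_RSA": "ECDHE-RSA",
    "ECDHE_ECDSA": "ECDHE-ECDSA",
    "DHE_RSA": "DHE-RSA",
}

# Suite IDs from IANA's TLS Cipher Suite registry (the six on this page plus
# the ECDHE GCM/ChaCha20 suites a TLS 1.2 endpoint normally prefers).
IANA_IDS = {
    "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003C,
    "TLS_RSA_WITH_AES_256_CBC_SHA256": 0x003D,
    "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009C,
    "TLS_RSA_WITH_AES_256_GCM_SHA384": 0x009D,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": 0xC027,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 0xC028,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,
}

CIPHER_RE = re.compile(r"AES_(128|256)_(CBC|GCM)_(SHA|SHA256|SHA384)")


def split_iana(name):
    """Return (key_exchange, cipher_and_mac) for an IANA TLS 1.2 suite name."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {name}")
    return name[4:].split("_WITH_", 1)


def iana_to_openssl(name):
    """TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -> ECDHE-RSA-AES128-SHA256."""
    kex, cipher = split_iana(name)
    if kex not in KEX_PREFIX:
        raise ValueError(f"unsupported key exchange: {kex}")
    m = CIPHER_RE.fullmatch(cipher)
    if m:
        bits, mode, mac = m.groups()
        # OpenSSL drops the CBC token but keeps GCM: AES128-SHA256 vs AES128-GCM-SHA256.
        body = f"AES{bits}-{mac}" if mode == "CBC" else f"AES{bits}-{mode}-{mac}"
    elif cipher == "CHACHA20_POLY1305_SHA256":
        body = "CHACHA20-POLY1305"  # OpenSSL omits the PRF hash for this suite
    else:
        raise ValueError(f"unsupported cipher: {cipher}")
    prefix = KEX_PREFIX[kex]
    return f"{prefix}-{body}" if prefix else body


def classify_finding(name, reported_id=None):
    """Properties an ISSO needs to dispose of a 'weak cipher' finding."""
    kex, cipher = split_iana(name)
    forward_secrecy = kex.startswith(("ECDHE_", "DHE_"))
    aead = "_GCM_" in cipher or cipher.startswith("CHACHA20")
    notes = []
    if not forward_secrecy:
        notes.append("static RSA key exchange: no forward secrecy; "
                     "prefer ECDHE suites or TLS 1.3 in negotiation order")
    if aead:
        notes.append("AEAD mode: CBC padding-oracle attacks (Lucky13) do not apply")
    else:
        notes.append("CBC mode: Lucky13 resistance depends on the terminating TLS "
                     "stack; document that stack (s2n-tls on AWS load balancers)")
    known_id = IANA_IDS.get(name)
    # None when the table or the report lacks an ID; False when the two disagree.
    id_consistent = None if known_id is None or reported_id is None else known_id == reported_id
    return {
        "iana": name,
        "openssl": iana_to_openssl(name),
        "id": known_id,
        "id_consistent": id_consistent,
        "forward_secrecy": forward_secrecy,
        "aead": aead,
        "notes": notes,
    }


if __name__ == "__main__":
    # Constructed findings in the shape a scanner exports: (IANA name, hex ID).
    findings = [("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x003C),
                ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0xC028),
                ("TLS_RSA_WITH_AES_256_GCM_SHA384", 0x009D)]
    for iana, hex_id in findings:
        r = classify_finding(iana, hex_id)
        print(f"{r['iana']} ({hex_id:#06x}) = {r['openssl']}; FS={r['forward_secrecy']} "
              f"AEAD={r['aead']} id_ok={r['id_consistent']}")
        for n in r["notes"]:
            print("   -", n)
```

A report whose hex ID and name disagree (id_consistent False) is worth raising with the scanner vendor before writing the SSP narrative, since the disposition depends on which suite was actually observed.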

NIST 800-53 Control Mappings

  • SC-8 - Transmission Confidentiality and Integrity
  • SC-12 - Cryptographic Key Establishment and Management
  • SC-13 - Cryptographic Protection
  • SC-20 - Secure Name / Address Resolution

SSP Example Language

Finding: Scanner flagged TLS_RSA_WITH_AES_128_CBC_SHA256 as weak. Assessment: Cloud.gov terminates TLS using AWS-managed, FIPS-validated TLS stacks that mitigate CBC-mode attacks. Cipher remains compliant with NIST SP 800-52r2. Disposition: False Positive. Controls: SC-8, SC-12, SC-13, SC-20.


OpenSSL CCS Injection (CVE-2014-0224)

Some vulnerability scanners report:

“Insecure Deployment: OpenSSL – CCS Injection Vulnerability”

Disposition: False Positive.

CVE-2014-0224 is exploitable only when both ends of the TLS connection run vulnerable OpenSSL and an attacker holds a man-in-the-middle position: the server side must be OpenSSL 1.0.1 before 1.0.1h (or 1.0.2-beta1), and the client side any unpatched OpenSSL. The attacker injects a ChangeCipherSpec message before the key exchange so that both sides derive their session keys from a zero-length master secret the attacker can reproduce.

On Cloud.gov:

  • TLS is terminated at AWS-managed, FIPS-validated load balancers
  • Application containers do not participate in the inbound TLS handshake
  • AWS does not use vulnerable OpenSSL versions and does not expose OpenSSL version banners

Scanners raise this finding either from a version string they infer or from a handshake probe that sends an early ChangeCipherSpec; in both cases the endpoint under test is the AWS load balancer, not the application. Running openssl version inside a container is therefore irrelevant to the finding, because no external TLS reaches the container. The container's OpenSSL still matters for connections the application itself initiates as a TLS client, so keep application base images and buildpacks current.
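To confirm the disposition against the same endpoint the scanner tested, the check that matters is the handshake-level one, not a version banner. The following is an added example (not Cloud.gov, AWS or any scanner's code) that reproduces that probe: it sends a minimal TLS 1.2 ClientHello, waits for ServerHelloDone, sends a ChangeCipherSpec before any key exchange, and classifies the reply. A patched stack answers with a fatal unexpected_message alert or closes the connection; accepting the early CCS is the condition the CVE describes. The hostname app.example.gov is a placeholder, the live probe runs only from the main block, and the byte strings used in the tests are constructed. Run it only against systems you are authorized to test.

```python
"""Handshake-level check for the CVE-2014-0224 (early ChangeCipherSpec) condition.

Added example for this page, not Cloud.gov or AWS code. It reproduces what a
scanner does instead of reading version banners: send a TLS 1.2 ClientHello,
wait for ServerHelloDone, then send a ChangeCipherSpec before any key exchange.
A patched stack answers with a fatal unexpected_message alert or closes the
connection; accepting the early CCS is the condition the CVE describes.
The hostname in __main__ is a placeholder.
"""
import os
import socket
import struct

RECORD_CCS, RECORD_ALERT, RECORD_HANDSHAKE = 0x14, 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO_DONE = 0x01, 0x0E
ALERT_UNEXPECTED_MESSAGE = 10
# Static-RSA suites need no curve or signature extensions, which keeps the hello minimal.
OFFERED_SUITES = (0x003C, 0x009C, 0x002F)  # AES128-SHA256, AES128-GCM-SHA256, AES128-SHA
EARLY_CCS = bytes([RECORD_CCS, 0x03, 0x03, 0x00, 0x01, 0x01])


def build_client_hello(hostname):
    """Minimal TLS 1.2 ClientHello with an SNI extension, wrapped in one record."""
    host = hostname.encode("idna")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
    sni = struct.pack("!H", len(name_entry)) + name_entry         # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni)) + sni      # extension type server_name
    suites = b"".join(struct.pack("!H", s) for s in OFFERED_SUITES)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                         # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def iter_records(buf):
    """Yield (content_type, payload) for every complete TLS record in buf."""
    while len(buf) >= 5:
        ctype, length = buf[0], struct.unpack("!H", buf[3:5])[0]
        if len(buf) < 5 + length:
            break
        yield ctype, buf[5:5 + length]
        buf = buf[5 + length:]


def handshake_types(buf):
    """Handshake message types seen so far; reassembles messages split across records."""
    hs = b"".join(p for t, p in iter_records(buf) if t == RECORD_HANDSHAKE)
    types = []
    while len(hs) >= 4:
        mlen = int.from_bytes(hs[1:4], "big")
        if len(hs) < 4 + mlen:
            break
        types.append(hs[0])
        hs = hs[4 + mlen:]
    return types


def classify_ccs_response(resp):
    """Interpret what the server sent back after the early ChangeCipherSpec."""
    if not resp:
        return "not vulnerable: connection closed after early CCS"
    for ctype, payload in iter_records(resp):
        if ctype == RECORD_ALERT and len(payload) >= 2:
            level, desc = payload[0], payload[1]
            if desc == ALERT_UNEXPECTED_MESSAGE:
                return "not vulnerable: fatal unexpected_message alert (patched behaviour)"
            return f"inconclusive: alert level={level} description={desc}"
        if ctype in (RECORD_CCS, RECORD_HANDSHAKE):
            return "early CCS accepted: matches CVE-2014-0224 behaviour; confirm with a full scanner"
    return "inconclusive: unrecognised response"


def probe(host, port=443, timeout=5.0):
    """Run the check against a live endpoint you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        buf = b""
        while HS_SERVER_HELLO_DONE not in handshake_types(buf):
            if any(t == RECORD_ALERT for t, _ in iter_records(buf)):
                return "inconclusive: server alerted on the ClientHello (no common suite?)"
            chunk = sock.recv(16384)
            if not chunk:
                return "inconclusive: connection closed before ServerHelloDone"
            buf += chunk
        sock.sendall(EARLY_CCS)
        try:
            return classify_ccs_response(sock.recv(16384))
        except socket.timeout:
            return "inconclusive: no reply within timeout (silent acceptance is also suspicious)"


if __name__ == "__main__":
    print(probe("app.example.gov"))  # placeholder: use the route the scanner tested
```

Whatever answers here is the stack that terminates TLS for the route (on Cloud.gov, the AWS load balancer), which is why the result, not the container's openssl version, is the evidence to cite in the SSP.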

NIST 800-53 Control Mappings

  • SC-8 - Transmission Confidentiality and Integrity
  • SC-12 - Cryptographic Key Establishment and Management
  • SC-13 - Cryptographic Protection
  • SC-16 - Transmission of Security and Privacy Attributes
  • SC-23 - Session Authenticity

SSP Example Language

Finding: Scanner flagged CVE-2014-0224 (OpenSSL CCS Injection). Assessment: TLS is terminated at AWS-managed FIPS-validated load balancers. Application containers do not participate in TLS and AWS does not run vulnerable OpenSSL. Disposition: False Positive. Controls: SC-8, SC-12, SC-13, SC-16, SC-23.


BREACH (CVE-2013-3587)

Scanners may flag HTTP compression as a BREACH vulnerability.

Disposition: False Positive when application mitigations are in place.

BREACH needs three conditions at once: a compressed response body, a secret that stays constant across responses (typically a CSRF token), and attacker-controlled input reflected into the same response. Removing any one of them breaks the attack.

  • BREACH is mitigated at the application layer by masking secrets with a fresh random value on every response, randomizing secrets per request, separating secrets from user input, and length hiding (random padding, which only raises the attacker's cost, since the noise averages out over repeated requests)
  • Disabling HTTP compression is not required and would harm performance
  • Many modern web frameworks mask CSRF tokens per response by default (Django and Rails do); confirm this for the framework in use, and check that no other secret (session identifiers, API keys) is reflected in compressed responses alongside user input
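The mitigation the bullets above rely on is the per-response mask. The following is an added example, not Cloud.gov code and not any framework's implementation (Django and Rails mask tokens along the same lines): it masks a token with a fresh random pad on every response, unmasks and verifies it in constant time, adds length-hiding padding, and uses zlib to show the size leak that an unmasked token creates. The session secret and page body are constructed for the demonstration.

```python
"""CSRF-token masking and length hiding against BREACH.

Added example for this page; it is not Cloud.gov code and not any framework's
implementation. BREACH recovers a secret that appears byte-for-byte identical
in every compressed response. Masking XORs the secret with a fresh random pad
per response, so the bytes on the wire differ each time while the server still
recovers the same underlying token; length hiding adds random padding so the
response size is a noisier oracle. compressed_size() shows the leak that
masking removes, using a constructed page body.
"""
import base64
import hmac
import os
import secrets
import zlib


def mask_token(secret):
    """Return base64(pad || pad XOR secret) with a fresh pad on every call."""
    pad = os.urandom(len(secret))
    masked = bytes(p ^ s for p, s in zip(pad, secret))
    return base64.urlsafe_b64encode(pad + masked).decode("ascii")


def unmask_token(masked_b64):
    """Invert mask_token; raises ValueError on malformed input."""
    raw = base64.urlsafe_b64decode(masked_b64.encode("ascii"))
    if not raw or len(raw) % 2:
        raise ValueError("masked token has the wrong length")
    half = len(raw) // 2
    return bytes(p ^ m for p, m in zip(raw[:half], raw[half:]))


def verify_token(submitted, session_secret):
    """Constant-time comparison of the unmasked token with the session's secret."""
    try:
        token = unmask_token(submitted)
    except ValueError:  # covers bad base64 (binascii.Error) and non-ASCII input
        return False
    return hmac.compare_digest(token, session_secret)


def length_hiding_padding(max_bytes=256):
    """HTML comment of random length; raises the attacker's cost but does not stop BREACH."""
    return "<!-- " + secrets.token_hex(secrets.randbelow(max_bytes + 1)) + " -->"


def compressed_size(secret_token, reflected_input, masked):
    """Compressed size of a body that carries the token and reflects user input.

    With masked=False, a guess that matches a prefix of the token compresses
    better than a wrong guess: that size difference is the BREACH oracle.
    """
    token = mask_token(secret_token.encode()) if masked else secret_token
    body = (f'<input type="hidden" name="csrf" value="{token}">'
            f'<p>You searched for: {reflected_input}</p>')
    return len(zlib.compress(body.encode(), 6))


if __name__ == "__main__":
    SECRET = "3f9a7c21e04b8d56f7a1c9e2b0d4a6c8"  # constructed session secret
    print("unmasked, guess matches:", compressed_size(SECRET, SECRET[:12], False))
    print("unmasked, guess wrong  :", compressed_size(SECRET, "ghijklmnopqr", False))
    print("masked,   guess matches:", compressed_size(SECRET, SECRET[:12], True))
    masked = mask_token(SECRET.encode())
    print("verify:", verify_token(masked, SECRET.encode()), "padding:", length_hiding_padding(8))
```

The masked value changes on every render, so the compressed size of a response no longer depends on whether the attacker's reflected guess matches the token; the server still compares the same underlying secret on submission.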

NIST 800-53 Control Mappings

  • SC-23 - Session Authenticity
  • SC-28 - Protection of Information at Rest
  • SC-34 - Non-modifiable Executable Programs
  • SI-10 - Information Input Validation

SSP Example Language

Finding: Scanner flagged BREACH (CVE-2013-3587). Assessment: Application implements CSRF masking and secret randomization, mitigating BREACH risk. Disposition: False Positive. Controls: SC-23, SC-28, SC-34, SI-10.


How-to Guide: Documenting False Positives in Your SSP

When documenting scanner findings:

  1. Identify the finding (cipher, CVE, etc.)
  2. State where TLS is terminated (the AWS-managed load balancers in front of Cloud.gov)
  3. Reference Cloud.gov guidance (this page and the Control Implementation Summary / Customer Responsibility Matrix, CIS/CRM)
  4. Explain why the issue is not exploitable
  5. Mark the finding as a False Positive

Customer Responsibility

  • Ensure CSRF and session protections are implemented in applications
  • Reference this page in SSP and POA&M narratives

An official website of the U.S. General Services Administration