
Bastion Host TLS Vulnerabilities in Qualys Scans

Cusimano, Joey 125 Reputation points
2026-02-24T19:57:47.01+00:00

We have two Bastion hosts that are scanned by Qualys's Vulnerability Management solution biweekly, and we have seen a few TLS vulnerabilities reported that we hadn't seen before in the year-plus we have had them. I was wondering if anyone had seen the same and if I could get some input.

The first is ROBOT (https://robotattack.org/). This showed up on host A only last week, and this week on host B but not host A. I did a test with Qualys SSL Labs and see that the ROBOT lines say "no", indicating the hosts are not vulnerable. They are also not using any ciphers that start with "TLS_RSA", which is what the website says are vulnerable, and "not... ciphers that use RSA signatures and include DHE or ECDHE in their name". This seems like a false positive to me.

The second is CVE-2014-8730, which is likely being flagged due to the presence of CBC ciphers. I'm reading that this vulnerability only affected certain technology stacks, and I can't find anything indicating Microsoft cloud TLS stacks are part of that group. I don't think the scanner is discriminating between affected and non-affected stacks; it is simply flagging the CBC ciphers (consistent with SSL Labs calling them "weak").

I am thinking of ignoring both of these findings for both of our Bastion hosts. As a tenant, we are unable to make changes to SSL settings on the Bastions anyway, so we couldn't do anything but escalate the issue to Microsoft, who may come to the same conclusion I did: that these findings are false positives.

Is anyone in a similar situation? Anyone have thoughts to share? Below are the SSL Labs cipher suite results referenced above. This is consistent across both Bastion hosts.

[Image: SSL Labs cipher suite results (screenshot not reproduced)]

Azure Bastion

An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.

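The reasoning in the question (ROBOT applies only to suites whose key exchange is static RSA, i.e. IANA names beginning TLS_RSA_, while the CVE-2014-8730 finding keys off the presence of CBC suites) can be made checkable. The following is an added example, not code from the question, the answer, Qualys or Microsoft. It classifies a list of IANA cipher-suite names (the form SSL Labs prints) by key exchange and record mode, and includes a single-handshake live probe that offers a server only static-RSA suites. The sample suite list is constructed for illustration and is not the author's scan output; the host name in the commented-out probe call is a placeholder.

```python
"""Classify TLS cipher suites against the two scanner findings discussed above.

Added example; not code from the question, the answer, Qualys or Microsoft.
Input is IANA cipher-suite names, the form SSL Labs prints. For each suite it
records whether the key exchange is static RSA (the only class ROBOT applies
to), whether it provides forward secrecy, and whether it uses CBC mode (what
scanners match when they raise CVE-2014-8730-style padding findings). The
sample list below is constructed for illustration, not the author's output.
"""
import re
import socket
import ssl
from dataclasses import dataclass

# TLS 1.3 suites name only the AEAD and hash; key exchange is always ephemeral.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


@dataclass(frozen=True)
class SuiteAssessment:
    name: str
    static_rsa_kx: bool   # RSA encrypts the premaster secret: ROBOT-relevant
    forward_secret: bool  # (EC)DHE key exchange or TLS 1.3
    cbc_mode: bool        # CBC record protection: padding-oracle class findings


def assess_suite(name: str) -> SuiteAssessment:
    n = name.strip().upper()
    tls13 = n in TLS13_SUITES
    # IANA names for static RSA key exchange start with TLS_RSA_ (TLS_RSA_WITH_,
    # TLS_RSA_PSK_WITH_, TLS_RSA_EXPORT_). Suites that merely *sign* with RSA
    # start with TLS_DHE_RSA_ / TLS_ECDHE_RSA_ and are out of scope for ROBOT.
    static_rsa = n.startswith("TLS_RSA_")
    forward_secret = tls13 or re.match(r"^TLS_(EC)?DHE_", n) is not None
    return SuiteAssessment(n, static_rsa, forward_secret, "_CBC_" in n)


def summarize(suites):
    """Group an offered-suite list the way a triage note would present it."""
    assessed = [assess_suite(s) for s in suites]
    return {
        "robot_relevant": [a.name for a in assessed if a.static_rsa_kx],
        "cbc": [a.name for a in assessed if a.cbc_mode],
        "all_forward_secret": all(a.forward_secret for a in assessed),
    }


def server_accepts_static_rsa_kx(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check: offer only RSA-key-exchange suites (OpenSSL cipher group
    'kRSA') on TLS 1.2 and see whether the server completes the handshake.
    True means the ROBOT precondition exists; False means this offer was
    refused. It tests one capability, not the full suite list, and is not run
    by the offline tests. Certificate errors propagate instead of reading as
    'refused', since they would otherwise mask the result."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no static RSA kx
    ctx.set_ciphers("kRSA")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher() is not None
    except ssl.SSLCertVerificationError:
        raise
    except ssl.SSLError:
        return False


# Constructed sample, modelled on the shape of an SSL Labs suite list.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SUITES).items():
        print(f"{key}: {value}")
    # Live probe against a placeholder host name (assumption, not a real endpoint):
    # print(server_accepts_static_rsa_kx("bastion.example.com"))
```

Two caveats worth keeping in the triage note. First, classifying by suite name is exactly what the question suspects the scanner does for the CBC finding: a CBC suite is the precondition for a padding-oracle class issue, not evidence that the particular TLS stack has the CVE-2014-8730 bug, so the name check settles scope, not exploitability. Second, the live probe performs one handshake with a restricted offer, whereas SSL Labs enumerates the server's whole suite list; a False from the probe rules out static RSA for that offer only, and a server that negotiates a TLS_RSA_ suite here would warrant escalation rather than a false-positive mark.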

Answer accepted by question author
    Jerald Felix 11,130 Reputation points Volunteer Moderator
    2026-02-25T02:59:43.15+00:00

    Hello Cusimano, Joey,

    Thanks for raising this question in the Azure Q&A forum.

    Since Azure Bastion is a fully managed Platform-as-a-Service (PaaS), Microsoft completely manages its underlying infrastructure, including OS updates, security patches, and TLS cipher configurations. As a tenant, you do not have direct control to alter these SSL/TLS settings.

    Regarding your specific findings:

    ROBOT Attack: Since your own verification via Qualys SSL Labs confirms that the hosts are not vulnerable and no vulnerable TLS_RSA ciphers are active, this is undoubtedly a false positive by the scanner.

    CVE-2014-8730 (TLS padding): Vulnerability scanners frequently flag any CBC ciphers as weak or vulnerable to padding oracle attacks without context. Microsoft's cloud TLS stacks have backend mitigations in place against these specific vulnerabilities, and this CVE primarily affects specific non-Microsoft technology stacks.

    Your conclusion is absolutely correct. Scanners often lack visibility into platform-level mitigations and flag items based on raw cipher presence. You can safely mark these as false positives or accepted risks in your Qualys dashboard. If your compliance or security team requires formal documentation for auditing purposes, you can raise a standard Azure Support ticket to get an official statement from Microsoft confirming the mitigation.

    If this helps, kindly accept the answer.

    Best Regards,

    Jerald Felix.

