This is a follow-up post to our previous article on the subject.
Here we offer technical assistance to those of you trying to fix the BEAST vulnerability, and offer some mitigation practices.
The problem revolves around a vulnerability identified years ago in TLSv1 and SSLv3 protocol CBC mode ciphers (the stronger ciphers). This issue was fixed in TLSv1.1 (2006) and TLSv1.2, however, adoption of these versions has been slow due to lack of any real incentive. Up until now the attack was considered unfeasible, but recent developments have made it viable and it is now a real threat. Please see the whitepaper at http://blog.tempest.com.br/static/attachments/marco-carnut/driblando-ataque-beast-com-pasme-rc4/ssl_jun21.pdf for a deatiled technical analysis of the issue.
The following articles are very useful in understanding and taming the BEAST:
The current simplest way to mitigate the risk associated with this vulnerability in a secure manner and maintain compatibility between servers and clients is to prioritise TLSv1.1/TLSv1.2 CBC mode ciphers and then TLSv1.0/SSLv3 RC4 ciphers over the deprecated TLSv1.0/SSLv3 CBC mode ciphers. This should catch the majority of sessions before the minority of clients fall back to the vulnerable ciphers, thereby decreasing the likelihood of a successful attack.
The following remediation notes and references may be of use:
(taken from https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls)
Windows (not including 2003 or XP)
Prioritising Schannel cipher suites is possible, please see:
Windows (Older Flavours)
See the following to control which ciphers are supported:
Windows (Recent Versions)
A patch is available:
However, problems have arisen from this so the prioritising method may be preferred. See:
OpenSSL has addressed the issue, however, as the feature was found to cause problems with some SSL implementations it is disabled by default. It is also known that Tomcat, Apache mod_ssl and Exim disable the feature by default. The fix is also claimed not to work by some. (https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls). Again, prioritising ciphers therefore seems to be the only workable route.
Please check for vendor specific patches. Failing that, and if the prioritisation of ciphers is not an existing function, then disabling unwanted ciphers may be the only option in the short term. For a complete list of ciphers and other details, please see: http://www.openssl.org/docs/apps/ciphers.html
For an effective way of determining supported SSL ciphers, see the following:
The online Qualys SSL test application:
sslscan, a useful tool, can be downloaded from: