
Are the Symantec CCS, ESM and SRAS products vulnerable to the "FREAK" vulnerability (CVE-2015-0204)?


Article ID: 161809


Updated On:


Products: Control Compliance Suite Unix, Risk Automation Suite, Control Compliance Suite Windows


FREAK (“Factoring RSA Export Keys”), disclosed as part of the “SMACK” (State Machine AttaCKs) research, is an attack against a flaw in some implementations of the TLS Internet protocol. A man-in-the-middle forces the connection down to a 512-bit “export-grade” RSA key, factors that key offline, and can then decrypt and tamper with traffic that both ends believe is protected. CVE-2015-0204 is the identifier for the OpenSSL client-side flaw; other TLS stacks had equivalent flaws under their own identifiers.


Symantec CCS itself does not use the vulnerable code for its secure connections, so no patch or configuration change to CCS is necessary.  However, customers who have enabled HTTPS on IIS for the CCS Web portals (R&A and AM) should follow the general recommendation for all Windows servers: either remove the RSA export cipher suites from the Schannel cipher suite order (the SSL Cipher Suite Order policy) or apply the Microsoft patch for the related Schannel vulnerability (CVE-2015-1637), which can likewise be exploited by the FREAK technique and would allow man-in-the-middle attacks on encrypted communications between browsers and the CCS Web portals (and anything else that IIS instance is hosting).  More information is available from Microsoft at


Web portals on internal networks that are not configured for HTTPS are not affected by this change, since their communications are not encrypted to begin with.
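The IIS recommendation above (and the same one the SRAS section below points back to) is to stop the Web server from negotiating RSA export cipher suites. The following Python script, added here as an example and not part of this article or of any Symantec product, checks that condition from the network: it hand-builds a TLS 1.0 ClientHello that offers only the RSA export suites, sends it, and reports whether the server answers with a ServerHello selecting one of them (the downgrade is still possible) or refuses with an alert (the suites are gone). The host name portal.example.com is an assumption, and the byte strings in the parsing helper's docstring and the usage note are constructed, not captured from a real server.

```python
"""Probe a TLS server for RSA export cipher suite support, the server-side
precondition for a FREAK downgrade. Added example, not Symantec/Broadcom code."""
import os
import socket
import struct
import sys

# RSA export suites from the TLS cipher suite registry (RFC 2246 plus the
# 56-bit export draft). A server that picks any of these still enables the
# downgrade that removing export suites from IIS is meant to close.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

ALERT_DESCRIPTIONS = {40: "handshake_failure", 47: "illegal_parameter",
                      70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(server_name=None, client_random=None):
    """Return one TLS 1.0 record carrying a ClientHello that offers ONLY the
    RSA export suites, so the server cannot choose anything else."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in RSA_EXPORT_SUITES)
    body = b"\x03\x01" + client_random + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites     # cipher_suites vector
    body += b"\x01\x00"                                  # compression_methods: null only
    if server_name:                                      # optional SNI extension (RFC 3546)
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first TLS record the server sent back.

    Returns (status, detail) with status one of:
      accepts_export - ServerHello selecting an RSA export suite
      refused        - Alert (typically handshake_failure): export suites are disabled
      no_response    - connection closed with nothing readable
      unexpected     - anything else (truncated data, non-export suite)
    Constructed sample: b"\\x15\\x03\\x01\\x00\\x02\\x02\\x28" is an alert record
    carrying handshake_failure (40), i.e. the "refused" outcome.
    """
    if len(data) < 5:
        return ("no_response", "server closed the connection or sent nothing")
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if rec_type == 0x15 and len(body) >= 2:                       # Alert record
        return ("refused", ALERT_DESCRIPTIONS.get(body[1], "alert %d" % body[1]))
    if rec_type == 0x16 and body and body[0] == 0x02:             # Handshake: ServerHello
        hello = body[4:]                                           # skip type + 24-bit length
        if len(hello) < 35:
            return ("unexpected", "truncated ServerHello")
        sid_len = hello[34]                                        # after version(2) + random(32)
        if len(hello) < 37 + sid_len:
            return ("unexpected", "truncated ServerHello")
        suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
        if suite in RSA_EXPORT_SUITES:
            return ("accepts_export", RSA_EXPORT_SUITES[suite])
        return ("unexpected", "ServerHello with non-export suite 0x%04x" % suite)
    return ("unexpected", "record type 0x%02x" % rec_type)


def probe(host, port=443, timeout=5.0):
    """Connect, send the export-only ClientHello, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name=host))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_server_response(data)


if __name__ == "__main__":
    # Assumed usage: python freak_probe.py portal.example.com 443
    target = sys.argv[1] if len(sys.argv) > 1 else "portal.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("%s:%d -> %s (%s)" % ((target, port) + probe(target, port)))
```

Run it against the portal's IIS host (with permission) before and after removing the suites: "accepts_export" means the server still picks an export suite for a client that offers nothing else, "refused" means the removal took effect. The script performs only the downgrade half of FREAK, offering export suites and reading the server's choice; it never factors a key or touches the session, so it is safe to run repeatedly from a monitoring job.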


Symantec ESM does not use the vulnerable code for its secure connections.  No patch or configuration change is necessary.


Symantec SRAS agents do use the vulnerable code when communicating with their Web server (IIS).  Because SRAS has reached end of life (EOL), there are no plans to release an update at this time.  The vulnerability can be mitigated with the same IIS recommendations given in the CCS section above, since successful exploitation requires both the client and the server to support the RSA export cipher suite fallback: removing the export suites on the IIS side closes the downgrade path even though the agent itself remains unpatched.