
Are the Symantec CCS, ESM and SRAS products vulnerable to the "FREAK" vulnerability (CVE-2015-0204)?


Article ID: 161809


Products

Control Compliance Suite Unix, Risk Automation Suite, Control Compliance Suite Windows

Issue/Introduction

FREAK (which stands for “Factoring RSA export keys”), also sometimes called “Smack,” is an attack against a vulnerability in some implementations of the TLS Internet protocol that can lead to “man-in-the-middle” decryption of secure transmissions into plaintext.

Resolution

CCS
Symantec CCS does not use vulnerable code for secure connections. No patch or configuration change to CCS itself is necessary. However, customers who have enabled HTTPS connections on IIS for the CCS Web portals for R&A and AM should follow the same recommendations as for all Windows servers: either disable RSA export cipher suites or apply the appropriate patch for a similar Windows Schannel vulnerability (CVE-2015-1637), which can also be exploited by the FREAK technique and would allow man-in-the-middle attacks on encrypted communications between browsers and the CCS Web portals (and whatever else the Web server is hosting). More information is available from Microsoft at https://technet.microsoft.com/library/security/MS15-031


Web portals that are on secure networks and not configured for encrypted communications don’t need to worry about changing this since their communications aren’t encrypted to begin with.


ESM
Symantec ESM does not use vulnerable code for secure connections.  No patch or configuration is necessary.


SRAS
Symantec SRAS agents do use vulnerable code when communicating with their Web server (IIS).  As SRAS has reached EOL there are no plans to release an update at this time, and the vulnerability can be mitigated by the same recommendations in the CCS section for IIS since successful exploitation of the vulnerability requires both client and server to support the RSA export cipher suite fallback.
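The mitigation referenced in both the CCS and SRAS sections is to remove the RSA export cipher suites from the IIS host's Schannel cipher suite order. The following PowerShell script is an added example and is not part of this article or of any Symantec product; it assumes an elevated session on Windows Server 2008 R2 or later, that the cipher suite order is read from the standard Schannel policy and local registry locations named below, and that a reboot follows the change.

```powershell
# Added example: remove RSA export cipher suites from the Schannel cipher suite order.
# Assumptions: run as Administrator; a reboot is needed for Schannel to reload the list.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'

function Get-SchannelCipherSuites {
    # A group-policy order (if present) takes precedence over the local default order
    foreach ($key in @($PolicyKey, $LocalKey)) {
        $v = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
        if ($null -ne $v) {
            # Policy value is a comma-separated REG_SZ; the local value is REG_MULTI_SZ
            if ($v -is [string]) { return @($v -split ',' | Where-Object { $_ }) }
            return [string[]]$v
        }
    }
    return @()
}

function Find-ExportCipherSuites {
    param([string[]]$Suites)
    # Every RSA export-grade suite name carries "EXPORT" (e.g. TLS_RSA_EXPORT1024_WITH_RC4_56_SHA)
    @($Suites | Where-Object { $_ -match 'EXPORT' })
}

function Disable-ExportCipherSuites {
    param([switch]$WhatIf)   # -WhatIf only reports what would be removed
    $current = Get-SchannelCipherSuites
    $export  = Find-ExportCipherSuites -Suites $current
    if ($export.Count -eq 0) { Write-Host 'No RSA export cipher suites are enabled.'; return }
    Write-Host "Export suites found: $($export -join ', ')"
    if ($WhatIf) { return }
    $kept = @($current | Where-Object { $_ -notmatch 'EXPORT' })
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Writing the policy value pins the cipher suite order without the export suites
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value ($kept -join ',') -Type String
    Write-Host 'Cipher suite order updated; reboot the server to apply it.'
}

# Audit first; rerun without -WhatIf to apply the change
Disable-ExportCipherSuites -WhatIf
```

On Windows 8.1 / Server 2012 R2 and later the same result can be obtained per suite with the built-in `Disable-TlsCipherSuite` cmdlet; after rebooting, confirm with `Get-TlsCipherSuite` (or the audit run above) that no suite containing "EXPORT" remains.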