A vulnerability scanner has indicated that SMG is vulnerable to the CVE-2011-3389 / BEAST attack.

CVE-2011-3389 / Beast

The SSL protocol, as used in certain configurations of Microsoft Windows and browsers such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera (and other products negotiating SSL connections) encrypts data by using CBC mode with chained initialization vectors. This potentially allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosenboundary
attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses

1. The HTML5 WebSocket API
2. The Java URLConnection API, or
3. The Silverlight WebClient API

By supporting the affected protocols and ciphers, the server is enabling the clients in to being exploited.

Messaging Gateway implements SSL/TLS on three interfaces: Control Center, SMTP, and SSH. Each interface is addressed separately below.

Control Center web interface (ports 443, 8443, 41443)

The cc-config command line tool can restrict the SSL / TLS versions available to the web application server. Setting the minimum TLS level for the Control Center web application server to TLSv1.2 will remove all BEAST vulnerable ciphers:

1. Log into the SMG admin CLI
2. Run `cc-config set-min-tls-level --tls12`

This will restart the Control Center web application server after it is reconfigured.

smg [10.7.4-13]> cc-config set-min-tls-level --tls12
Stopping controlcenter (via systemctl):                    [  OK  ]
Starting controlcenter (via systemctl):                    [  OK  ]

SMTP/TLS

This CVE is not relevant to TLS secured SMTP.  The vulnerability specifically targets HTTPS session headers which are not part of the SMTP protocol. Additionally, the amount of data required to execute the BEAST attack exceeds SMG SMTP session limits.

SSH

This CVE is not relevant to the SSH protocol. To further secure the SSH port, please see Securing Messaging Gateway Best Practices