Is Messaging Gateway vulnerable to CVE-2011-3389 / BEAST

Article ID: 221033

Products

Messaging Gateway

Issue/Introduction

A vulnerability scanner has indicated that SMG is vulnerable to the CVE-2011-3389 / BEAST attack.


CVE-2011-3389 / BEAST

The SSL protocol, as used in certain configurations of Microsoft Windows and browsers such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera (and other products negotiating SSL connections), encrypts data by using CBC mode with chained initialization vectors. This potentially allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses:

  1. The HTML5 WebSocket API
  2. The Java URLConnection API, or
  3. The Silverlight WebClient API

By supporting the affected protocols and ciphers, the server enables its clients to be exploited.

Resolution

Messaging Gateway implements SSL/TLS on three interfaces: Control Center, SMTP, and SSH. Each interface is addressed separately below.

Control Center web interface (ports 443, 8443, 41443)

CVE-2011-3389 was addressed in version 10.5 with an added option to the cc-config command line tool that restricts the SSL/TLS versions available to the web application server. Setting the minimum TLS level for the Control Center web application server to TLSv1.2 will remove all BEAST-vulnerable ciphers:

  1. Log into the SMG admin CLI
  2. Run `cc-config set-min-tls-level --tls12`

This will restart the Control Center web application server after it is reconfigured.

```
smg [10.7.4-13]> cc-config set-min-tls-level --tls12
Stopping controlcenter (via systemctl):                    [  OK  ]
Starting controlcenter (via systemctl):                [  OK  ]
```
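One way to confirm the change from an admin workstation, shown here as an added example that is not part of the original article or the product's tooling: the script offers one protocol version at a time to each Control Center port and flags any accepted handshake below TLSv1.2, and separately any TLS 1.0 handshake that negotiated a CBC suite. The function names are hypothetical, and it assumes the local Python/OpenSSL build can still offer TLS 1.0 and 1.1.

```python
import socket
import ssl
import sys

CC_PORTS = (443, 8443, 41443)  # Control Center ports named in the article
# SSL 3.0 / TLS 1.0 chain CBC IVs across records; TLS 1.1+ uses explicit per-record IVs.
CHAINED_IV = {"SSLv3", "TLSv1"}
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}


def beast_relevant(version, cipher):
    """True if a negotiated (version, OpenSSL cipher name) pair uses chained-IV CBC."""
    # Below TLS 1.2 every suite is a stream cipher (RC4), NULL, or a CBC block cipher.
    return version in CHAINED_IV and not any(t in cipher for t in ("RC4", "NULL"))


def probe(host, port, name, timeout=5.0):
    """Offer exactly one protocol version; return the negotiated cipher, or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # appliance certificates are often self-signed;
    ctx.verify_mode = ssl.CERT_NONE     # only the negotiated parameters are inspected
    ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the local OpenSSL offer legacy suites
    ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def audit(results):
    """results: {(port, version): cipher or None} -> (beast_pairs, accepted_below_tls12)."""
    beast = sorted(k for k, c in results.items() if c and beast_relevant(k[1], c))
    legacy = sorted(k for k, c in results.items() if c and k[1] != "TLSv1.2")
    return beast, legacy


if __name__ == "__main__":
    host = sys.argv[1]  # hostname or IP of the appliance, supplied by the operator
    found = {(p, v): probe(host, p, v) for p in CC_PORTS for v in VERSIONS}
    for (p, v), c in sorted(found.items()):
        print(f"{p:>5} {v:<8} {c or 'refused'}")
    sys.exit(1 if audit(found)[1] else 0)
```

A `refused` result only counts if the local OpenSSL build can still offer TLS 1.0 and 1.1; many current builds disable them, which makes every legacy probe look refused.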

SMTP/TLS

This CVE is not relevant to TLS-secured SMTP. The vulnerability specifically targets HTTPS session headers, which are not part of the SMTP protocol. Additionally, the amount of data required to execute the BEAST attack exceeds SMG SMTP session limits.

SSH

This CVE is not relevant to the SSH protocol. The SSH port may be further secured, however, by disabling CBC-based ciphers.

  1. Log into the SMG admin CLI
  2. Run `sshd-config --cbc off`