The BEAST security exploit
BEAST is a browser-based exploit of SSL/TLS-encrypted communications within a web browser. It requires a specific implementation of TLS version 1.0 that uses cipher block chaining (CBC) during an SSL/TLS-encrypted transaction. If a Layer 7 Gateway appliance is using TLS version 1.0 and allowing the use of CBC in the available cipher suite list of an inbound listener or outbound routing attempt, then the Gateway may need to be reconfigured to avoid this behavior.
The use of this exploit requires that a system is leveraging TLSv1.0 while using CBC algorithms in the cipher suite. Version 8.1 of the Gateway still allows TLS version 1.0 and CBC algorithms to be used for inbound and outbound connections for legacy purposes. Some systems may not be capable of utilizing more contemporary SSL/TLS versions or more secure cipher suites, and as such we continue to maintain them as supported for communications.
In order to ensure your Gateways are completely secure against BEAST security exploits or similarly structured attacks, an administrator will need to verify that TLS version 1.0 is disabled on all inbound listen ports. Additionally, cipher suites using the CBC algorithm will need to be disabled.
- Log into the Policy Manager as an administrative user.
- Select the "Manage Listen Ports" task.
- Open the "Properties" dialog for any SSL/TLS-enabled listen port.
- Select the "SSL/TLS Settings" tab.
- Ensure "TLS 1.0" is unchecked and that any cipher suites with "CBC" in the name are disabled.
[Screenshot of the "SSL/TLS Settings" tab: image not included in this text]
The example settings above show a potentially vulnerable deployment of the Layer 7 Gateway. TLS version 1.0 is the only allowed version and there are several ciphers that utilize CBC algorithms. Ensure that an alternative "Enabled TLS Versions" option is checked while "TLS 1.0" is unchecked. Additionally, view the list of "Enabled Cipher Suites" and verify that no suites remain checked with "CBC" in the title.
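The check above is described as a manual walk through the Policy Manager dialog. As an added example (not code from the article or from the Layer 7 Gateway product), the following Python script applies the same two rules to a list of listen-port settings: flag TLS 1.0 in "Enabled TLS Versions", flag any suite with "CBC" in its name in "Enabled Cipher Suites", and produce the corrected settings. The `ListenPortTls` structure and the sample ports are constructed to mirror the two fields named in the article; they are assumptions, not the product's own configuration format. The hardening step also enforces the caveat from the last paragraph: it refuses to produce a configuration with no TLS version or no cipher suite left enabled.

```python
"""Audit listen-port SSL/TLS settings for the BEAST-relevant combination
(TLS 1.0 enabled together with CBC cipher suites) and produce hardened
settings. Added example; the data model is an assumption that mirrors the
"Enabled TLS Versions" and "Enabled Cipher Suites" fields, not the
Gateway's real configuration format."""

from dataclasses import dataclass, replace

LEGACY_VERSION = "TLS 1.0"   # the version the article says must be unchecked
CBC_MARKER = "CBC"           # the article's rule: "CBC" in the suite name


@dataclass(frozen=True)
class ListenPortTls:
    """Constructed model of one listen port's SSL/TLS Settings tab."""
    name: str
    enabled_versions: tuple
    enabled_cipher_suites: tuple


def is_cbc_suite(suite: str) -> bool:
    """A suite counts as CBC when 'CBC' appears in its name (case-insensitive)."""
    return CBC_MARKER in suite.upper()


def audit(port: ListenPortTls) -> dict:
    """Report TLS 1.0 use, CBC suites, and whether both are present at once.

    BEAST needs both conditions; each one alone is still listed because the
    article asks for both to be removed."""
    cbc = [s for s in port.enabled_cipher_suites if is_cbc_suite(s)]
    tls10 = LEGACY_VERSION in port.enabled_versions
    return {
        "port": port.name,
        "tls10_enabled": tls10,
        "cbc_suites": cbc,
        "beast_exposed": tls10 and bool(cbc),
        "compliant": not tls10 and not cbc,
    }


def harden(port: ListenPortTls) -> ListenPortTls:
    """Return a copy with TLS 1.0 and every CBC suite removed.

    Raises ValueError instead of producing an unusable port, which is the
    situation the article warns about when TLS 1.0 is the only version."""
    versions = tuple(v for v in port.enabled_versions if v != LEGACY_VERSION)
    suites = tuple(s for s in port.enabled_cipher_suites if not is_cbc_suite(s))
    if not versions:
        raise ValueError(f"{port.name}: no TLS version would remain enabled; "
                         "enable an alternative version before unchecking TLS 1.0")
    if not suites:
        raise ValueError(f"{port.name}: no cipher suite would remain enabled; "
                         "enable a non-CBC suite before disabling the CBC ones")
    return replace(port, enabled_versions=versions, enabled_cipher_suites=suites)


def try_harden(port: ListenPortTls):
    """Non-raising wrapper: (hardened_port, None) or (None, reason)."""
    try:
        return harden(port), None
    except ValueError as exc:
        return None, str(exc)


# Constructed sample 1: the vulnerable deployment the article describes
# (TLS 1.0 is the only version and every enabled suite is CBC).
VULNERABLE_PORT = ListenPortTls(
    name="HTTPS listener (constructed sample)",
    enabled_versions=(LEGACY_VERSION,),
    enabled_cipher_suites=(
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    ),
)

# Constructed sample 2: same exposure, but with alternatives already checked,
# so it can be hardened in place.
MIXED_PORT = ListenPortTls(
    name="HTTPS listener with alternatives (constructed sample)",
    enabled_versions=(LEGACY_VERSION, "TLS 1.1", "TLS 1.2"),
    enabled_cipher_suites=(
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ),
)


def audit_all(ports):
    """Audit every listen port and return the findings in order."""
    return [audit(p) for p in ports]


if __name__ == "__main__":
    for finding in audit_all([VULNERABLE_PORT, MIXED_PORT]):
        print(finding)
    for p in (VULNERABLE_PORT, MIXED_PORT):
        hardened, reason = try_harden(p)
        print(hardened if hardened else f"cannot harden: {reason}")
```

Running the script prints one finding per port; the first sample is reported as exposed and cannot be hardened automatically because no version or suite would remain, which is exactly the case where an administrator must first check an alternative "Enabled TLS Versions" option and a non-CBC suite. The second sample hardens to TLS 1.1/1.2 with only the GCM suite.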