Vulnerability reports against the Layer 7 Gateway for the BEAST security exploit

Article ID: 42926


Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Solution

Background

The BEAST security exploit is a browser-based attack against SSL/TLS-encrypted communications within a web browser. It requires a specific combination: TLS version 1.0 together with a cipher suite that uses cipher block chaining (CBC) during the SSL/TLS-encrypted transaction. If a Layer 7 Gateway appliance is using TLS version 1.0 and allows CBC suites in the cipher suite list of an inbound listener or an outbound routing attempt, the Gateway may need to be reconfigured to avoid this behavior.

Presentation

The use of this exploit requires that a system is negotiating TLSv1.0 while using CBC algorithms in the cipher suite. Version 8.1 of the Gateway still allows TLS version 1.0 and CBC algorithms to be used for inbound and outbound connections for legacy purposes. Some systems may not be capable of using more contemporary SSL/TLS versions or more secure cipher suites, and as such we continue to maintain them as supported for communications.

Resolution

In order to ensure your Gateways are completely secure against BEAST security exploits or similarly structured attacks, an administrator will need to verify that TLS version 1.0 is disabled on all inbound listen ports. Additionally, cipher suites using the CBC algorithm will need to be disabled.
  1. Log into the Policy Manager as an administrative user.
  2. Select the "Manage Listen Ports" task.
  3. Open the "Properties" dialog for any SSL/TLS-enabled listen port.
  4. Select the "SSL/TLS Settings" tab.
  5. Ensure "TLS 1.0" is unchecked and that any cipher suites with "CBC" in the name are disabled.

[Image (see attached file): the "SSL/TLS Settings" tab of the Properties dialog for a particular SSL-enabled Listen Port]

The example settings above show a potentially vulnerable deployment of the Layer 7 Gateway. TLS version 1.0 is the only allowed version and there are several ciphers that utilize CBC algorithms. Ensure that an alternative "Enabled TLS Versions" option is checked while "TLS 1.0" is unchecked. Additionally, view the list of "Enabled Cipher Suites" and verify that no suites remain checked with "CBC" in the title.
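The checks above are performed by hand in the Policy Manager. As an added example (not part of the original article or the Gateway product), the following Python script applies the same two rules to a listener configuration exported as a dictionary: a listener is BEAST-exposed only when "TLS 1.0" is enabled and at least one suite with "CBC" in its name is enabled, and hardening refuses to leave the listener with no TLS version or no cipher suite, which is the trap the paragraph above warns about. The listener name, the dictionary layout and the "TLS 1.2" label are assumptions for the example.

```python
import re
from copy import deepcopy

# Constructed sample mirroring the "potentially vulnerable" listener described
# in the article: TLS 1.0 is the only enabled version and CBC suites are enabled.
# The listener name and the dictionary layout are assumptions for this example.
VULNERABLE_LISTENER = {
    "name": "Default HTTPS listener",
    "enabled_tls_versions": ["TLS 1.0"],
    "enabled_cipher_suites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}

# The article's rule is name based: a suite is a CBC suite when "CBC" appears in
# its title. Naming schemes that omit the token (e.g. OpenSSL short names such
# as AES128-SHA) would not be recognised by this check.
CBC_TOKEN = re.compile(r"(?<![A-Z0-9])CBC(?![A-Z0-9])", re.IGNORECASE)


def is_cbc_suite(suite):
    """True if the suite name carries a CBC token, e.g. TLS_RSA_WITH_AES_128_CBC_SHA."""
    return CBC_TOKEN.search(suite) is not None


def beast_exposed(listener):
    """BEAST needs both conditions at once: TLS 1.0 negotiable and a CBC suite negotiable."""
    tls10 = "TLS 1.0" in listener["enabled_tls_versions"]
    cbc = any(is_cbc_suite(s) for s in listener["enabled_cipher_suites"])
    return tls10 and cbc


def harden_listener(listener, add_versions=()):
    """Return a copy with TLS 1.0 and every CBC suite disabled.

    add_versions lists the alternative "Enabled TLS Versions" to check (e.g. "TLS 1.2").
    Raises ValueError rather than produce a listener that has no TLS version or no
    cipher suite left, since that would break the port instead of hardening it.
    """
    hardened = deepcopy(listener)
    versions = [v for v in listener["enabled_tls_versions"] if v != "TLS 1.0"]
    versions += [v for v in add_versions if v not in versions]
    suites = [s for s in listener["enabled_cipher_suites"] if not is_cbc_suite(s)]
    if not versions:
        raise ValueError(f"{listener['name']}: enable an alternative TLS version before disabling TLS 1.0")
    if not suites:
        raise ValueError(f"{listener['name']}: enable a non-CBC suite before disabling CBC suites")
    hardened["enabled_tls_versions"], hardened["enabled_cipher_suites"] = versions, suites
    return hardened
```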

Environment

Component: APIGTW

Attachments

[JPEG screenshot attachments; download links are in the original article]