Cisco ASA 5515-X Adaptive Security Appliance Troubleshooting Guide

ASA BEAST Vulnerability Solutions
Document ID: 118854
Contributed by Atri Basu, Loren Kolnes, and Narendra Meka, Cisco TAC Engineers.
Apr 01, 2015
Contents
Introduction
Problem
User Impact
Solution
Introduction
This document describes a vulnerability within the Cisco Adaptive Security Appliance (ASA) software that
allows unauthorized users to access protected content. Workarounds for this issue are also described.
Problem
The Browser Exploit Against SSL/TLS (BEAST) vulnerability is leveraged by an attacker in order to
effectively read protected content via Initialization Vector (IV) chaining in Cipher Block Chaining (CBC)
encryption mode with a known plaintext attack.
The attack uses a tool that exploits a vulnerability in the widely-used Transport Layer Security Version 1
(TLSv1) protocol. The issue is not rooted in the protocol itself, but rather in the cipher suites that it uses.
TLSv1 and Secure Sockets Layer Version 3 (SSLv3) favor CBC ciphers, which is where the Padding Oracle
attack occurs.
User Impact
As indicated by the SSL Pulse SSL implementation survey, created by the Trustworthy Internet Movement,
over 75% of SSL servers are susceptible to this vulnerability. However, the logistics involved with the
BEAST tool are fairly complicated. In order to use BEAST to eavesdrop on traffic, an attacker must have the
ability to read and inject packets very quickly. This potentially limits the effective targets for a BEAST
attack. For example, a BEAST attacker can effectively grab random traffic at a WIFI hot spot or where all
Internet traffic is bottlenecked through a limited number of network gateways.
Solution
BEAST is an exploit of the weakness in the cipher that is used by the protocol. Since it affects the CBC
cipher, the original workaround for this issue was to switch to the RC4 cipher instead. However,
the Weaknesses in the Key Scheduling Algorithm of RC4 article that was published in 2013 reveals that even
RC4 had a weakness that made it unsuitable.
In order to work around this issue, Cisco has implemented these two fixes for the ASA:
• Cisco bug ID CSCts83720: Upgrade to TLS 1.1/1.2
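The following script is an added illustration for this document and is not Cisco ASA code. It models the IV-chaining weakness described in the Problem section and shows why the first fix listed above (moving to TLS 1.1/1.2) closes it: in TLS 1.0 CBC mode the IV of each record is the last ciphertext block of the previous record, so an on-path observer who can influence one later plaintext can test whether a guessed block equals an earlier secret block; in TLS 1.1/1.2 every record carries a fresh random explicit IV, so the same check cannot be completed. The block cipher is a constructed SHA-256-based Feistel toy permutation standing in for AES (an assumption, chosen so the script needs only the standard library), and the key and messages are constructed sample values.

```python
"""Why a chained CBC IV (TLS 1.0) leaks plaintext equality and why a fresh
explicit IV per record (TLS 1.1/1.2) does not.

Added illustration; not Cisco ASA code.  The block cipher is a constructed
SHA-256 Feistel toy permutation standing in for AES (an assumption, so the
script runs with the standard library only); key and messages are constructed.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional

BLOCK = 16  # bytes per cipher block, as for AES-CBC


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """8-round Feistel network keyed by SHA-256: a bijection on 16-byte blocks.
    Toy stand-in for AES; only the permutation property matters here."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> List[bytes]:
    """Textbook CBC over whole blocks; returns ciphertext blocks without the IV."""
    assert len(plaintext) % BLOCK == 0
    blocks, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


@dataclass
class Record:
    """What an on-path observer sees for one TLS record."""
    iv_on_wire: Optional[bytes]   # None when the IV is implicit (TLS 1.0)
    blocks: List[bytes]


class Tls10Session:
    """TLS 1.0 CBC: each record's IV is the last ciphertext block of the previous one."""
    def __init__(self, key: bytes):
        self.key = key
        self.chain = os.urandom(BLOCK)   # first IV comes from the handshake key block

    def send(self, plaintext: bytes) -> Record:
        blocks = cbc_encrypt(self.key, self.chain, plaintext)
        self.chain = blocks[-1]          # the weakness: the next IV is already public
        return Record(None, blocks)


class Tls11Session:
    """TLS 1.1/1.2 CBC: every record carries its own fresh random explicit IV."""
    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes) -> Record:
        iv = os.urandom(BLOCK)
        return Record(iv, cbc_encrypt(self.key, iv, plaintext))


def observer_confirms_guess(session, secret_block: bytes, guess: bytes) -> bool:
    """Model of the BEAST equality check from the observer's side.

    Three records go out: a warm-up record, one record holding the secret
    block, and one record whose plaintext the observer can influence.  The
    observer predicts the IV of that third record as the last block it has
    seen; the check is sound only when that prediction is right.
    """
    warmup = session.send(b"A" * BLOCK)
    secret_rec = session.send(secret_block)
    secret_ct = secret_rec.blocks[-1]
    # IV that went into the secret block: explicit on the wire (TLS 1.1+) or
    # the previous record's last block (TLS 1.0).
    iv_secret = secret_rec.iv_on_wire if secret_rec.iv_on_wire is not None else warmup.blocks[-1]
    predicted_next_iv = secret_ct     # true for chained IVs, wrong for fresh IVs
    probe = _xor(_xor(guess, iv_secret), predicted_next_iv)
    probe_ct = session.send(probe).blocks[-1]
    # With a chained IV: E(probe XOR secret_ct) == E(guess XOR iv_secret),
    # which equals secret_ct exactly when guess == secret_block.
    return probe_ct == secret_ct


if __name__ == "__main__":
    key = b"constructed-key!"        # constructed 16-byte sample key
    secret = b"password=hunter2"     # constructed 16-byte sample secret block
    print("TLS 1.0, right guess:", observer_confirms_guess(Tls10Session(key), secret, secret))
    print("TLS 1.0, wrong guess:", observer_confirms_guess(Tls10Session(key), secret, b"password=letmein"))
    print("TLS 1.1, right guess:", observer_confirms_guess(Tls11Session(key), secret, secret))
```

The check succeeds against the chained-IV session only for the correct guess, and fails against the random-IV session even for the correct guess, because the observer can no longer predict the IV that will be applied to the record it influences. The same property is what an ASA gains once its SSL listeners negotiate TLS 1.1 or 1.2 with clients instead of TLS 1.0.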