Solution
Disable the CBC mode ciphers so that only RC4 ciphers remain enabled, and set the appliance to use only TLS v1 (or, on AsyncOS 9.6, TLS v1/TLS v1.2). The same cipher string is applied to all three SSL contexts (GUI, inbound SMTP, outbound SMTP):
- Log in to the CLI.
- Enter the command sslconfig.
- Enter GUI (the HTTPS management interface).
- Choose option number 3 for "TLS v1", or as listed in AsyncOS 9.6 "TLS v1/TLS v1.2".
- Enter this cipher string:
MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
- Enter INBOUND (SMTP connections received by the ESA).
- Choose option number 3 for "TLS v1", or as listed in AsyncOS 9.6 "TLS v1/TLS v1.2".
- Enter this cipher string:
MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
- Enter OUTBOUND (SMTP connections the ESA initiates).
- Choose option number 3 for "TLS v1", or as listed in AsyncOS 9.6 "TLS v1/TLS v1.2".
- Enter this cipher string:
MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
- Press Enter until you return to the hostname prompt.
- Enter the command commit.
- Finish committing your changes (enter a comment when prompted and confirm).
The ESA is now configured to support only TLS v1, or TLS v1/TLS v1.2, and to reject the 3DES CBC ciphers. Note that the string above only subtracts the three DES-CBC3 suites from the MEDIUM:HIGH set, so AES CBC suites such as AES128-SHA still match it; an RC4-only configuration that offers no CBC suite at all is what the cipher string RC4:-SSLv2 produces, as shown next.
Here is the list of ciphers enabled when you set RC4:-SSLv2 (in the format printed by openssl ciphers -v). Note that there are no CBC mode ciphers in the list:
ECDHE-RSA-RC4-SHA     SSLv3 Kx=ECDH     Au=RSA   Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA   SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128) Mac=SHA1
ADH-RC4-MD5           SSLv3 Kx=DH       Au=None  Enc=RC4(128) Mac=MD5
RC4-SHA               SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128) Mac=SHA1
RC4-MD5               SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128) Mac=MD5
PSK-RC4-SHA           SSLv3 Kx=PSK      Au=PSK   Enc=RC4(128) Mac=SHA1
EXP-ADH-RC4-MD5       SSLv3 Kx=DH(512)  Au=None  Enc=RC4(40)  Mac=MD5  export
EXP-RC4-MD5           SSLv3 Kx=RSA(512) Au=RSA   Enc=RC4(40)  Mac=MD5  export
Note also that RC4:-SSLv2 on its own still includes two anonymous suites (Au=None) and two 40-bit export suites; if those must not be offered either, exclude them as well (for example RC4:-SSLv2:-aNULL:-EXP).
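As an added check, not part of the original page or of Cisco's procedure, the following Python script audits cipher-list output in the format shown above (what openssl ciphers -v prints). It parses the eight RC4 suites listed on this page and a constructed MEDIUM:HIGH sample, and tags each suite as CBC, export, anonymous, RC4 or MD5, so the effect of a candidate sslconfig cipher string can be evaluated offline before it is committed on the appliance. The expand_with_openssl helper assumes a local openssl binary; modern OpenSSL builds have removed RC4 and will report no match for RC4 strings, in which case it returns None.

```python
"""Audit an OpenSSL-style cipher list for CBC, export, anonymous, RC4 and MD5
suites.  Input is the text that `openssl ciphers -v '<spec>'` prints."""
import re
import shutil
import subprocess

# Sample input: the eight suites this page lists for RC4:-SSLv2, one per line.
SAMPLE_RC4_LIST = """\
ECDHE-RSA-RC4-SHA     SSLv3 Kx=ECDH     Au=RSA   Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA   SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128) Mac=SHA1
ADH-RC4-MD5           SSLv3 Kx=DH       Au=None  Enc=RC4(128) Mac=MD5
RC4-SHA               SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128) Mac=SHA1
RC4-MD5               SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128) Mac=MD5
PSK-RC4-SHA           SSLv3 Kx=PSK      Au=PSK   Enc=RC4(128) Mac=SHA1
EXP-ADH-RC4-MD5       SSLv3 Kx=DH(512)  Au=None  Enc=RC4(40)  Mac=MD5  export
EXP-RC4-MD5           SSLv3 Kx=RSA(512) Au=RSA   Enc=RC4(40)  Mac=MD5  export
"""

# Constructed sample (not from the page): a few suites that MEDIUM:HIGH also
# matches, showing that subtracting only the DES-CBC3 names leaves AES-CBC.
SAMPLE_MEDIUM_HIGH_LIST = """\
ECDHE-RSA-AES256-SHA  SSLv3 Kx=ECDH     Au=RSA   Enc=AES(256)  Mac=SHA1
AES128-SHA            SSLv3 Kx=RSA      Au=RSA   Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA          SSLv3 Kx=RSA      Au=RSA   Enc=3DES(168) Mac=SHA1
RC4-SHA               SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?"
)

# Block ciphers that OpenSSL offers for SSL/TLS only in CBC mode.  AEAD suites
# print as AESGCM, AESCCM or CHACHA20/POLY1305 and are deliberately not here.
CBC_BLOCK_CIPHERS = {"AES", "3DES", "DES", "Camellia", "SEED", "IDEA", "RC2"}


def parse_cipher_list(text):
    """One dict per `openssl ciphers -v` line; blank or unparseable lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["export"] = d["export"] is not None
            suites.append(d)
    return suites


def weaknesses(suite):
    """Sorted tags for one suite: cbc, export, anon, rc4, md5 (empty if none apply)."""
    tags = set()
    enc = suite["enc"].split("(")[0]          # "AES(128)" -> "AES", "RC4(40)" -> "RC4"
    if enc in CBC_BLOCK_CIPHERS:
        tags.add("cbc")
    if enc == "RC4":
        tags.add("rc4")
    if suite["export"]:
        tags.add("export")
    if suite["au"] == "None":                 # anonymous key exchange, no peer auth
        tags.add("anon")
    if suite["mac"] == "MD5":
        tags.add("md5")
    return sorted(tags)


def audit(text):
    """Map suite name -> sorted weakness tags for every suite in the list."""
    return {s["name"]: weaknesses(s) for s in parse_cipher_list(text)}


def expand_with_openssl(spec):
    """Expand a cipher string with the local openssl binary (assumed to exist);
    returns None if it is missing or rejects the spec, e.g. RC4 on modern builds."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", spec],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    for label, text in (("RC4:-SSLv2 (list from the page)", SAMPLE_RC4_LIST),
                        ("MEDIUM:HIGH constructed sample", SAMPLE_MEDIUM_HIGH_LIST)):
        print(label)
        for name, tags in audit(text).items():
            print(f"  {name:22} {', '.join(tags) or 'ok'}")
    live = expand_with_openssl("MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:"
                               "-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA")
    if live:
        cbc = [n for n, t in audit(live).items() if "cbc" in t]
        print(f"local openssl: {len(cbc)} CBC suites still match that string")
```

Running the audit on the page's RC4 list reports no CBC suite but flags the two ADH and two EXP entries; on the MEDIUM:HIGH sample it flags AES128-SHA and ECDHE-RSA-AES256-SHA as CBC, which is the gap between the two cipher strings discussed above.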
While this attack is of very low concern in practice because of its complexity and the preconditions needed to exploit it, performing these steps is a reasonable safeguard against possible exploitation and lets the appliance pass strict security scans. Bear in mind that RC4 itself has since been prohibited for TLS (RFC 7465), so where the release supports it, TLS v1.2 with AES-GCM suites is a better long-term target than an RC4-only cipher list.