2015年9月16日 星期三

Cisco SSLv3 and TLSv1 Protocol Weak CBC Mode Vulnerability

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html


Solution

Disable CBC mode ciphers in order to leave only RC4 ciphers enabled. Set the device to only use TLS v1, or TLS v1/TLS v1.2:
  1. Log in to the CLI.
  2. Enter the command sslconfig.
  3. Enter the command GUI.
  4. Choose option number 3 for "TLS v1", or as listed in AsyncOS 9.6 "TLS v1/TLS v1.2".
  5. Enter this cipher:
    MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:
    -EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
  6. Enter the command: INBOUND.
  7. Choose option number 3 for "TLS v1", or as listed in AsyncOS 9.6 "TLS v1/TLS v1.2".
  8. Enter this cipher:
    MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:
    -EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
  9. Enter the command OUTBOUND.
  10. Choose option number 3 for "TLS v1", or as listed in AsyncOS 9.6 "TLS v1/TLS v1.2".
  11. Enter this cipher:
    MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:
    -EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
  12. Press Enter until you return to the hostname prompt.
  13. Enter the command commit.
  14. Finalize committing your changes.
The ESA is now configured to only support TLS v1, or TLSv1/TLS v1.2, with RC4 ciphers while it disallows any CBC filters.
Here is the list of ciphers used when you set RC4:-SSLv2. Note that there are no CBC mode ciphers in the list.
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5 
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
While this exploit is of very low concern due to its complexity and requirements to exploit, performance of these steps is a great safeguard for the prevention of possible exploits, as well as to pass strict security scans.

沒有留言:

張貼留言