Is there any resolution for TLS/SSL RC4 vulnerability (CVE-2013-2566)?


Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • JBoss Enterprise Web Server (JWS)
  • Apache httpd

Issue

  • Is there any errata for the TLS/SSL RC4 vulnerability (CVE-2013-2566)?
  • SSL/TLS use of weak RC4 cipher - CVE-2013-2566.
  • I updated the packages, but the servers are still being flagged in security scans for the RC4 vulnerability.

Resolution

  • This flaw is related to the design of the RC4 algorithm and not its implementation.

  • More details and a possible workaround are described in https://bugzilla.redhat.com/show_bug.cgi?id=921947#c8.

  • Find the applications on the server that have been configured to use TLS/SSL, and change each application's configuration file as described in Workaround 1 or Workaround 2.

    • For example, if httpd is running with SSL, then make the suggested changes in /etc/httpd/conf.d/ssl.conf

Workaround 1: Use Stronger ciphers

  SSLCipherSuite HIGH:!aNULL:!MD5

Workaround 2: Change the CipherOrder so that RC4 will be the least preferred

SSLHonorCipherOrder On
SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:HIGH:!MD5:!aNULL:!ADH:!LOW:RC4

Note: Only use the above order as a reference. Adjust the order based on your environment and requirements.
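
To confirm which workaround a configuration file actually implements, the following added example (not part of the original solution and not Red Hat code) classifies each SSLCipherSuite line using a simplified model of the OpenSSL cipher-list syntax. The names classify, audit and SAMPLE_CONF are hypothetical, the sample configuration is constructed, and `openssl ciphers -v '<string>'` run on the server remains the authoritative expansion.

```python
import re

# Selectors that never match an RC4 suite (RC4 is not in OpenSSL's HIGH class).
RC4_FREE = {"HIGH", "AES", "AES128", "AES256", "AESGCM", "CAMELLIA", "3DES"}

def classify(cipher_string, honor_order=False):
    """Return 'excluded', 'listed-last', 'listed' or 'unverified' for RC4."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string.strip("\"' ")) if t]
    if "!RC4" in tokens:          # '!' deletes permanently, wherever it appears
        return "excluded"
    state, others_first, resorted = "absent", False, False
    for tok in tokens:
        prefix = tok[0] if tok[0] in "!-+@" else ""
        body = tok[len(prefix):]
        parts = set(re.split(r"[+-]", body))
        if prefix:                # '!', '-', '+' and '@' tokens never add suites
            if prefix == "-" and body == "RC4":
                state = "absent"  # removed, but a later token may re-add it
            resorted = resorted or prefix == "@"   # e.g. @STRENGTH reorders
        elif "RC4" in parts:      # keyword RC4, RC4+RSA, or a suite like RC4-SHA
            if state != "last":
                state = "last" if state == "absent" and others_first else "first"
        else:                     # any other selector adds non-RC4 suites
            others_first = True
            if state == "last":
                state = "first"   # something may now sort after RC4
            # Assumption: a hyphenated token without RC4 is an explicit suite name.
            known_free = "-" in body or parts & RC4_FREE
            if state == "absent" and not known_free:
                state = "maybe"   # ALL, DEFAULT, MEDIUM, RSA, ... may match RC4
    if state == "last" and honor_order and not resorted:
        return "listed-last"
    return {"absent": "excluded", "maybe": "unverified"}.get(state, "listed")

def audit(conf_text):
    """Classify each SSLCipherSuite line (VirtualHost scoping is ignored)."""
    pat = r"(?im)^[ \t]*(SSLHonorCipherOrder|SSLCipherSuite)[ \t]+(.+?)[ \t]*$"
    found = [(n.lower(), v) for n, v in re.findall(pat, conf_text)]
    honor = ("sslhonorcipherorder", "on") in [(n, v.lower()) for n, v in found]
    return [(v, classify(v, honor)) for n, v in found if n == "sslciphersuite"]

# Constructed sample modelled on /etc/httpd/conf.d/ssl.conf with Workaround 2.
SAMPLE_CONF = """\
#SSLCipherSuite ALL:!ADH:RC4+RSA
SSLHonorCipherOrder On
SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:HIGH:!MD5:!aNULL:!ADH:!LOW:RC4
"""
print(audit(SAMPLE_CONF))
```

The Workaround 1 string is reported as `excluded` and the Workaround 2 string as `listed-last`: under Workaround 2, RC4 is still enabled and is only moved to the end of the server's preference order.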

  • Because the flaw lies in the design of RC4 rather than in its implementation, there are no plans to correct this issue in Red Hat Enterprise Linux 5, 6 and 7.

Root Cause

  • The MITRE CVE dictionary describes this issue as: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
