Is there any resolution for TLS/SSL RC4 vulnerability (CVE-2013-2566)?
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- JBoss Enterprise Web Server (JWS)
- Apache httpd
Issue
- Is there any errata for TLS/SSL RC4 vulnerability (CVE-2013-2566) ?
- SSL/TLS use of weak RC4 cipher - CVE-2013-2566.
- I updated pkgs but still servers are getting caught in security scan for Rc4 vulnerability.
Resolution
-
This flaw is related to the design of the RC4 protocol and not its implementation.
-
More details and a possible work around is mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=921947#c8.
-
Find the applications which has been configured to use TLS/SSL on server, make the suggested changes in application configuration file as suggested in Workaround 1 or Workaround 2.
- For example, if httpd is running with SSL, then make the suggested changes in
/etc/httpd/conf.d/ssl.conf
- For example, if httpd is running with SSL, then make the suggested changes in
Workaround 1: Use Stronger ciphers
SSLCipherSuite HIGH:!aNULL:!MD5
Workaround 2: Change the CipherOrder so that RC4 will be the least preferred
SSLHonorCipherOrder On
SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:HIGH:!MD5:!aNULL:!ADH:!LOW:RC4
Note: Only use the above order as a reference. Based on your environment and requirement, adjust the order.
- Therefore there are no plans to correct this issue in
Red Hat Enterprise Linux
5 , 6 and 7.
Root Cause
- The MITRE CVE dictionary describes this issue as: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments