ClearOS Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


CVE 2013-2566

'The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.'

ClearCenter response

Short response

This attack presents little risk to ClearOS itself but rather to the client and data transmission integrity.

Long response

This attack requires a number of improbable situations that are typically only available as a combination of old consumer browsers, compromised ISPs, coordinated hacking and/or governments with snooping or network taps as man-in-the middle attacks.

This is only a risk to those that are using old browsers and then only presents a risk to the data used between the old web browser and the ClearOS server. As such, it does not present much risk to ClearOS itself.

Resolution

If you want to change the behavior of your web server to ONLY allow stronger encryption, perform the following steps:

First, take a look at what a weak connection looks like by running the following:

openssl s_client -connect localhost:443 -cipher LOW:EXP

This should give you a long and valid response. Second, connect to your server via command line and modify the following file using your favorite editor (i.e. nano, vi, emacs, et al). Modify the /etc/httpd/conf.d/ssl.conf file.

vi /etc/httpd/conf.d/ssl.conf

Change this line:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

to this:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Third, save the file and restart the httpd service.

service httpd restart

Fourth, connect again to the httpd service using the same command as before:

openssl s_client -connect localhost:443 -cipher LOW:EXP

You should get rejected this time. Now try with only medium to high levels of encryption:

openssl s_client -connect localhost:443 -cipher MED:HIGH

You should get a connection and a lot of output just like at the first, but this time it is more secure.

content/en_us/announcements_cve_cve-2013-2566.txt · Last modified: 2014/12/22 11:34 by dloper

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Aannouncements_cve_cve-2013-2566&1563305017