Mitigating the BEAST attack in R75.40VS, R75.46 and R76
Cause

In SSLv3 and TLS 1.0, CBC ciphersuites use the last ciphertext block of the previous record as the IV of the next record, so the IV is predictable to anyone who can observe the connection. An attacker who can make the browser send specific requests over that connection (chosen plaintext) can use this to recover hidden parts of the requests, such as the session cookie, byte by byte. With the session cookie the attacker can impersonate the user and hijack the session.
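The following is an added example, not part of this Check Point article, that models the mechanism described above: a TLS 1.0 style CBC record layer whose IV is the previous record's last ciphertext block, an attacker who watches the wire and can make the victim's browser send chosen records, and the same attacker run against a TLS 1.1 style record layer with an explicit random IV per record. The block cipher is a toy keyed Feistel permutation built on SHA-256 rather than AES, the record layer omits the MAC and TLS padding, and the cookie value, the class and function names and the "A" prefix used for alignment are all constructed for the example; only the IV chaining is modelled faithfully.

```python
"""Added example (not from the Check Point article): BEAST against chained IVs.
Toy cipher, no MAC/padding, constructed cookie; only the IV handling is faithful."""
import hashlib
import os
from typing import Optional, Tuple

BLOCK = 16  # 16-byte blocks, as with AES-CBC


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy block cipher: 4-round Feistel network with SHA-256 as round function.
    BEAST does not rely on any cipher weakness; any block cipher behaves the same."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class Tls10Sender:
    """Victim's TLS 1.0 record layer: CBC whose IV for each record is the last
    ciphertext block of the previous record, i.e. a value already seen on the wire."""

    def __init__(self, key: bytes):
        self.key = key
        self.chain = os.urandom(BLOCK)  # first IV comes from the key block

    def send(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0
        out, prev = b"", self.chain
        for i in range(0, len(plaintext), BLOCK):
            prev = toy_encrypt_block(self.key, xor(prev, plaintext[i:i + BLOCK]))
            out += prev
        self.chain = prev  # the next record's IV is now predictable
        return out


class Tls11Sender(Tls10Sender):
    """TLS 1.1+ record layer: fresh random IV per record, sent in front of the
    ciphertext, so nothing seen earlier predicts the IV of the next record."""

    def send(self, plaintext: bytes) -> bytes:
        self.chain = os.urandom(BLOCK)
        return self.chain + super().send(plaintext)


class Browser:
    """Victim browser: every request carries the secret cookie. The attacker's page
    chooses the request prefix (e.g. the URL path) and can also make the browser
    send a record whose plaintext it fully controls, on the same connection."""

    def __init__(self, sender: Tls10Sender, cookie: bytes):
        self.sender, self.cookie = sender, cookie

    def request(self, prefix: bytes) -> bytes:
        pt = prefix + self.cookie
        return self.sender.send(pt + b"\x00" * (-len(pt) % BLOCK))  # zero fill, no TLS padding

    def controlled(self, plaintext: bytes) -> bytes:
        return self.sender.send(plaintext)


def beast_recover(browser: Browser, cookie_len: int) -> Optional[bytes]:
    """Attacker: aligns the cookie so one unknown byte is last in a block, then
    confirms each of the 256 candidates with a chosen record. None if a byte
    cannot be confirmed (which is what happens against TLS 1.1)."""
    last = browser.request(b"")[-BLOCK:]  # last ciphertext block seen on the wire
    known = b""
    for k in range(cookie_len):
        pad = BLOCK - 1 - (k % BLOCK)          # cookie[k] becomes last byte of a block
        wire = browser.request(b"A" * pad)
        blk = k // BLOCK                       # index of the block holding cookie[k]
        target = wire[blk * BLOCK:(blk + 1) * BLOCK]
        prev = last if blk == 0 else wire[(blk - 1) * BLOCK:blk * BLOCK]
        known15 = (b"A" * pad + known)[blk * BLOCK:blk * BLOCK + BLOCK - 1]
        last = wire[-BLOCK:]
        found = None
        for g in range(256):
            guess = known15 + bytes([g])
            # Victim computes E(iv XOR probe); with iv == last this is
            # E(prev XOR guess), which equals target exactly when guess is right.
            reply = browser.controlled(xor(xor(guess, prev), last))
            last = reply[-BLOCK:]
            if reply[:BLOCK] == target:
                found = g
                break
        if found is None:
            return None
        known += bytes([found])
    return known


def demo(cookie: bytes = b"session=7f3a9c") -> Tuple[Optional[bytes], Optional[bytes]]:
    """Same attacker against a TLS 1.0 style and a TLS 1.1 style victim."""
    key = os.urandom(32)
    tls10 = beast_recover(Browser(Tls10Sender(key), cookie), len(cookie))
    tls11 = beast_recover(Browser(Tls11Sender(key), cookie), len(cookie))
    return tls10, tls11


if __name__ == "__main__":
    r10, r11 = demo()
    print("TLS 1.0 (chained IV) recovered:", r10)
    print("TLS 1.1 (explicit IV) recovered:", r11)
```

Against the chained-IV sender the full cookie comes back after at most 256 chosen records per byte; against the explicit-IV sender the attacker's probe is encrypted under an IV it could not know in advance, so no candidate ever matches and the attack stops at the first byte. This is the reason the first recommendation is to use TLS 1.1 or 1.2 where the peer supports it.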


Solution

Recommended mitigation steps for this issue are:

  • Use TLS 1.1 or 1.2 whenever possible (these versions use an explicit, unpredictable IV for each record).
  • Otherwise, keep the normal cipher selection and enable the BEAST mitigation described below.

To enable this mitigation on Security Gateway R75.40VS, R75.46, R76 and later versions:

  • On SecurePlatform / Gaia / Linux / IPSO OS:

    1. Add the following line to the $CPDIR/tmp/.CPprofile.sh script using the vi editor
      (above the 'INFODIR=/opt/CPinfo-10 ; export INFODIR' line):

      BEAST_MITIGATION=1 ; export BEAST_MITIGATION

    2. Reboot the machine.


  • On Windows OS:

    Use System Properties to create a new system environment variable BEAST_MITIGATION with the value 1:

    1. Click Start - Run..., enter "%WINDIR%\system32\rundll32.exe" sysdm.cpl,EditEnvironmentVariables and click OK.

    2. Under 'System Variables' - click on 'New...'

      • name: BEAST_MITIGATION
      • value: 1
      • click 'OK'


    3. Click 'OK'.

    4. Reboot the machine.
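The following is an added example, not from this Check Point article, that performs the SecurePlatform / Gaia step above on the text of $CPDIR/tmp/.CPprofile.sh and verifies the result, so the edit can be checked on a copy of the file before it is applied, or scripted across several gateways. The path and the INFODIR anchor line are the ones the article gives; the backup file suffix, the function names and the sample profile text are this example's own constructions. It does not cover the Windows procedure, which is done through System Properties as described above.

```python
"""Added example (not from the Check Point article): enable BEAST_MITIGATION in
$CPDIR/tmp/.CPprofile.sh idempotently. Backup suffix and sample text are constructed."""
import os
import re
import sys
from pathlib import Path

EXPORT_LINE = "BEAST_MITIGATION=1 ; export BEAST_MITIGATION"      # line from the article
ANCHOR_LINE = "INFODIR=/opt/CPinfo-10 ; export INFODIR"           # insert above this line

# Constructed sample of a profile, used for a dry run; not a real .CPprofile.sh.
SAMPLE_PROFILE = """#!/bin/sh
# constructed sample profile
SOMEVAR=1 ; export SOMEVAR
INFODIR=/opt/CPinfo-10 ; export INFODIR
OTHERVAR=2 ; export OTHERVAR
"""


def is_enabled(text: str) -> bool:
    """True if the last uncommented BEAST_MITIGATION assignment is the canonical
    'BEAST_MITIGATION=1 ; export BEAST_MITIGATION'. Deliberately conservative: any
    other form ('=0', set but not exported, commented out) counts as not enabled."""
    state = False
    for line in text.splitlines():
        s = line.strip()
        if not s.startswith("BEAST_MITIGATION="):   # also skips '#' comment lines
            continue
        state = re.fullmatch(r"BEAST_MITIGATION=1\s*;\s*export\s+BEAST_MITIGATION", s) is not None
    return state


def add_mitigation(text: str) -> str:
    """Return the profile text with the mitigation enabled:
    - already enabled: returned unchanged;
    - existing uncommented BEAST_MITIGATION= lines (e.g. '=0'): rewritten in place,
      so a later assignment cannot silently override the new one;
    - otherwise: EXPORT_LINE inserted directly above the INFODIR line;
    - no INFODIR line: ValueError, so the administrator edits by hand as the article says."""
    if is_enabled(text):
        return text
    lines = text.splitlines(keepends=True)
    changed = False
    for i, line in enumerate(lines):
        if line.strip().startswith("BEAST_MITIGATION="):
            lines[i] = EXPORT_LINE + "\n"
            changed = True
    if changed:
        return "".join(lines)
    for i, line in enumerate(lines):
        if line.strip() == ANCHOR_LINE:
            lines.insert(i, EXPORT_LINE + "\n")
            return "".join(lines)
    raise ValueError("INFODIR anchor line not found; edit $CPDIR/tmp/.CPprofile.sh by hand")


def apply_to_file(path: Path) -> bool:
    """Update the profile on disk, keeping a backup. Returns True if it was changed."""
    text = path.read_text()
    if is_enabled(text):
        print(f"{path}: BEAST_MITIGATION already enabled")
        return False
    new_text = add_mitigation(text)
    backup = path.with_name(path.name + ".pre-beast")   # backup name chosen for this example
    backup.write_text(text)
    path.write_text(new_text)                            # overwrite in place, mode preserved
    print(f"{path}: updated (backup in {backup}); reboot the gateway for it to take effect")
    return True


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--dry-run":
        print(add_mitigation(SAMPLE_PROFILE))
    else:
        cpdir = os.environ.get("CPDIR")
        if not cpdir:
            sys.exit("CPDIR is not set; load the Check Point environment first")
        apply_to_file(Path(cpdir) / "tmp" / ".CPprofile.sh")
```

Run it with --dry-run to see the change against the constructed sample, then without arguments on the gateway. After the reboot that the article requires, the exported variable is only present in processes started from that profile, so a check from a fresh login shell is the right place to confirm it.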


Notes:

  • R75.45 and R75.46 support only TLS 1.0 (not TLS 1.1 or TLS 1.2), so on those versions the BEAST_MITIGATION setting is the only mitigation available on the gateway.
