Check Point response to CVE-2011-3389 aka BEAST attack

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk86440
Technical Level
Severity	Low
Product	Security Gateway, Security Gateway 80, Security Management, Endpoint Security Server, Edge, Multi-Domain Management
Version	All
Platform / Model	All
Date Created	16-Oct-2012
Last Modified	15-Mar-2018

Symptoms

The SSL protocol, as used in certain configurations in Microsoft Windows OS and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plain-text HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses:
1. the HTML5 WebSocket API
2. the Java URLConnection API, or
3. the Silverlight WebClient API, a.k.a. a "BEAST" attack
It was demonstrated that SSL and TLSv1.0 block ciphers are vulnerable to this attack. Mitigation requires the use of TLSv1.1/TLSv1.2
R75.40VS provides support for TLSv1.1/TLSv1.2. sk74100 describes details of configuration, which will not be reported as vulnerable to CVE-2011-3389 by vulnerability scanners.
This solution explains that the BEAST attack is not feasible due to the fixes that were released by browser vendors.

Solution

For more informations refer to:

For the BEAST attack to succeed all of the following conditions must hold:

SSLv3 or TLS 1.0 must be used.
A block cipher must be used.
The empty fragment mitigation must not be used. Many browsers, including IE and Chrome have it now.
The attacker must be able to both run an agent on the browser, and to monitor outgoing traffic.
The attacker must find a way to bypass the Same Origin Policy (SOP) on the browser, because the browser is not supposed to allow an attacker's agent (whether implemented in Java, Javascript, Flash or Silverlight) to send requests to another server.

The BEAST attack used a bug in the Java virtual machine implemented in some browsers, where the SOP was not enforced. This bug in Java has been fixed and all reasonably updated clients are not vulnerable. Similarly, all clients that have the empty fragment mitigation are not vulnerable either. In additional all other browser bugs mentioned in this CVE (e.g. WebSocket API) were fixed.

Therefore, the BEAST attack is not feasible today.

This solution is about products that are no longer supported and it will not be updated

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating