Check Point response to CVE-2011-3389 aka BEAST attack

Solution ID: sk86440
Severity: Low
Product: Security Gateway, Security Gateway 80, Security Management, Endpoint Security Server, Edge
Version: All
Date Created: 16-Oct-2012
Last Modified: 13-Jan-2013
Symptoms
  • The SSL protocol, as used in certain configurations in Microsoft Windows OS and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plain-text HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses:
    1. the HTML5 WebSocket API
    2. the Java URLConnection API, or
    3. the Silverlight WebClient API, aka a "BEAST" attack

  • SSL and TLSv1.0 block-cipher suites were demonstrated to be vulnerable to this attack. Mitigation requires the use of RC4 (a stream cipher) or TLSv1.1/TLSv1.2.

  • R75.40VS provides support for TLSv1.1/TLSv1.2. sk74100 describes the configuration details; a gateway configured that way will not be reported as vulnerable to CVE-2011-3389 by vulnerability scanners.

  • This solution explains why the BEAST attack is not feasible, given the fixes released by browser vendors.
Solution

For more information refer to:

For the BEAST attack to succeed all of the following conditions must hold:

  • SSLv3 or TLS 1.0 must be used.
  • A block cipher must be used.
  • The empty fragment mitigation must not be used. Many browsers, including IE and Chrome, have it now.
  • The attacker must be able both to run an agent in the browser and to monitor outgoing traffic.
  • The attacker must find a way to bypass the Same Origin Policy (SOP) in the browser, because the browser is not supposed to allow an attacker's agent (whether implemented in Java, JavaScript, Flash or Silverlight) to send requests to another server.
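To make the first three conditions above checkable, here is an added example (not part of this SecureKnowledge article and not Check Point code) that classifies a negotiated protocol/cipher pair as reported by a scanner. It assumes OpenSSL-style or IANA-style cipher suite names and a constructed sample of scan results; the agent and SOP conditions are browser-side and cannot be judged from server parameters.

```python
"""Classify a negotiated TLS protocol/cipher pair against the BEAST
preconditions: SSLv3 or TLS 1.0, a block cipher in CBC mode, and no
empty-fragment (1/n-1) mitigation on the client side."""
from dataclasses import dataclass

AEAD_TOKENS = ("GCM", "CCM", "CHACHA20", "POLY1305")
STREAM_TOKENS = ("RC4",)
# OpenSSL omits the mode name for CBC suites: "AES128-SHA" is AES-128-CBC.
BLOCK_TOKENS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA", "ARIA")
BEAST_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.0")


def uses_cbc(cipher: str) -> bool:
    """True when the suite encrypts records with a block cipher in CBC mode."""
    name = cipher.upper()
    if "CBC" in name:                      # IANA-style names say it explicitly
        return True
    if any(t in name for t in AEAD_TOKENS + STREAM_TOKENS):
        return False                       # AEAD or stream cipher: not CBC
    return any(t in name for t in BLOCK_TOKENS)


@dataclass
class Verdict:
    legacy_protocol: bool   # SSLv3 / TLS 1.0 negotiated
    cbc_cipher: bool        # block cipher in CBC mode negotiated
    exposed: bool           # all server-observable BEAST conditions hold


def assess(protocol: str, cipher: str, client_empty_fragment: bool = False) -> Verdict:
    """Apply the protocol, cipher and empty-fragment conditions."""
    legacy = protocol in BEAST_PROTOCOLS
    cbc = uses_cbc(cipher)
    return Verdict(legacy, cbc, legacy and cbc and not client_empty_fragment)


# Constructed sample of negotiated parameters, as a scanner might report them.
SAMPLE = [
    ("TLSv1", "AES128-SHA"),
    ("TLSv1", "RC4-SHA"),
    ("TLSv1.2", "AES128-SHA"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("SSLv3", "DES-CBC3-SHA"),
]


def exposed_pairs(sample=SAMPLE):
    """Return the (protocol, cipher) pairs that satisfy the BEAST conditions."""
    return [(p, c) for p, c in sample if assess(p, c).exposed]


if __name__ == "__main__":
    for proto, suite in SAMPLE:
        print(proto, suite, assess(proto, suite))
```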

The BEAST attack used a bug in the Java virtual machine implemented in some browsers, where the SOP was not enforced. This bug in Java has been fixed, and reasonably up-to-date clients are not vulnerable. Similarly, all clients that have the empty fragment mitigation are not vulnerable either. In addition, all other browser bugs mentioned in this CVE (e.g. the WebSocket API) were fixed.

Therefore, the BEAST attack is not feasible today.
