Check Point response to CVE-2011-3389 aka BEAST attack
Symptoms
  • The SSL protocol, as used in certain configurations in Microsoft Windows OS and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plain-text HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses:
    1. the HTML5 WebSocket API
    2. the Java URLConnection API, or
    3. the Silverlight WebClient API, aka a "BEAST" attack
  • It was demonstrated that SSL and TLSv1.0 connections using block ciphers are vulnerable to this attack. Mitigation requires the use of RC4 (a stream cipher) or TLSv1.1/TLSv1.2.

  • R75.40VS provides support for TLSv1.1/TLSv1.2. sk74100 describes the configuration that will not be reported as vulnerable to CVE-2011-3389 by vulnerability scanners.

  • This solution explains that the BEAST attack is not feasible due to the fixes that were released by browser vendors.
Solution

For more information refer to:

For the BEAST attack to succeed all of the following conditions must hold:

  • SSLv3 or TLS 1.0 must be used.
  • A block cipher must be used.
  • The empty fragment mitigation must not be used. Many browsers, including IE and Chrome, have it now.
  • The attacker must be able to both run an agent on the browser, and to monitor outgoing traffic.
  • The attacker must find a way to bypass the Same Origin Policy (SOP) on the browser, because the browser is not supposed to allow an attacker's agent (whether implemented in Java, JavaScript, Flash or Silverlight) to send requests to another server.
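The two server-side conditions above (SSLv3 or TLS 1.0, plus a block cipher) are what vulnerability scanners test for when they report CVE-2011-3389 against a gateway. The following is an added example, not Check Point code; it applies those conditions to a constructed scan listing of (protocol, cipher suite) pairs and reports which combinations a scanner would flag:

```python
"""Apply the server-side BEAST conditions listed above to a scan result:
SSLv3 or TLSv1.0 together with a CBC block cipher. Added example, not Check
Point code; the scan listing is constructed to look like a TLS scanner's output."""

# Protocol versions that chain the CBC IV from the previous record.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}

# Constructed sample: (protocol, cipher suite) pairs a gateway accepted.
SAMPLE_SCAN = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.1", "AES128-SHA"),
    ("TLSv1.0", "AES128-SHA"),
    ("TLSv1.0", "RC4-SHA"),
    ("SSLv3", "DES-CBC3-SHA"),
    ("SSLv3", "NULL-SHA"),
]

def is_cbc_block_cipher(suite: str) -> bool:
    """True for block ciphers in CBC mode, by OpenSSL or IANA suite name."""
    name = suite.upper()
    # Stream ciphers, AEAD modes and NULL encryption are not CBC.
    if any(t in name for t in ("RC4", "CHACHA20", "NULL", "GCM", "CCM", "POLY1305")):
        return False
    # What remains names a block cipher, which these protocol versions run in CBC.
    return any(t in name for t in ("AES", "DES", "CAMELLIA", "SEED", "IDEA", "CBC"))

def evaluate(offered):
    """Return (protocol, cipher, exposed, reason) for each offered combination."""
    findings = []
    for proto, cipher in offered:
        if proto not in BEAST_PROTOCOLS:
            findings.append((proto, cipher, False, "TLSv1.1+ uses explicit per-record IVs"))
        elif not is_cbc_block_cipher(cipher):
            findings.append((proto, cipher, False, "stream/AEAD/NULL cipher, not CBC"))
        else:
            findings.append((proto, cipher, True, "CBC block cipher under SSLv3/TLSv1.0"))
    return findings

def exposed_combinations(offered):
    """Combinations a scanner reports against CVE-2011-3389. Disabling them,
    or preferring TLSv1.1/TLSv1.2 as sk74100 describes, clears the finding."""
    return [(p, c) for p, c, exposed, _ in evaluate(offered) if exposed]

if __name__ == "__main__":
    for proto, cipher, exposed, reason in evaluate(SAMPLE_SCAN):
        print(f"{proto:8} {cipher:30} {'EXPOSED' if exposed else 'ok':8} {reason}")
```

RC4 is treated as not exposed here because that is the condition the scanner tests, but RC4 has since been prohibited for TLS (RFC 7465), so enabling TLSv1.1/TLSv1.2 is the remediation to pursue.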

The BEAST attack used a bug in the Java virtual machine implemented in some browsers, where the SOP was not enforced. This bug in Java has been fixed, so all reasonably up-to-date clients are not vulnerable. Similarly, all clients that have the empty fragment mitigation are not vulnerable either. In addition, all other browser bugs mentioned in this CVE (e.g. the WebSocket API) were fixed.

Therefore, the BEAST attack is not feasible today.
