This article discusses whether SecureAuth IdP Appliances are exposed to the BEAST vulnerability described in CVE-2011-3389, and how to mitigate it.
What is BEAST?
BEAST (Browser Exploit Against SSL/TLS) is an attack on the SSL 3.0 and TLS 1.0 record layer that was publicly demonstrated in September 2011. It exploits the way those protocol versions use cipher block chaining (CBC): the last ciphertext block of one record is reused as the initialization vector (IV) of the next record, so the IV is predictable to anyone watching the connection. An attacker who can observe the encrypted traffic and also cause the victim's browser to send chosen plaintext over the same connection (for example through script running in the browser) can craft records whose ciphertext reveals whether a guess about an encrypted byte is correct, and so recover the plaintext one byte at a time. From a man-in-the-middle (MITM) position this lets the attacker silently recover session cookies and other authentication tokens exchanged between a Web server and the browser accessing it, without breaking the underlying cipher.
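The guess check at the heart of BEAST, as an added illustration that is not part of this article or of SecureAuth's code. It uses the .NET AES implementation from PowerShell as a stand-in for the TLS record layer; the session key, the previous record's last ciphertext block and the secret record are constructed values. The real attack aligns the record boundary so that only one byte of the target block is unknown (at most 256 guesses per byte); this example tests a whole-block guess to keep the mechanics visible.

```powershell
# Added illustration of the BEAST guess check, not SecureAuth code.
# Key, previous ciphertext block and secret record are constructed values.

function Invoke-CbcEncrypt {
    param([byte[]]$Key, [byte[]]$IV, [byte[]]$Plaintext)
    # One CBC encryption with no padding; stands in for encrypting one TLS record.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $enc = $aes.CreateEncryptor($Key, $IV)
    try     { return $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length) }
    finally { $enc.Dispose(); $aes.Dispose() }
}

function Invoke-XorBytes {
    param([byte[]]$A, [byte[]]$B)
    $out = New-Object byte[] $A.Length
    for ($i = 0; $i -lt $A.Length; $i++) { $out[$i] = $A[$i] -bxor $B[$i] }
    return $out
}

function Test-BeastGuess {
    param(
        [byte[]]$Key,
        [byte[]]$PrevBlock,    # last ciphertext block before the secret record (visible on the wire)
        [byte[]]$TargetBlock,  # ciphertext block that holds the secret (visible on the wire)
        [byte[]]$Guess,        # attacker's guess for the secret plaintext block
        [switch]$ExplicitIV    # simulate TLS 1.1+: a fresh random IV for every record
    )
    # The attacker injects Guess XOR PrevBlock XOR TargetBlock as the next record.
    # Under TLS 1.0 that record is chained with IV = TargetBlock, so the block
    # cipher input becomes Guess XOR PrevBlock, which is the same input that
    # produced TargetBlock exactly when Guess equals the secret.
    [byte[]]$crafted = Invoke-XorBytes (Invoke-XorBytes $Guess $PrevBlock) $TargetBlock
    if ($ExplicitIV) {
        [byte[]]$iv = New-Object byte[] 16
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($iv)
    } else {
        [byte[]]$iv = $TargetBlock
    }
    [byte[]]$c2 = Invoke-CbcEncrypt -Key $Key -IV $iv -Plaintext $crafted
    return ([System.BitConverter]::ToString($c2) -eq [System.BitConverter]::ToString($TargetBlock))
}

# Constructed inputs.
[byte[]]$key    = [byte[]](1..16)                                              # session key
[byte[]]$c0     = [byte[]](101..116)                                           # last block of an earlier record
[byte[]]$secret = [System.Text.Encoding]::ASCII.GetBytes('Cookie: SID=1234')  # 16-byte block to recover

# TLS 1.0 encrypts the secret record with IV = c0, the previous record's last block.
[byte[]]$c1 = Invoke-CbcEncrypt -Key $key -IV $c0 -Plaintext $secret

$right = [System.Text.Encoding]::ASCII.GetBytes('Cookie: SID=1234')
$wrong = [System.Text.Encoding]::ASCII.GetBytes('Cookie: SID=9999')
'TLS 1.0, correct guess: {0}' -f (Test-BeastGuess -Key $key -PrevBlock $c0 -TargetBlock $c1 -Guess $right)
'TLS 1.0, wrong guess:   {0}' -f (Test-BeastGuess -Key $key -PrevBlock $c0 -TargetBlock $c1 -Guess $wrong)
'TLS 1.1, correct guess: {0}' -f (Test-BeastGuess -Key $key -PrevBlock $c0 -TargetBlock $c1 -Guess $right -ExplicitIV)
```

The first call reports True and the second False: the attacker learns from the ciphertext alone whether the guess was right. The third call reports False even though the guess is correct, because with an explicit per-record IV the attacker has to commit to the injected plaintext before the IV exists, which is why TLS 1.1 and later are not affected.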
Are SecureAuth IdP Appliances impacted?
SecureAuth IdP Appliances run on Microsoft Windows Server, whose TLS implementation (Schannel) supports the affected protocol versions, so an unmitigated appliance is exposed. The weakness is in the SSL 3.0 / TLS 1.0 protocol design and is not specific to Windows or to SecureAuth IdP; any server that offers those versions with CBC cipher suites to a vulnerable client is affected. The mitigation sections below describe how to address it.
Operating System Mitigation
Keep the SecureAuth IdP Appliance current with Microsoft Windows Server updates. Microsoft addressed CVE-2011-3389 in Schannel with security bulletin MS12-006, which changes how CBC records are sent so that the IV is consumed before attacker-influenced data is encrypted; an appliance that is fully patched already has that update.
Web Browser Mitigation
Ensure end users run a modern, fully patched Web browser. BEAST depends on the victim's browser sending attacker-chosen plaintext over the encrypted connection, so the major browser vendors added countermeasures shortly after the attack was published, most commonly 1/n-1 record splitting (the first byte of each record is sent in its own record, so the predictable chained IV is used up before the rest of the data is encrypted); Internet Explorer receives its fix through the Windows update described above.
TLS 1.0 Disablement
Disable TLS 1.0 (and SSL 3.0, if it is still enabled) on the appliance and require users to connect with TLS 1.1 or TLS 1.2. Those versions carry an explicit, unpredictable IV in every CBC record, so the chosen-plaintext check that BEAST relies on no longer works. TLS 1.0 is deprecated and disabling it improves the overall security of the SecureAuth IdP Appliance beyond this particular attack. Before disabling it, confirm that all user browsers and any systems the appliance itself connects to (directory servers, databases, web services) support TLS 1.1 or later, since the same Schannel settings applied to the client side also govern the appliance's outbound connections.
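One way to carry out the change on the Windows Server that hosts the appliance, as an added example rather than a script from this article or from SecureAuth: it disables TLS 1.0 and explicitly enables TLS 1.1 and TLS 1.2 for both the server and client sides of Schannel through the standard registry keys, then reads the settings back. The function and variable names are the example's own. Run it from an elevated PowerShell session; Schannel applies the change after a reboot.

```powershell
# Added example, not SecureAuth's own script. Run elevated; reboot afterwards.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,                               # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][ValidateSet('Client','Server')][string]$Side,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $path = Join-Path (Join-Path $SchannelProtocols $Protocol) $Side
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Enabled=0 switches the protocol off. DisabledByDefault=1 additionally stops
    # SSPI callers that do not request a protocol explicitly from negotiating it.
    New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $path = Join-Path (Join-Path $SchannelProtocols $Protocol) $Side
    if (-not (Test-Path $path)) { return 'not configured (OS default applies)' }
    $p = Get-ItemProperty -Path $path
    return ('Enabled={0} DisabledByDefault={1}' -f $p.Enabled, $p.DisabledByDefault)
}

# Turn TLS 1.0 off and make sure TLS 1.1 and TLS 1.2 are on, for inbound
# (Server) and outbound (Client) connections alike.
foreach ($side in 'Server', 'Client') {
    Set-SchannelProtocol -Protocol 'TLS 1.0' -Side $side -Enabled $false
    Set-SchannelProtocol -Protocol 'TLS 1.1' -Side $side -Enabled $true
    Set-SchannelProtocol -Protocol 'TLS 1.2' -Side $side -Enabled $true
}

# Read the result back so the change can be checked before rebooting.
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        '{0,-8} {1,-7} {2}' -f $proto, $side, (Get-SchannelProtocolState -Protocol $proto -Side $side)
    }
}
```

After the reboot, confirm from another host that the old version is refused, for example with `openssl s_client -connect idp.example.com:443 -tls1` (hostname assumed for the example), which should fail to complete the handshake while `-tls1_2` succeeds. Two caveats: the Client-side keys also govern connections the appliance initiates, so peers such as directory servers must already accept TLS 1.1 or later; and applications built on older .NET Framework releases do not use TLS 1.2 for outbound connections unless the framework is told to (the `SchUseStrongCrypto` setting under `HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319`, and its Wow6432Node counterpart), so test the appliance's integrations after the change.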