Beast vulnerability vs SSL VPN (AnyConnect)

Phillip Macey
Level 1

Hi Everyone,

Hopefully this is not a really stupid question... but here I go anyway.

The 'BEAST' vulnerability recently demo'd at Ekoparty:

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

Does anyone know if the SSL (AnyConnect) VPN on an ASA5520 is vulnerable to this sort of attack? If yes, is it possible to prevent it by changing some config options on the ASA (e.g. using RC4 in preference to CBC)? I have read that it will be fairly hard to implement this attack in practice, but fairly hard != impossible, so I figure it's worth finding out about it. To my (uneducated in crypto) mind it seems that the use of JS/Java in the demo means it will not be practical to do this unless the AnyConnect client can be convinced to run some code. Right?

Thanks,

Phill Macey

1 Reply

darrenfinch16
Level 1

Hi

I have been reading as much as I can on this. We use an ACE to terminate SSL and need a mitigation strategy for this exploit.

I have confirmed with Cisco that since this exploits SSLv3 as well as TLS1 there is no upgrade path at this time. I don't actually use AnyConnect, but I would expect it too would be vulnerable.

My understanding is that this exploit can only happen during negotiation. The most likely attack vector would be connecting via a wireless network that an attacker is also connected to. Somewhat less likely would be connecting via an attacker's proxy server.

If you hear anything, please let me know.

Darren

Sent from Cisco Technical Support iPad App
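
An added example, not part of the original posts and not Cisco tooling: a small Python model of the mitigation raised in the question (preferring RC4 over CBC) and of the reply's point that SSLv3 and TLS 1.0 are both affected. It assumes the server enforces its own cipher order; the suite orderings and client profiles are constructed sample data.

```python
import re

# SSL 3.0 and TLS 1.0 chain CBC IVs from the previous record; TLS 1.1+ sends an explicit IV.
CHAINED_IV_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}


def cipher_mode(suite):
    """Classify an OpenSSL- or IANA-style suite name: null, stream, aead or cbc."""
    name = suite.upper().replace("-", "_")
    if "NULL" in name:
        return "null"
    if "RC4" in name:
        return "stream"
    if re.search(r"GCM|CCM|CHACHA20", name):
        return "aead"
    # Every other block-cipher suite up to TLS 1.2 (AES, 3DES, DES, ...) runs in CBC mode.
    return "cbc"


def negotiate(server_order, client_offer):
    """Server-preference selection: first suite in the server's order that the client offers."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)


def audit(server_order, clients):
    """Return {client: (negotiated suite, BEAST-relevant?)} for each (protocol, offer) pair."""
    report = {}
    for label, (protocol, offer) in clients.items():
        suite = negotiate(server_order, offer)
        exposed = (suite is not None and protocol in CHAINED_IV_PROTOCOLS
                   and cipher_mode(suite) == "cbc")
        report[label] = (suite, exposed)
    return report


# Constructed sample data: two hypothetical server orderings and three hypothetical clients.
CBC_FIRST = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]
RC4_FIRST = ["RC4-SHA", "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
CLIENTS = {
    "tls10_with_rc4": ("TLSv1", ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]),
    "tls10_cbc_only": ("TLSv1", ["AES128-SHA", "DES-CBC3-SHA"]),
    "tls11_cbc": ("TLSv1.1", ["AES256-SHA", "AES128-SHA"]),
}

if __name__ == "__main__":
    for name, order in (("CBC first", CBC_FIRST), ("RC4 first", RC4_FIRST)):
        print(name, audit(order, CLIENTS))
```

Reordering only helps clients that offer RC4; a TLS 1.0 client offering CBC suites alone still negotiates CBC. RC4 was later prohibited for TLS by RFC 7465, so this ordering reflects the 2011-era mitigation the thread discusses.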