
Plesk 11 Not PCI Compliant - BEAST (Browser Exploit Against SSL/TLS) Vulnerability

Discussion in 'Plesk 11.x for Linux' started by SpyderZ, Jan 29, 2013.

  1. SpyderZ

    BEAST (Browser Exploit Against SSL/TLS) Vulnerability
    CVE: CVE-2011-3389
    Centos 5.9
    Plesk 11.0.9 Update #34
    Scanner: Trustwave

    Description
    The SSL protocol encrypts data by using CBC mode with chained initialization vectors. This allows an attacker who has gotten access to an HTTPS session via man-in-the-middle (MITM) attacks or other means to obtain plain text HTTP headers via a blockwise chosen-boundary attack (BCBA) in conjunction with JavaScript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. This vulnerability is more commonly referred to as Browser Exploit Against SSL/TLS or "BEAST".

    Remediation
    Affected users should disable all block-based cipher suites in the server's SSL configuration and only support RC4 ciphers, which are not vulnerable, to fully address this vulnerability. This vulnerability was addressed in TLS version 1.1/1.2; however, support for these newer TLS versions is not widely supported at the time of this writing, making it difficult to disable earlier versions. Additionally, affected users can also configure SSL to prefer RC4 ciphers over block-based ciphers to limit, but not eliminate, exposure. Affected users that implement prioritization techniques for mitigation as described above should appeal this vulnerability and include details of the SSL configuration.

    Does anyone know how to fix this? I tried creating a cipher.lst and it didn't work. This is crazy: Plesk isn't compliant with properly configured ciphers.
     
  2. IgorG

  3. SpyderZ

  4. LinqLOL

    @igorg will this also fix nginx?

    Anyways what I see in my nginx config files:

    This will not survive the BEAST attack.
     
    Last edited: Jul 15, 2013
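
Added example, not part of any post in this thread and not Plesk's or nginx's own code: a small audit that reads an nginx configuration and reports where SSLv3 or TLS 1.0 is still enabled (the protocol versions CVE-2011-3389 applies to) and whether server cipher preference is enforced, which the scanner's "prefer RC4" mitigation depends on. The sample configuration and the function names are constructed for illustration; the script does not expand the `ssl_ciphers` string.

```python
import re

# Constructed sample config; the config quoted in the thread was not preserved.
SAMPLE_CONF = """\
http {
    ssl_prefer_server_ciphers off;
    server {
        listen 443 ssl;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # pre-TLS 1.1 still offered
        ssl_ciphers HIGH:!aNULL:!MD5;
    }
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2;
        # ssl_protocols SSLv3;  (commented out, must be ignored)
    }
}
"""

# CVE-2011-3389 concerns CBC suites under SSL 3.0 and TLS 1.0; TLS 1.1+ addressed it.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1"}

def directives(conf, name):
    """Yield (line_no, [args]) for every uncommented `name ...;` directive."""
    for no, line in enumerate(conf.splitlines(), 1):
        code = line.split("#", 1)[0]          # drop trailing comments
        m = re.search(r"(?:^|[;{\s])%s\s+([^;]+);" % re.escape(name), code)
        if m:
            yield no, m.group(1).split()

def audit_beast(conf):
    """Return (line_no, message) findings; line 0 marks a file-wide finding.
    Simplification: ssl_prefer_server_ciphers is checked file-wide, not per block."""
    findings, exposed = [], False
    seen = list(directives(conf, "ssl_protocols"))
    if not seen:
        findings.append((0, "no ssl_protocols set: effective list depends on the nginx version"))
    for no, protos in seen:
        legacy = sorted(BEAST_PROTOCOLS.intersection(protos))
        if legacy:
            exposed = True
            findings.append((no, "/".join(legacy) + " enabled: CBC suites negotiated there are BEAST-exposed"))
    prefer = [args for _, args in directives(conf, "ssl_prefer_server_ciphers")]
    if exposed and ["on"] not in prefer:
        findings.append((0, "ssl_prefer_server_ciphers is not on: the client's order picks the suite"))
    return findings

if __name__ == "__main__":
    for line_no, msg in audit_beast(SAMPLE_CONF):
        print(line_no, msg)
```

A configuration that lists only TLS 1.1 or later in every `ssl_protocols` directive produces no findings.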