The HTTPS interfaces of the Embedded Management Application (EMA) and Platform Mode (PM) are vulnerable to the BEAST attack. The Secure Sockets Layer (SSL) BEAST attack affects only Transport Layer Security (TLS) version 1.0, not later versions. For further details, refer to the external link http://www.kb.cert.org/vuls/id/864643.

Generally, stream ciphers are not affected by the BEAST attack, which targets CBC-mode cipher suites. However, RC4 is the only stream cipher standardized for use with TLS 1.0, and RFC 7465 prohibits its use with TLS.

For the installation/upgrade process of SBC Core 6.0, the possible scenarios are as follows:

  • If the TLS 1.0, 1.1 and 1.2 settings are still at their defaults, TLS 1.0 is disabled in the default PM/EMA Tls profile.
  • If the TLS 1.0, 1.1 and 1.2 settings are not at their defaults, the user-provided configuration is preserved.

If the EMA Tls Profile configuration has been changed from the pre-6.0 defaults, the upgrade process does not attempt to apply the new defaults.

Enabling TLS 1.0 creates security risks and is strongly advised against. To avoid these weaknesses, upgrade to newer browser versions that support TLS 1.1 and TLS 1.2. Disable TLS 1.0 and enable TLS 1.2 for protection against BEAST attacks.
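The following is an added example, not code from the SBC product or this documentation. It models the upgrade rule described above (a profile still at its pre-6.0 defaults gets TLS 1.0 disabled; a user-modified profile is kept unchanged) and shows what the recommended hardening looks like for a server endpoint in Python's standard `ssl` module: TLS 1.0 and 1.1 refused via `minimum_version`, and RC4 excluded from the cipher list as RFC 7465 requires. The profile dictionary shape and the pre-6.0 default values are assumptions for illustration, not values taken from the product.

```python
import ssl

# Hypothetical profile model: which TLS versions a PM/EMA TLS profile enables.
# The "pre-6.0 defaults" are an ASSUMPTION for this example, not product values.
PRE_6_0_DEFAULTS = {"tls1.0": True, "tls1.1": True, "tls1.2": True}
NEW_6_0_DEFAULTS = {"tls1.0": False, "tls1.1": True, "tls1.2": True}


def apply_upgrade_defaults(profile):
    """Model of the 6.0 upgrade rule from the text: a profile that still
    matches the pre-6.0 defaults receives the new defaults (TLS 1.0 off);
    any profile the operator changed is preserved as-is."""
    if profile == PRE_6_0_DEFAULTS:
        return dict(NEW_6_0_DEFAULTS)
    return dict(profile)


def hardened_server_context():
    """Server-side SSLContext that cannot negotiate the BEAST-affected
    TLS 1.0 (or TLS 1.1) and offers no RC4 suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse every protocol version below TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # AEAD suites with forward secrecy only; RC4 and MD5 explicitly excluded.
    # (TLS 1.3 suites are configured separately by OpenSSL and stay enabled.)
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!RC4:!MD5")
    return ctx


def allows_tls10(ctx):
    """True if the context would still accept a TLS 1.0 handshake."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


def offers_rc4(ctx):
    """True if any configured cipher suite uses RC4."""
    return any("RC4" in c["name"] for c in ctx.get_ciphers())


def min_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    # Constructed sample profiles: one untouched, one operator-modified.
    print(apply_upgrade_defaults({"tls1.0": True, "tls1.1": True, "tls1.2": True}))
    print(apply_upgrade_defaults({"tls1.0": True, "tls1.1": False, "tls1.2": True}))
    ctx = hardened_server_context()
    print("minimum version:", min_version_name(ctx))
    print("accepts TLS 1.0:", allows_tls10(ctx), "| offers RC4:", offers_rc4(ctx))
```

`allows_tls10` and `offers_rc4` are the two checks worth running against any TLS endpoint configuration after an upgrade: the first confirms the version floor actually moved to 1.2, the second that no RC4 suite survived as a "stream cipher workaround" for BEAST.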
