000029120 - How to disable RC4 Cipher Suites on RSA Security Analytics ports 443 8443 and 6007

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 14, 2017.

Article Content

Article Number: 000029120
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Malware Analysis
RSA Version/Condition: 10.2.x and 10.3.x
Platform: CentOS
CVE ID: CVE-2013-2566
Scanning Tool and Version: Nessus Scan
Alert Impact: Impacted - Apply RSA Remedy
Technical Details Explanation

Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols provide integrity, confidentiality and authenticity services to other protocols that lack these features.

SSL/TLS protocols use ciphers such as AES, DES, 3DES and RC4 to encrypt the content of the higher-layer protocols and thus provide the confidentiality service. Normally the output of an encryption process is a sequence of random-looking bytes. It was already known that the RC4 keystream has some bias. More recently a group of researchers discovered that RC4 has stronger biases than previously assumed, which make statistical analysis of ciphertext more practical.

The described attack injects malicious JavaScript into the victim's browser so that many connections are established with a target website and the same HTTP cookie is sent to that website many times in encrypted form. This gives the attacker a large set of ciphertext samples that can be used for statistical analysis.

If this attack is carried out and an HTTP cookie is recovered, the attacker can use the cookie to impersonate the user whose cookie was recovered.

This attack is not very practical, as it requires the attacker to have access to millions of samples of ciphertext, but there are certain assumptions an attacker can make to improve the chances of recovering cleartext from ciphertext. For example, HTTP cookies are typically either base64 encoded or hex digits. This information can help the attacker in their efforts to recover the cookie.

RC4 should not be used where possible. One reason RC4 was still being used was the BEAST and Lucky13 attacks against CBC-mode ciphers in SSL and TLS. However, newer versions of TLS addressed these issues.

Not Applicable

There is no exploitability information for this vulnerability.

There is no malware information for this vulnerability.

TLSv1.0 with RC4 ciphers is supported

QID: 38601
CVSS Base: 2.6
Category: General remote services
CVSS Temporal: 2.2
CVE ID: CVE-2013-2566
Vendor Reference: -
Bugtraq ID: -
Service Modified: 10/15/2013
User Modified: -
Edited: No
PCI Vuln: No

To mitigate this issue, add RC4 to the list in the jdk.tls.disabledAlgorithms property in the following file: /etc/alternatives/jre/lib/security/java.security

Mitigation steps:
1. Modify the file /etc/alternatives/jre/lib/security/java.security by adding the following line: jdk.tls.disabledAlgorithms=RC4
   If the file already defines jdk.tls.disabledAlgorithms, append RC4 to that existing comma-separated value instead of adding a second line: the JVM keeps only the last definition of a property it reads, so a duplicate line would replace the existing list rather than extend it.
[Figure: RC4 Fix]
2. Reboot the machine.
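The following shell script is an added example and is not RSA's own tooling; it makes the java.security change from the steps above in an idempotent way, so it can be re-run on a host without producing a second jdk.tls.disabledAlgorithms line. It assumes GNU sed (for -i, as shipped on CentOS) and that the property is defined at most once in the file. It also joins the backslash-continued lines that java.security uses for long lists, because a naive grep for "RC4" on a single line misses an entry that sits on a continuation line.

```shell
#!/bin/sh
# Added example (not RSA's script): ensure RC4 is listed in
# jdk.tls.disabledAlgorithms of a java.security file, without duplicating
# the property. Assumes GNU sed -i and at most one definition of the key.

# disabled_algorithms FILE
# Print the logical value of jdk.tls.disabledAlgorithms, joining
# backslash-continued lines the way java.util.Properties does.
# Prints nothing when the property is absent (commented-out lines are ignored).
disabled_algorithms() {
    awk '
        /^jdk\.tls\.disabledAlgorithms[[:blank:]]*=/ { in_prop = 1; sub(/^[^=]*=[[:blank:]]*/, "") }
        in_prop {
            sub(/^[[:blank:]]+/, "")            # leading blanks on continuation lines
            cont = sub(/\\[[:blank:]]*$/, "")   # trailing "\" means the value continues
            printf "%s", $0
            if (!cont) { print ""; exit }
        }
    ' "$1"
}

# has_rc4 FILE -> exit status 0 when RC4 is one of the comma-separated entries
has_rc4() {
    disabled_algorithms "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//' \
        | grep -qx 'RC4'
}

# disable_rc4 FILE
#  - RC4 already listed: leave the file untouched
#  - property present without RC4: put RC4 at the front of the existing value,
#    so no continuation line needs editing. A second
#    jdk.tls.disabledAlgorithms= line would instead silently replace the first,
#    because Properties keeps only the last definition of a key.
#  - property absent: append jdk.tls.disabledAlgorithms=RC4 (step 1 above)
disable_rc4() {
    file="$1"
    if has_rc4 "$file"; then
        return 0
    fi
    if grep -q '^jdk\.tls\.disabledAlgorithms[[:blank:]]*=' "$file"; then
        sed -i \
            -e 's/^\(jdk\.tls\.disabledAlgorithms[[:blank:]]*=\)[[:blank:]]*\([^[:blank:]]\)/\1RC4, \2/' \
            -e 's/^\(jdk\.tls\.disabledAlgorithms[[:blank:]]*=\)[[:blank:]]*$/\1RC4/' \
            "$file"
    else
        printf '\njdk.tls.disabledAlgorithms=RC4\n' >> "$file"
    fi
    has_rc4 "$file"   # exit status reports whether the file now lists RC4
}

# Apply to the file named on the command line and show the resulting value.
# The JVM reads java.security only at startup, so the reboot in step 2 still follows.
if [ "$#" -gt 0 ]; then
    disable_rc4 "$1" && printf 'jdk.tls.disabledAlgorithms=%s\n' "$(disabled_algorithms "$1")"
fi
```

Run it as `sh disable_rc4.sh /etc/alternatives/jre/lib/security/java.security` (the path from the advisory), then reboot as in step 2. After the reboot, an RC4-only handshake against each of the three ports named in the title should fail, for example `openssl s_client -connect <host>:443 -cipher RC4 </dev/null` with `<host>` standing for the Security Analytics server; a handshake that still succeeds means the JVM serving that port did not pick up the change.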



Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Corporation distributes RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.