Hello,

 

One of our customers reported that they failed their PCI Compliance scan. Here is the excerpt from the PCI Results that failed:

 

Vulnerability:

 

BEAST (Browser Exploit Against SSL/TLS) Vulnerability

The SSL protocol encrypts data by using CBC mode with chained

initialization vectors. This allows an attacker, which is has gotten

access to an HTTPS session via man-in-the-middle (MITM) attacks or

other means, to obtain plain text HTTP headers via a block wise

chosen-boundary attack (BCBA) in conjunction with JavaScript code

that uses the HTML5 Web Socket API, the Java URLConnection API,

or the Silverlight Web Client API. This vulnerability is more commonly

referred to as Browser Exploit Against SSL/TLS or "BEAST".

CVE: CVE-2011-3389

NVD: CVE-2011-3389

Bugtraq: 49778

CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N(4.30)

Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=665814,

http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslciphersuite,

http://technet.microsoft.com/en-us/security/bulletin/ms12-006

Service: http

 

Remediation:

 

Affected users should disable all block-based cipher

suites in the server's SSL configuration and only support

RC4 ciphers, which are not vulnerable to fully address

this vulnerability. This vulnerability was addressed in

TLS version 1.1/1.2, however, support for these newer

TLS versions is not widely supported at the time of this

writing, making it difficult to disable earlier versions.

Additionally, affected users can also configure SSL to

prefer RC4 ciphers over block-based ciphers to limit, but

not eliminate, exposure. Affected users that implement

prioritization techniques for mitigation as described

above should appeal this vulnerability and include

details of the SSL configuration.

 

I have tried a few different fixes, along with bulleting “Use Only PCI-Compliant Ciphers”, but they error is still thrown. When I connect with Google Chrome, it shows the following for encryption:

 

Your connection to <IP Address> is encrypted with 256-bit encryption.

The Connection uses TLS 1.1.

The connection is encrypted using CAMELLIA_256_CBC with SHA1 for message authentication and RSA as the key exchange mechanism.

The connection does not use SSL compression.

 

I currently have the following string in the SSL encryption module:

 

RC4-SHA:HIGH:!ADH:!LOW:!MEDIUM:!SSLv2

 

This machine has OpenSSL 1.0.1c compiled and installed and used by Webmin.

 

Any Ideas?

 

Thanks,

 

Andrew Reis | MCTS, Network+

Microsoft Windows/Networking Support

Webmaster

DBMS Inc.

 

Andrew Reis | MCTS, Network+

Microsoft Windows/Networking Support

Webmaster

DBMS Inc.

Toll-Free: (888) 862-0662 ext. 307

Direct: (318) 219-5034

Email: andy@dbmsinc.com

Web: http://www.dbmsinc.com

Be sure to follow us on Facebook and Twitter