Bug #3810 (closed): Checking "Mitigate the BEAST SSL Attack" box actually disables mitigation
Description
In the System: Advanced: Admin Access tab, checking the box for "Mitigate the BEAST SSL Attack" actually makes the installation vulnerable by disabling mitigation that appears to be enabled by default.
Version Tested: 2.1.4-RELEASE
Repro Steps: Check the box, access the Web UI, note that cipher negotiation falls to a weak cipher (RC4 as tested in Chrome)
Steps to verify mitigation when unchecked: Uncheck the box, access the Web UI, note that cipher negotiation is now AES CBC or another strong cipher (actual mitigation)
Assigning Priority of Urgent due to the many admins who have checked this box but are now unknowingly vulnerable, when they would not be otherwise.
Suggested remediation: reword the checkbox to "Disable mitigation", or remove the checkbox feature from the UI
Thanks!
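Both the reporter and the reviewer are reading the same negotiated cipher through different lenses: BEAST applies to CBC-mode suites under SSL 3.0 / TLS 1.0, the old mitigation was to prefer the RC4 stream cipher, and RC4 is itself considered weak, so a scanner that only asks "is BEAST possible?" gives the opposite answer from someone who asks "is the negotiated cipher strong?". The script below is an added example, not pfSense code and not part of this ticket: it connects to a host, reports the cipher and protocol the server picked (the same observation the repro steps make in Chrome), and classifies the result along both axes. The hostname, port and the constructed sample results are assumptions; the page does not say which cipher list the checkbox actually configures.

```python
"""Report the cipher a TLS server negotiates and say what it means for BEAST.

Added example, not pfSense's own code. Run as:  python check_beast.py <host> [port]
"""
import socket
import ssl
import sys

# Constructed sample results in the shape returned by ssl.SSLSocket.cipher():
# (cipher name, protocol version, secret bits). Not captured from any real host.
SAMPLE_RESULTS = [
    ("ECDHE-RSA-RC4-SHA", "TLSv1", 128),             # what the reporter saw with the box checked
    ("AES128-SHA", "TLSv1", 128),                    # CBC under TLS 1.0: BEAST-affected
    ("AES256-SHA", "TLSv1.2", 256),                  # CBC under TLS 1.2: explicit IVs, not BEAST-affected
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128), # AEAD: neither problem
]

# Protocols whose CBC records use chained (predictable) IVs, the precondition for BEAST.
CBC_LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}


def is_rc4(cipher_name):
    return "RC4" in cipher_name.upper()


def is_aead(cipher_name):
    u = cipher_name.upper()
    return "GCM" in u or "CHACHA20" in u or "CCM" in u


def classify(cipher_name, protocol):
    """Return (beast_affected, verdict) for one negotiated cipher/protocol pair.

    OpenSSL-style names without GCM/CCM/CHACHA20/RC4 are CBC-mode block ciphers
    (AES128-SHA, DES-CBC3-SHA, ...), which is the only case BEAST applies to.
    """
    if is_rc4(cipher_name):
        return False, "RC4 stream cipher: not BEAST-affected, but RC4 itself is weak"
    if is_aead(cipher_name):
        return False, "AEAD suite: not BEAST-affected"
    if protocol in CBC_LEGACY_PROTOCOLS:
        return True, "CBC cipher under %s: BEAST-affected" % protocol
    return False, "CBC cipher under %s: not BEAST-affected (explicit IVs since TLS 1.1)" % protocol


def negotiated_cipher(host, port=443, timeout=5.0):
    """Open one TLS connection and return (cipher name, protocol, bits).

    Certificate checks are disabled because this is a diagnostic against an
    admin UI that commonly uses a self-signed certificate; it sends no data.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


def report(results):
    """Turn a list of cipher() tuples into human-readable lines."""
    lines = []
    for name, proto, bits in results:
        affected, verdict = classify(name, proto)
        lines.append("%-32s %-8s %3d bits  BEAST=%-5s %s"
                     % (name, proto, bits, affected, verdict))
    return lines


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        rows = [negotiated_cipher(host, port)]
    else:
        rows = SAMPLE_RESULTS  # offline demonstration on the constructed samples
    print("\n".join(report(rows)))
```

The two-column verdict is the point: a BEAST-only scanner marks the RC4 row safe and the AES128-SHA/TLSv1 row vulnerable, which matches the reviewer's test, while the reporter's "weak cipher" observation is about the RC4 row. Only the AEAD row on TLS 1.2 satisfies both readings.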
Updated by Jim Pingle over 11 years ago
- Status changed from New to Rejected
I tested 2.1.4, 2.1.5 (pending), and 2.2. All reported BEAST vulnerable with the box unchecked, and all reported as NOT vulnerable with the box checked. It is working as intended as far as I can tell from the tests being used.
If you are using a different validation tool that reports the opposite, follow up on the forum with more info for discussion until an issue is confirmed.