SSL FREAK Attack

IDs: CVE-2015-0204
Keywords: SSL, TLS, FREAK, export, ciphers
Description:

An attack on TLS/SSL named FREAK is currently being discussed in the media. A man-in-the-middle attacker could downgrade a TLS/SSL connection to a very weak RSA export cipher. With today's computational power, such connections can be easily decrypted.

Airlock WAF 5.x is not affected because RSA export ciphers are disabled in Apache httpd 2.4.7 and newer. See "Resolution" below if you are using Airlock 5.0.

Airlock WAF 4.2.6.3 and 4.2.6.4 are not affected if using the default SSL configuration. This is because the default cipher suite does not contain RSA export ciphers.

Resolution:

For Airlock 5.0

If "Allow low strength ciphers" or any custom defined cipher suite containing RSA export ciphers is configured on a virtual host, hotfix HF5003 is needed.

For Airlock 4.2.6.3 and 4.2.6.4

If "Allow low strength ciphers" or any custom defined cipher suite containing RSA export ciphers is configured on a virtual host, we recommend disabling RSA export ciphers, either by disabling "Allow low strength ciphers" or by removing the ciphers from the custom defined cipher suites.

Otherwise no action is required.
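
To review a custom defined cipher suite for the condition described above, the following check is an added example and not Airlock code. It assumes the suite is written in OpenSSL cipher-string syntax and treats `ALL` as export-enabling; the function names are hypothetical, and the check is a conservative static one that does not reproduce OpenSSL's full expansion.

```python
import re

# Keywords that select export-grade suites in an OpenSSL-style cipher string.
EXPORT_KEYWORDS = {"EXP", "EXPORT", "EXPORT40", "EXPORT56"}
# Assumption: "ALL" is treated as export-enabling, which holds only for
# OpenSSL builds that still ship export suites.
BROAD_ALIASES = {"ALL"}
# Name components marking a key exchange other than plain RSA.
NON_RSA_KX = {"EDH", "DHE", "ADH", "KRB5"}


def is_rsa_export_name(name):
    """True for explicit suite names such as EXP-RC4-MD5 (RSA key exchange)."""
    parts = name.split("-")
    return (parts[0] in ("EXP", "EXP1024") and len(parts) > 1
            and not NON_RSA_KX & set(parts))


def audit_cipher_string(cipher_string):
    """Return the tokens that may leave RSA export suites enabled ([] if none)."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]
    # "!EXP" / "!EXPORT" deletes every export suite permanently, in any position.
    if any(t in ("!EXP", "!EXPORT") for t in tokens):
        return []
    killed = {t[1:] for t in tokens if t.startswith("!")}
    findings = []
    for token in tokens:
        op = token[0] if token[0] in "!-+" else ""
        body = token[len(op):]
        if op in ("!", "+"):
            continue  # "!" handled above; "+" only reorders suites already selected
        if op == "-":
            # "-" removes suites, but a later token may add them back.
            if body in ("EXP", "EXPORT"):
                findings.clear()
            elif body in findings:
                findings.remove(body)
            continue
        if body in killed:
            continue
        # "A+B" is an intersection; any export keyword in it is flagged (conservative).
        selectors = set(body.split("+"))
        if selectors & (EXPORT_KEYWORDS | BROAD_ALIASES) or is_rsa_export_name(body):
            findings.append(body)
    return findings
```

An empty list means no token was found that enables RSA export suites; any returned token is a candidate for removal from the custom defined cipher suite.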

Component: Airlock
Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Does not affect back-end behind Airlock