SOLVED Beast Attack Patch

patrolg

New Member
Joined
Jan 23, 2010
Messages
3
Reaction score
0
Not sure if the latest update-fixes corrected this.
Was the victim of attacks that use TLSv1 via SSL exploitation.
It cost me dearly!!! The attacker virtually read the configuration of my registration trunk and made hundreds of dollars of long distance calls.
Seems the remedy is located here:
http://serverkb.co.uk/wiki/CentOS
Search for Beast Attack.
Also it may be well to apply the SSL CRIME attack fix at the same time.

Took me a little while to figure out how they accessed my box when I close virtually all ports to the external world.
 

Brian Simmons

Active Member
Joined
May 22, 2013
Messages
166
Reaction score
35
Thanks for the information. My server was unprotected against both attacks, but I was able to secure them using the information in the link from Patrolg's original post.
 

Brian Simmons

Active Member
Joined
May 22, 2013
Messages
166
Reaction score
35
First I did this:

Edit the /etc/sysconfig/httpd file and add this line to it:
Code:
export OPENSSL_NO_DEFAULT_ZLIB=1
Then restart Apache:
Code:
service httpd restart
That seemed to fix the Crime vulnerability, but the BEAST was still unprotected - the same as your results.

So looking at the information a little further, I found this link which gave me the rest of the directions I followed. http://serverfault.com/questions/415112/fixing-beast-vulnerability-on-apache-2-0-running-on-rhel-4

Add the following four lines to your ssl.conf files:

Code:
SSLHonorCipherOrder On
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite RC4-SHA:HIGH:!MD5:!aNULL:!ADH
SSLInsecureRenegotiation off

My ssl.conf file already had several of these lines (like the SSLCipherSuite line and an SSLProtocol line), which I commented out so as not to duplicate them with the new code. But now when I run the test I pass both the CRIME and BEAST tests.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Using Brian Simmons' tips above, here's what works...

nano -w /etc/httpd/conf.d/ssl.conf

# change SSL Protocol support section by commenting out existing stuff and add:
Code:
SSLHonorCipherOrder On
SSLProtocol -all +TLSv1 +SSLv3
SSLInsecureRenegotiation off

# change SSL cipher suite section by commenting out the SSLCipherSuite line and substitute:
Code:
SSLCipherSuite RC4-SHA:HIGH:!MD5:!aNULL:!EDH:!ADH

And then:

Code:
echo "export OPENSSL_NO_DEFAULT_ZLIB=1" >> /etc/sysconfig/httpd
service httpd restart

Run the test:
Code:
java -jar TestSSLServer.jar 192.168.0.181 443

You should get results similar to this:
Code:
Supported versions: SSLv3 TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
    RSA_WITH_RC4_128_SHA
    RSA_WITH_3DES_EDE_CBC_SHA
    RSA_WITH_AES_128_CBC_SHA
    RSA_WITH_AES_256_CBC_SHA
    RSA_WITH_CAMELLIA_128_CBC_SHA
    RSA_WITH_CAMELLIA_256_CBC_SHA
  (TLSv1.0: idem)
----------------------
Server certificate(s):
  70858a0123456788427d512345678ea29054e23f: [email protected], CN=pbx.local, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
----------------------
Minimal encryption strength:    strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: protected
CRIME status: protected
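
As an added example (not something posted in this thread), here is a Python audit that applies the thread's own criteria to an ssl.conf fragment: BEAST counts as mitigated when SSLv3/TLSv1.0 are not offered at all or when SSLHonorCipherOrder On puts RC4 first, and CRIME when compression is off, either via SSLCompression off or the OPENSSL_NO_DEFAULT_ZLIB=1 export. The sample config and sysconfig contents are constructed from the posts above; the audit also flags RC4 itself, since RFC 7465 has since prohibited it.

```python
# Constructed sample: the ssl.conf directives this thread settled on.
FIXED_CONF = """
SSLHonorCipherOrder On
SSLProtocol -all +TLSv1 +SSLv3
SSLInsecureRenegotiation off
SSLCipherSuite RC4-SHA:HIGH:!MD5:!aNULL:!EDH:!ADH
"""
SYSCONFIG_HTTPD = "export OPENSSL_NO_DEFAULT_ZLIB=1\n"   # constructed /etc/sysconfig/httpd
ALL_PROTOS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def parse_directives(text):
    """Map each active (uncommented) directive, case-folded, to its last value."""
    found = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def enabled_protocols(value):
    """Expand an SSLProtocol value such as 'all -SSLv2' or '-all +TLSv1 +SSLv3'."""
    enabled = set()
    for tok in (value.split() or ["all"]):
        sign, name = (tok[0], tok[1:].lower()) if tok[0] in "+-" else ("+", tok.lower())
        names = ALL_PROTOS if name == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled

def audit_ssl_conf(conf_text, sysconfig_httpd=""):
    """Report BEAST/CRIME exposure using the same criteria the thread's fix relies on."""
    d = parse_directives(conf_text)
    protos = enabled_protocols(d.get("sslprotocol", "all"))
    ciphers = d.get("sslciphersuite", "").upper()
    honor = d.get("sslhonorcipherorder", "").lower() == "on"
    # BEAST needs a CBC cipher under SSLv3/TLS1.0: either drop those versions or
    # (the 2013 fix) have the server insist on the RC4 stream cipher first.
    beast_ok = not (protos & {"sslv3", "tlsv1"}) or (honor and ciphers.startswith("RC4"))
    # CRIME needs TLS compression: SSLCompression off, or the env var used in this thread.
    crime_ok = (d.get("sslcompression", "").lower() == "off"
                or "OPENSSL_NO_DEFAULT_ZLIB=1" in sysconfig_httpd)
    findings = []
    if not beast_ok:
        findings.append("BEAST: a CBC cipher may be negotiated under SSLv3/TLS1.0")
    if not crime_ok:
        findings.append("CRIME: TLS compression is not disabled")
    if "RC4" in ciphers and "!RC4" not in ciphers:
        findings.append("RC4 enabled: prohibited by RFC 7465; prefer TLS 1.1+ without RC4")
    return {"beast": beast_ok, "crime": crime_ok, "findings": findings}
```

Feed it the real files with audit_ssl_conf(open('/etc/httpd/conf.d/ssl.conf').read(), open('/etc/sysconfig/httpd').read()); TestSSLServer remains the authoritative check, since it observes what the running server actually negotiates.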
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
And here's the script that does it all...
Code:
cd /etc/httpd/conf.d
mv ssl.conf ssl.conf.old
wget http://pbxinaflash.com/ssl.conf.tar.gz
tar zxvf ssl.conf.tar.gz
rm ssl.conf.tar.gz
echo "export OPENSSL_NO_DEFAULT_ZLIB=1" >> /etc/sysconfig/httpd
service httpd restart
cd /root
wget http://www.bolet.org/TestSSLServer/TestSSLServer.jar
java -jar TestSSLServer.jar localhost 443
 

dhatz

New Member
Joined
May 26, 2013
Messages
10
Reaction score
1
Was the victim of attacks that use TLSv1 via SSL exploitation.
Took me a little while to figure out how they accessed my box when I close virtually all ports to the external world.


Thanks for the feedback.

Have you actually found evidence that it was indeed a BEAST attack, or did you conclude that with deductive reasoning ("reductio ad absurdum", "εις άτοπον απαγωγή") after having excluded everything else?
 

Brian Simmons

Active Member
Joined
May 22, 2013
Messages
166
Reaction score
35
Thanks Patrolg for bringing this vulnerability to light (I wish it was under better circumstances) and thanks to Ward for creating an easy process to fix your system.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
And thanks to Brian for documenting what actually solved the problem.
 

darmock

PIAF Developer
Joined
Oct 18, 2007
Messages
2,892
Reaction score
98
I will roll this out via update-fixes and all new installs will have it in place. This will take a few days, however, as we are in the middle of MASSIVE upgrades to our infrastructure plus we are on the cusp of a new ISO release that deals with other security problems.


Tom
 

rinse78

New Member
Joined
Nov 12, 2008
Messages
3
Reaction score
0
These instructions worked great except for the fact that my server processes anything with a ".conf" extension. So, it also processed ssl.old.conf.
The following command should work better and prevent httpd from processing it:
Code:
mv ssl.conf ssl.conf.old
 
Joined
May 22, 2013
Messages
301
Reaction score
44
Does any of this affect Raspberry Pi? I'm guessing not as it's CentOS but would like to be sure.
 

dhatz

New Member
Joined
May 26, 2013
Messages
10
Reaction score
1
It potentially affects any secure (SSL/TLS) web server. You can simply run the aforementioned Java software to check for yourself. Btw, the default configuration of Debian 6.x (squeeze) is also "vulnerable".

As I asked above, I'd be most interested to know how the OP concluded that his Asterisk PBX's compromise was due to a BEAST attack. I'm not saying it's not possible, but it'd mean that (some) cybercriminals have taken this to whole different level ...
 

patrolg

New Member
Joined
Jan 23, 2010
Messages
3
Reaction score
0
Thanks for the feedback.

Have you actually found evidence that it was indeed a BEAST attack, or did you conclude that with deductive reasoning ("reductio ad absurdum", "εις άτοπον απαγωγή") after having excluded everything else?

/var/log/httpd/ssl_access_log
Example listed:
184.22.234.58 - - [05/May/2013:10:18:51 -0400] "GET /admin/config.php HTTP/1.0" 401 481
208.80.194.127 - - [02/Jun/2013:12:23:56 -0400] "GET / HTTP/1.0" 200 9204
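
To get more out of entries like these than a glance gives, here is an added example (not from the thread) that parses Apache common-log lines and separates admin-interface requests from public addresses, and repeated 401s, from ordinary traffic. The sample is the two lines above plus constructed LAN and repeat entries; the admin path prefixes are an assumption about a FreePBX-style GUI.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in Apache common log format: the two lines from the post
# plus a LAN admin login and a repeat failure, so both branches are exercised.
SAMPLE_LOG = """\
184.22.234.58 - - [05/May/2013:10:18:51 -0400] "GET /admin/config.php HTTP/1.0" 401 481
208.80.194.127 - - [02/Jun/2013:12:23:56 -0400] "GET / HTTP/1.0" 200 9204
192.168.0.20 - - [02/Jun/2013:12:30:01 -0400] "GET /admin/config.php HTTP/1.1" 200 9204
184.22.234.58 - - [05/May/2013:10:18:53 -0400] "GET /admin/config.php HTTP/1.0" 401 481
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Assumption: FreePBX-style admin paths; adjust to the PBX GUI actually installed.
ADMIN_PREFIXES = ("/admin/", "/recordings/", "/maint/")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["public"] = not ipaddress.ip_address(rec["ip"]).is_private
    return rec

def triage(log_text):
    """Count admin-interface requests from public addresses and 401s per source.

    Repeated 401s against /admin from the Internet point to direct credential
    guessing on the GUI, which no TLS cipher setting prevents."""
    admin_hits, auth_failures, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["public"] and rec["path"].startswith(ADMIN_PREFIXES):
            admin_hits[rec["ip"]] += 1
        if rec["status"] == 401:
            auth_failures[rec["ip"]] += 1
    return {"public_admin_hits": admin_hits, "auth_failures": auth_failures,
            "unparsed": unparsed}
```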
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
Unless I'm missing something, the SSL vulnerabilities only expose you to possible man-in-the-middle exploits where data could be snooped in-transit. Don't see how that applies here, unless you are regularly accessing your PBX admin site over the Internet and someone is capturing packets in between.
 

miguel

Member
Joined
May 22, 2013
Messages
276
Reaction score
8
Update-fixes has added this patch but I have a problem: it failed installing on my system:

Purple, 2.06.2
Asterisk 1.8.22.0

Could anybody explain this? Maybe post a fix.

Thank you.

MN
 

merk

Guru
Joined
Sep 5, 2008
Messages
66
Reaction score
1
Update-fixes has added this patch but I have a problem: it failed installing on my system:

Purple, 2.06.2
Asterisk 1.8.22.0

Could anybody explain this? Maybe post a fix.

Thank you.

MN

Same, anyone have any ideas?

EDIT - Following Ward's guide above manually seems to have worked; it says protected.
 

darmock

PIAF Developer
Joined
Oct 18, 2007
Messages
2,892
Reaction score
98
How long is a piece of rope?

Really guys, you need to provide a little more detail than "broke - fix it". So what do the logs say? /var/log/update-fixes.log? What did you see on screen? More info is the only way this will ever be fixed.


Tom
 

miguel

Member
Joined
May 22, 2013
Messages
276
Reaction score
8
I can confirm the script Ward posted works great, but update-fixes just gets an error at the end and does not install it. One question: how does this help?
 
