CVE-2013-2566: TLS/SSL Server Supports RC4 Cipher Algorithms

CVE ID

CVE-2013-2566

DESCRIPTION

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

Risk: LOW

Complexity: High

The risk is so low that neither Red Hat nor Ubuntu intends to make a change for this issue. See the detailed explanation below.

Unitrends summary

The exposure risk is so low that no change is needed.

Red Hat Response

The MITRE CVE dictionary describes this issue as: 
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

Find out more about CVE-2013-2566 from the MITRE CVE dictionary and NIST NVD.

This flaw is related to the design of the RC4 protocol and not its implementation. More details and a possible workaround are mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=921947#c8. Therefore there are no plans to correct this issue in Red Hat Enterprise Linux 5 and 6.

Ubuntu Response

See http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2566.html

jdstrand: "At present, naive attacks need tens to hundreds of millions of TLS connections. Optimized attacks are not present yet. ... [and] we can't just disable RC4"
mdeslaur: "marking as ignored since there is no actionable item"

RESOLUTION

No action is required.

LINK TO ADVISORIES
