CVE-2013-2566: TLS/SSL Server Supports RC4 Cipher Algorithms - Connect IT Community | Kaseya
<main> <article class="userContent">
<h3 data-id="cve-id"><strong>CVE ID</strong></h3>
<p>CVE-2013-2566</p>
<h3 data-id="description"><strong>DESCRIPTION</strong></h3>
<p>The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.<br><br>Risk: LOW<br><br>Complexity: High<br><br>The risk is so low that neither Red Hat nor Ubuntu intends to make a change for this issue. See the detailed explanation below.</p>
<h3 data-id="unitrends-summary">Unitrends summary</h3>
<p>The exposure risk is so low that no change is needed.</p>
<h3 data-id="red-hat-response">Red Hat Response</h3>
<p>The MITRE CVE dictionary describes this issue as:<br>The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.<br><br>Find out more about CVE-2013-2566 from the MITRE CVE dictionary and NIST NVD.<br><br>This flaw is related to the design of the RC4 protocol and not its implementation. More details and a possible workaround are mentioned in <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fbugzilla.redhat.com%2Fshow_bug.cgi%3Fid%3D921947%23c8">https://bugzilla.redhat.com/show_bug.cgi?id=921947#c8</a>. Therefore, there are no plans to correct this issue in Red Hat Enterprise Linux 5 and 6.</p>
<h3 data-id="ubuntu-response">Ubuntu Response</h3>
<p>See <a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fpeople.canonical.com%2F%7Eubuntu-security%2Fcve%2F2013%2FCVE-2013-2566.html">http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2566.html</a></p>
<p>jdstrand: "<i>At present, naive attacks need tens to hundreds of millions of TLS connections. Optimized attacks are not present yet. ... [and] we can't just disable RC4</i>"<br>mdeslaur: "<i>marking as ignored since there is no actionable item</i>"</p>
<h3 data-id="resolution"><strong>RESOLUTION</strong></h3>
<p>No action is required.</p>
<h3 data-id="link-to-advisories"><strong>LINK TO ADVISORIES</strong></h3>
<ul><li><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Faccess.redhat.com%2Fsecurity%2Fcve%2FCVE-2013-2566">https://access.redhat.com/security/cve/CVE-2013-2566</a></li></ul>
</article> </main>
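The single-byte bias the CVE text refers to can be measured directly. The added example below (not part of the Kaseya page or any vendor's code) implements textbook RC4 and shows the best-known bias, Mantin and Shamir's observation that the second keystream byte is 0 about twice as often as chance; the 128-bit keys and the fixed seed are constructed for the demonstration. Because the bias is only a few parts in a thousand, it takes many thousands of independent encryptions to see it clearly, which is why the quoted Ubuntu assessment talks about tens to hundreds of millions of TLS connections.

```python
"""Measure the Mantin-Shamir single-byte bias in RC4 keystream output.

The second keystream byte Z2 is 0 with probability close to 2/256 instead of
the 1/256 a uniform keystream would give.  Since TLS XORs the keystream over
the plaintext, a byte-position bias like this leaks information about any
plaintext byte that is repeated across many sessions.
"""
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes of RC4 for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def zero_frequencies(samples: int, seed: int = 2013) -> dict:
    """Generate `samples` independent 128-bit keys (constructed from a seeded PRNG)
    and return how often the first and second keystream bytes are 0, as fractions.

    Z1 should sit near the uniform value 1/256; Z2 should sit near 2/256.
    """
    rng = random.Random(seed)
    z1_zero = z2_zero = 0
    for _ in range(samples):
        key = rng.getrandbits(128).to_bytes(16, "big")
        z1, z2 = rc4_keystream(key, 2)
        z1_zero += z1 == 0
        z2_zero += z2 == 0
    return {"Z1": z1_zero / samples, "Z2": z2_zero / samples}


if __name__ == "__main__":
    freq = zero_frequencies(20000)
    print(f"uniform 1/256 = {1/256:.5f}")
    print(f"Pr[Z1 = 0]    = {freq['Z1']:.5f}   (close to uniform)")
    print(f"Pr[Z2 = 0]    = {freq['Z2']:.5f}   (about twice uniform)")
```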