Prevent the Bar Mitzvah attack on Virtual Services
Information
Summary: This article describes how to prevent Bar Mitzvah attacks against connections through Virtual Services (VSs).
Environment: Product: LoadMaster; Version: Any; Platform: Any; Application: Any application using a protocol that supports SSL.
Question/Problem Description: Our OWA redirect is vulnerable to the SSL Bar Mitzvah vulnerability. How do we fix this?
Steps to Reproduce: Connect to the VS with a client that negotiates an RC4 cipher.
Error Message:
Defect Number:
Enhancement Number:
Cause: RC4 ciphers are being used by the client.
Resolution: This can be prevented on the Virtual Service by navigating to Virtual Services > View/Modify Services and modifying the desired VS. Expand SSL Properties and change the Cipher Set to "Default_NoRC4" or "BestPractices". A Custom Cipher Set can also be used by following the instructions in this article: https://support.kemptechnologies.com/hc/en-us/articles/360035631391-How-To-Create-Restore-Custom-Cipher-Sets
Workaround: Locate the end user and prevent them from using RC4 ciphers.
Notes:
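To confirm that the new cipher set actually took effect, the following added example (not from this article or from Kemp) sends a TLS ClientHello that offers only RC4 cipher suites to a VS and reports whether the server accepts one; the host name and port are assumptions, and the suite IDs are the IANA-registered values.

```python
import os
import socket
import struct

# RC4 cipher suites as registered in the IANA TLS Cipher Suite registry.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def build_client_hello(suites, version=(3, 3)):
    """Minimal TLS ClientHello record (client_version TLS 1.2) offering only `suites`."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!BB", *version) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type ClientHello, 3-byte length
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake

def parse_server_response(data):
    """Return the cipher suite ID chosen in a ServerHello, or None for an alert or non-TLS data."""
    if len(data) < 5 or data[0] != 0x16:      # 0x15 is an alert record, e.g. handshake_failure
        return None
    hs = data[5:]
    if len(hs) < 39 or hs[0] != 0x02:         # first handshake message must be ServerHello
        return None
    sid_len = hs[38]                          # after 4-byte header, 2-byte version, 32-byte random
    off = 39 + sid_len
    if len(hs) < off + 2:
        return None
    return struct.unpack("!H", hs[off:off + 2])[0]

def server_accepts_rc4(host, port=443, timeout=5.0):
    """Offer only RC4 suites; return the accepted suite name, or None if the VS refuses them."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(RC4_SUITES)))
        data = sock.recv(4096)
    return RC4_SUITES.get(parse_server_response(data))

if __name__ == "__main__":
    # Hypothetical VS address; replace with the VS you just reconfigured.
    print(server_accepts_rc4("vs.example.internal", 443) or "RC4 refused")
```

After switching the VS to "Default_NoRC4" or "BestPractices" the probe should report "RC4 refused"; a returned suite name means RC4 is still negotiable.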
Comments

Timo,
Yes, the "BestPractices" cipher set can be used as well. The article has been updated to reflect this option.
Timo Reindel
Can you recommend using the "BestPractices" cipher set as well?