BEAST vs RC4 Ciphers vs PCI
This topic has been the cause of many debates internally here at Pure Hacking. I'll try to summarise the key points that form the basis for our recommendation.
- The BEAST vulnerability (CVE-2011-3389) has a CVSS score of 4.3. The recommendation was to prioritise RC4 ciphers over CBC ciphers to mitigate the issue.
- After BEAST, a vulnerability was discovered with RC4 ciphers (CVE-2013-2566) that has an associated CVSS score of 2.6.
- PCI Approved Scanning Vendors (ASVs) will fail you if you have any vulnerability with a CVSS score of 4.0 or higher. This is spelled out on page 23 of the ASV Program Guide (https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf).
- To exploit BEAST you are actually exploiting the issue on the client side of the SSL connection, i.e. in the browser. Since BEAST was originally disclosed, the vast majority of browsers have remediated the issue, so the real-world risk associated with BEAST is lower and the CVSS score of 4.3 really should be lowered, but it hasn't been.
Whilst PCI ASVs can technically overrule a CVSS score (albeit with some really good justification), I've never seen this happen in reality. Therefore, if BEAST is detected on your systems you will fail a PCI scan and you must remediate it.
Based on all the above, if you must be compliant with PCI, prioritising RC4 ciphers is the way to go. Nessus and Qualys scanners, and even SSL Labs, will still flag the use of RC4 ciphers as an issue, but the CVSS score for that finding is only 2.6, so a PCI ASV will allow a pass.
If you are NOT subject to PCI compliance requirements then it doesn't really matter either way. BEAST has been largely mitigated, and there is no public exploit for the RC4 cipher issue, which has a low CVSS score anyway.
There is a way to get rid of both issues entirely, but it requires disabling various protocols and ciphers to the point where you will probably prevent a good chunk of the user population from using the associated service or web application. This is not recommended, as the risk of business impact will be more significant than the risk posed by the BEAST and RC4 vulnerabilities.
- If you have to be PCI compliant, prioritise RC4 to get rid of BEAST and pass your ASV scans.
- If you don't have to be PCI compliant, there is nothing to be concerned about. Either way you will have one of two very low-risk issues.
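As an added illustration (not part of the original post), here is a small Python model of the decision above: it classifies a server's cipher preference order, reports which of the two findings a scan would raise using the CVSS scores quoted here, and applies the ASV 4.0 fail line. The scanner behaviour, the protocol set and the sample cipher lists are simplifying assumptions, not any vendor's actual logic.

```python
PCI_ASV_FAIL_THRESHOLD = 4.0            # ASV Program Guide: CVSS 4.0 or higher fails
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}  # CBC IV-chaining issue; TLS 1.1+ use explicit IVs

# The two findings discussed in the post, with the CVSS scores quoted there.
FINDINGS = {
    "BEAST": {"cve": "CVE-2011-3389", "cvss": 4.3},
    "RC4": {"cve": "CVE-2013-2566", "cvss": 2.6},
}

def classify_suite(name):
    """Map an IANA or OpenSSL cipher-suite name to RC4 / CBC / AEAD / OTHER."""
    n = name.upper()
    if "RC4" in n:
        return "RC4"
    if any(tok in n for tok in ("GCM", "CCM", "CHACHA20")):
        return "AEAD"
    # OpenSSL names such as AES128-SHA or DES-CBC3-SHA omit an explicit CBC marker.
    if "CBC" in n or any(tok in n for tok in ("AES", "DES", "CAMELLIA", "SEED")):
        return "CBC"
    return "OTHER"

def assess(cipher_order, protocols):
    """Findings for a server preference list (highest priority first). Simplified
    scanner model (an assumption, not any vendor's logic): BEAST is raised when a
    legacy-protocol client is steered to a CBC suite before any RC4 suite; the RC4
    finding is raised whenever an RC4 suite is enabled."""
    kinds = [classify_suite(c) for c in cipher_order]
    findings = []
    if set(protocols) & BEAST_PROTOCOLS:
        # AEAD suites need TLS 1.2, so a TLS 1.0 client lands on the first CBC/RC4 suite.
        first_legacy = next((k for k in kinds if k in ("CBC", "RC4")), None)
        if first_legacy == "CBC":
            findings.append(dict(name="BEAST", **FINDINGS["BEAST"]))
    if "RC4" in kinds:
        findings.append(dict(name="RC4", **FINDINGS["RC4"]))
    return findings

def pci_asv_pass(findings):
    """True when no reported finding reaches the ASV automatic-fail score."""
    return all(f["cvss"] < PCI_ASV_FAIL_THRESHOLD for f in findings)

if __name__ == "__main__":
    # Constructed sample configurations, not taken from a real server.
    for order, protos in [(["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"], {"TLSv1.0", "TLSv1.2"}),
                          (["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"], {"TLSv1.0", "TLSv1.2"}),
                          (["ECDHE-RSA-AES128-GCM-SHA256"], {"TLSv1.2"})]:
        found = assess(order, protos)
        print(order[0], [f["name"] for f in found], "PCI pass:", pci_asv_pass(found))
```

The three sample runs reproduce the post's three outcomes: CBC first fails on BEAST, RC4 first passes with only the 2.6 finding, and a TLS 1.2 AEAD-only configuration has neither issue at the cost of legacy clients.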
Until the situation with BEAST changes (in terms of the CVSS score), Pure Hacking will report it if detected.