Windows Azure Beast Exploit

时间:2012-12-21 21:44:16

标签: azure

我有一个正在运行PCI兼容性扫描并获得以下内容的客户端:

BEAST (Browser Exploit Against SSL/TLS) Vulnerability
The SSL protocol encrypts data by using CBC mode with chained
initialization vectors. This allows an attacker, which is has gotten
access to an HTTPS session via man-in-the-middle (MITM) attacks or other means, to obtain plain text HTTP headers via
a blockwise chosen-boundary attack (BCBA) in conjunction with
Javascript code that uses the HTML5 WebSocket API, the Java
URLConnection API, or the Silverlight WebClient API. This
vulnerability is more commonly referred to as Browser Exploit Against
SSL/TLS or "BEAST".
CVE: CVE-2011-3389
NVD: CVE-2011-3389
Bugtraq: 49778
CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N(4.30)
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=665814,
http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslciphersuite,
http://technet.microsoft.com/en-us/security/bulletin/ms12-006
Service: http
Evidence:
Cipher Suite: SSLv3 : DES-CBC3-SHA
Cipher Suite: SSLv3 : RC4-SHA
Cipher Suite: SSLv3 : RC4-MD5
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1 : DES-CBC3-SHA
Cipher Suite: TLSv1 : RC4-SHA
Cipher Suite: TLSv1 : RC4-MD5

他们的网站托管在Windows Azure上;既然管理这些服务器有推荐的方法来堵塞这个漏洞吗?

1 个答案:

答案 0 :(得分:2)

你在Azure中运行的是什么?它是Web角色吗? Azure网站?您在IaaS模式下拥有自己的Windows服务器?

如果您正在运行Web角色,您运行的是最新的Windows操作系统吗? Microsoft于2012年4月在Web角色中修补了此问题。

http://msdn.microsoft.com/en-us/library/windowsazure/hh967599.aspx

如果您通过IaaS模式运行Windows Server,则自行负责修补服务器。