Cisco Bug: CSCul12855 - CVE-2011-3389 - Mitigate the BEAST attack on web UI (Apache TCP/443)

Last Modified

Apr 30, 2020

Products (2)

  • Cisco TelePresence Video Communication Server (VCS)
  • Cisco TelePresence Video Communication Server Model

Known Affected Releases

X7.2.1

Description (partial)



Symptom:

Cisco Video Communication Servers (VCS) enable a number of SSL ciphers by default. The default configuration in releases X8.0 and X8.1 is: ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:HIGH:!ADH:!aNULL.

This means that suites that may be affected by issues such as the RC4 weakness (CVE-2013-2566), BEAST (CVE-2011-3389), or Lucky 13 (CVE-2013-0169) are enabled. By default, no GUI method is provided for customizing these values to match a customer's security policy.



Conditions:

Cisco Video Communication Servers running a version of Cisco VCS software prior to X8.1.
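
An added example, not Cisco's code and not part of the original bug record: it takes the default cipher string quoted under Symptom, expands it with the local OpenSSL build through Python's ssl module, and buckets each suite as RC4, CBC or AEAD by name. The helper names and the name-based classification are assumptions of this example, and the local expansion only approximates what the OpenSSL build on a VCS would enable.

```python
import ssl

# Default cipher string quoted in the bug description (releases X8.0 and X8.1).
VCS_DEFAULT = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:HIGH:!ADH:!aNULL"

# Name fragments that mark an AEAD bulk cipher in OpenSSL suite names.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")


def classify(suite):
    """Bucket a suite by bulk-cipher construction (heuristic, by name only)."""
    name = suite.upper()
    if "RC4" in name:
        return "RC4"   # RC4 keystream biases: CVE-2013-2566
    if any(marker in name for marker in AEAD_MARKERS):
        return "AEAD"  # neither RC4 nor CBC
    if "NULL" in name:
        return "NULL"  # no encryption at all
    # Assumption: every remaining suite is a block cipher in CBC mode with
    # HMAC, the construction relevant to Lucky 13 and, under TLS 1.0, BEAST.
    return "CBC"


def explicit_suites(cipher_string):
    """Suites named literally, skipping keywords (HIGH) and !/+/- operators."""
    return [t for t in cipher_string.split(":")
            if "-" in t[1:] and t[0] not in "!+-"]


def expand(cipher_string):
    """Expand with the local OpenSSL; suites this build lacks are omitted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit(names):
    """Group suite names by the class returned from classify()."""
    report = {}
    for name in names:
        report.setdefault(classify(name), []).append(name)
    return report


if __name__ == "__main__":
    print("named explicitly:", audit(explicit_suites(VCS_DEFAULT)))
    for kind, suites in sorted(audit(expand(VCS_DEFAULT)).items()):
        print(f"{kind:5} {len(suites):3}  {', '.join(suites)}")
```

Of the three suites the string names explicitly, only AES128-GCM-SHA256 is AEAD; the HIGH keyword then adds whatever further suites the local build ranks as high strength.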

Related Community Discussions

VCS encryption question
We need to verify what the VCS has enabled / disabled as far as encryption. The VCS must have - DES encryption disabled. - TLSv1.0 disabled. - CBC encryption mode disabled. - RC4 hashing disabled. How do I go about confirming this?
Latest activity: Dec 09, 2015