Bug 809908 (CVE-2013-2566) - VUL-1: CVE-2013-2566: RC4: new weakness discovered
Summary: VUL-1: CVE-2013-2566: RC4: new weakness discovered
Status: RESOLVED FIXED
Alias: CVE-2013-2566
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:NVD:CVE-2013-2566:4.3:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-18 08:55 UTC by Marcus Meissner
Modified: 2019-10-24 13:33 UTC
5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2013-03-18 08:55:37 UTC
via CVE DB and Dan Bernstein:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. 


MISC:http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
MISC:http://cr.yp.to/talks/2013.03.12/slides.pdf
MISC:http://www.isg.rhul.ac.uk/tls/
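The single-byte keystream biases the description refers to can be measured directly. The block below is an added demonstration, not code from the bug report or from SUSE: it runs a textbook RC4 over many random 16-byte keys (a constructed, seeded sample; key length and sample size are illustrative choices) and shows that the second keystream byte is zero about twice as often as a uniform byte would be, which is exactly the kind of statistical skew that plaintext recovery across many sessions relies on.

```python
"""Added demonstration (not from the bug report): measure the RC4
second-keystream-byte bias that CVE-2013-2566 is about."""
import random
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def keystream_byte_histogram(position: int, num_keys: int, seed: int = 1) -> Counter:
    """Distribution of keystream byte `position` (1-based) over num_keys
    random 16-byte keys from a seeded generator (constructed sample; the
    key length and sample size are illustrative choices, not page values)."""
    rng = random.Random(seed)
    hist = Counter()
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        hist[rc4_keystream(key, position)[position - 1]] += 1
    return hist


def second_byte_zero_bias(num_keys: int = 40000) -> float:
    """How much more often Z2 == 0 occurs than the uniform 1/256 rate.
    RC4 gives roughly 2.0 (the Mantin-Shamir bias); an unbiased
    keystream would give about 1.0."""
    hist = keystream_byte_histogram(2, num_keys)
    return (hist[0] / num_keys) * 256


if __name__ == "__main__":
    ratio = second_byte_zero_bias()
    print(f"P(Z2 == 0) is {ratio:.2f} times the uniform rate")
```

Running the block prints a ratio close to 2; any other value of the second byte stays close to 1, which is why the histogram's most frequent value is 0.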
Comment 1 Swamp Workflow Management 2013-03-18 23:01:24 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-09-04 11:01:33 UTC
We are phasing out RC4, moving towards TLS 1.2, etc.
Comment 3 Zhigang Gao 2016-07-28 06:17:28 UTC
Customer question:
Does this CVE affect suse11sp1? 
Does this CVE affect suse11sp3?
Comment 4 Marcus Meissner 2016-07-28 08:01:13 UTC
Yes.
Comment 5 Marcus Meissner 2016-10-13 06:29:13 UTC
RC4 can be disabled in most services by supplying !RC4 in the cipher list.
Comment 6 Zhigang Gao 2017-01-11 08:26:25 UTC
(In reply to Marcus Meissner from comment #5)
> RC4 can be disabled in most services by supplying !RC4 in the cipher list.

Hi:
May I know which config file I should modify?
The customer wants a guide to "disable RC4".
Comment 7 Marcus Meissner 2017-01-23 16:27:53 UTC
It depends on the service; all services have separate cipher configurations
in their configuration files.
Comment 8 Robert Frohl 2019-10-24 13:33:52 UTC
resolved