Sid 1-37025

Message

POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt

Summary

This event is generated when a weak SSL/TLS RC4 cipher suite is detected.

Impact

Potential Corporate Privacy Violation

CVE-2015-2808:

CVSS base score 4.3

CVSS impact score 2.9

CVSS exploitability score 8.6

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Detailed information

CVE-2015-2808: The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
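The condition named in the Summary can be checked on a captured handshake. The following is an added example, not the rule's own logic or Talos code. It assumes the check is made on the suite the server selects in its ServerHello, since the page does not state which handshake message the rule inspects. The function names and the sample records are constructed for illustration.

```python
# IANA cipher suite IDs whose bulk cipher is RC4.
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5", 0x0020: "TLS_KRB5_WITH_RC4_128_SHA",
    0x0024: "TLS_KRB5_WITH_RC4_128_MD5", 0x0028: "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    0x002B: "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", 0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0x008E: "TLS_DHE_PSK_WITH_RC4_128_SHA", 0x0092: "TLS_RSA_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", 0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA", 0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA", 0xC033: "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
}

def selected_suite(record: bytes):
    """Return the cipher suite ID chosen in a TLS ServerHello record, else None."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                # 0x02 = ServerHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                              # version(2) + random(32) + sid_len(1)
        return None
    off = 35 + body[34]                             # skip the variable-length session ID
    if len(body) < off + 2:                         # truncated before the suite field
        return None
    return int.from_bytes(body[off:off + 2], "big")

def rc4_negotiated(record: bytes):
    """Return the RC4 suite name if the server selected one, else None."""
    return RC4_SUITES.get(selected_suite(record))

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ServerHello record."""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + suite.to_bytes(2, "big") + b"\x00")   # null compression, no extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for suite in (0x0005, 0xC011, 0xC02F):          # last one is an AES-GCM suite
        print(hex(suite), rc4_negotiated(build_server_hello(suite)))
```

A hit means the server chose RC4 for that session; removing RC4 suites from the server's cipher list is what stops the event at the source.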

Affected systems

  • apple safari *
  • google chrome -
  • ibm websphereapplicationserver *
  • jboss jbossenterpriseapplication_server *
  • microsoft ie *
  • microsoft iis *
  • mozilla firefox *
  • opera opera_browser -
  • oracle glassfish *
  • sun glassfishenterpriseserver *

Ease of attack

CVE-2015-2808:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

False positives

None Known

False negatives

None Known

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • osvdb.org/show/osvdb/117855