CVE ID
CVE-2013-2566
DESCRIPTION
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Risk: LOW
Complexity: High
The risk is so low that neither Red Hat nor Ubuntu intends to make a change for this issue. See the detailed explanation below.
Unitrends summary
The exposure risk is so low that no change is needed.
Red Hat Response
The MITRE CVE dictionary describes this issue as:
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Find out more about CVE-2013-2566 from the MITRE CVE dictionary and NIST NVD.
This flaw is related to the design of the RC4 protocol and not its implementation. More details and a possible workaround are given in https://bugzilla.redhat.com/show_bug.cgi?id=921947#c8. Therefore there are no plans to correct this issue in Red Hat Enterprise Linux 5 and 6.
Ubuntu Response
See http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2566.html
jdstrand: "At present, naive attacks need tens to hundreds of millions of TLS connections. Optimized attacks are not present yet. ... [and] we can't just disable RC4"
mdeslaur: "marking as ignored since there is no actionable item"
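The following is an added illustration of the statistical attack described above; it is not code from Unitrends, Red Hat, Ubuntu or the cited researchers. It uses the best-known of RC4's single-byte biases (the second keystream byte is 0 with probability about 1/128 rather than 1/256, first described by Mantin and Shamir) to recover one plaintext byte purely from ciphertexts of many sessions that encrypt the same plaintext under different keys. The 16-byte random keys, the fixed plaintext and the session counts are constructed for the demonstration and are assumptions of this example, not values from the advisory.

```python
"""Added example: plaintext recovery from RC4 single-byte keystream biases.

Illustrative code written for this page (not vendor code). Ciphertext byte =
plaintext byte XOR keystream byte, so where the keystream byte is 0 more often
than any other value, the most frequent ciphertext byte seen across many
sessions at that position is the plaintext byte itself.
"""
import random
from collections import Counter
from typing import List


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA then PRGA); returns the first `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _random_key(rng: random.Random) -> bytes:
    # Constructed 128-bit session key; real TLS keys come from the handshake.
    return bytes(rng.getrandbits(8) for _ in range(16))


def zero_fraction(position: int, sessions: int, seed: int = 0) -> float:
    """Fraction of random keys whose keystream byte at `position` is 0.

    An unbiased byte would give about 1/256 = 0.0039; position 1 (the second
    keystream byte) gives about 1/128 = 0.0078. This measures the bias itself,
    which an attacker would precompute offline.
    """
    rng = random.Random(seed)
    zeros = 0
    for _ in range(sessions):
        if rc4_keystream(_random_key(rng), position + 1)[position] == 0:
            zeros += 1
    return zeros / sessions


def encrypt_sessions(plaintext: bytes, sessions: int, seed: int = 0) -> List[bytes]:
    """Constructed traffic: the same plaintext encrypted under `sessions`
    independent random keys, as when a client resends the same secret."""
    rng = random.Random(seed)
    ciphertexts = []
    for _ in range(sessions):
        ks = rc4_keystream(_random_key(rng), len(plaintext))
        ciphertexts.append(bytes(p ^ k for p, k in zip(plaintext, ks)))
    return ciphertexts


def recover_plaintext_byte(ciphertexts: List[bytes], position: int) -> int:
    """Statistical recovery of one plaintext byte from ciphertexts only.

    Because the keystream byte at `position` is 0 more often than any other
    value, the most common ciphertext byte there equals P XOR 0 = P.
    """
    counts = Counter(ct[position] for ct in ciphertexts)
    value, _ = counts.most_common(1)[0]
    return value


if __name__ == "__main__":
    secret = b"GET / HTTP/1.1"  # constructed plaintext repeated across sessions
    print("Pr[Z2 = 0] over 8192 random keys:", zero_fraction(1, 8192, seed=2))
    cts = encrypt_sessions(secret, 16384, seed=1)
    guess = recover_plaintext_byte(cts, 1)
    print("recovered byte at position 1:", chr(guess), "expected:", chr(secret[1]))
```

This example uses only the strongest single-byte bias, so a few thousand sessions suffice for one byte. In TLS the first keystream bytes encrypt the Finished message rather than application data, so a real attack must rely on the much weaker biases at later positions and on the full per-position byte distribution rather than the zero bias alone, which is why the Ubuntu response above speaks of tens to hundreds of millions of connections.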
RESOLUTION
No action is required.