SUMMARY
The Unitrends system is not vulnerable to the BEAST attack.
CVE ID
CVE-2011-3389
DESCRIPTION
The SSL protocol, as used in certain configurations, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plain-text HTTP headers via a block-wise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
The attack uses web browser extensions to exploit a weakness in SSLv3/TLSv1.0 cipher-block chaining (CBC), allowing a man-in-the-middle attacker to recover certain session information, such as cookie data, from what should be a secure connection.
RESOLUTION
Unitrends assessment: No Risk
The Unitrends security updates disable TLSv1.0 and SSLv3. For the 3 attack methods: no Red Hat or CentOS version is vulnerable to the WebSockets method, the Unitrends software does not include Java applets, and Silverlight is not supported.
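A configuration check for the mitigation named above, added here as an example and not taken from Unitrends. It assumes the HTTPS listener is Apache httpd with mod_ssl (the advisory does not say which server is used) and reports, for each `SSLProtocol` directive, whether SSLv3 or TLSv1.0 is still enabled. The sample configuration is constructed, and `all` is treated conservatively as every protocol version.

```python
import re

LEGACY = {"SSLv3", "TLSv1"}  # the two versions the advisory says are disabled
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
BY_NAME = {p.lower(): p for p in KNOWN}  # accept protocol names in any letter case

# Constructed sample, not taken from a Unitrends system.
SAMPLE = """\
# constructed httpd configuration
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv3 -TLSv1
</VirtualHost>
"""

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right: + adds, - removes."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            selected = set(KNOWN)  # assumption: treat 'all' as every version
        elif name in BY_NAME:
            selected = {BY_NAME[name]}
        else:
            raise ValueError(f"unknown protocol token {token!r}")
        if sign == "-":
            enabled -= selected
        elif sign == "+":
            enabled |= selected
        else:
            enabled = selected  # a bare token replaces earlier settings
    return enabled

def audit(config_text):
    """Return (line number, legacy versions still enabled) per SSLProtocol line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if match:
            legacy = sorted(effective_protocols(match.group(1)) & LEGACY)
            findings.append((number, legacy))
    return findings

if __name__ == "__main__":
    for number, legacy in audit(SAMPLE):
        print(f"line {number}: {'FAIL ' + ', '.join(legacy) if legacy else 'ok'}")
```

A directive that reports an empty list has both CBC-with-chained-IV protocol versions switched off; any listed version means that listener can still negotiate a protocol affected by CVE-2011-3389.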