Description

The FREAK attack is a SSL/TLS vulnerability that allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use 'export-grade' cryptography, which can then be decrypted or altered. Websites that support RSA export cipher suites are at risk to having HTTPS connections intercepted.

Remediation

Reconfigure the affected SSL/TLS server to disable support for any export suites. Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers.

References

Attack of the week: FREAK (or 'factoring the NSA for fun and profit')

Security/Server Side TLS

Mozilla SSL Configuration Generator

Related Vulnerabilities

Overly long session timeout in servlet configuration

Joomla Debug Console enabled

GraphQL Non-JSON Queries over POST: Potential CSRF Vulnerability

Spring Misconfiguration: HTML Escaping disabled

Docker Registry API is accessible without authentication

Severity

Medium

Classification

CVE-2015-0204 CWE-310 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Weak Crypto