CERT-MU AD-2009-17
SSL and TLS protocols renegotiation vulnerability
Original issue date: 09 December, 2009
Overview
A vulnerability exists in SSL and TLS protocols that may allow attackers to execute an arbitrary HTTPS transaction.
Description
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are most widely recognized as the protocols that provide secure HTTP (HTTPS) for Internet transactions between Web browsers and Web servers. TLS/SSL can also be used for other application level protocols, such as File Transfer Protocol (FTP), Lightweight Directory Access Protocol (LDAP), and Simple Mail Transfer Protocol (SMTP). TLS/SSL enables server authentication, client authentication, data encryption, and data integrity over networks such as the World Wide Web.
A vulnerability has been identified in the current SSL (Version 3) and TLS (Version 1) protocols in the handling of TLS handshake renegotiations. An attacker could exploit this vulnerability by using man-in-the-middle techniques to inject data at the beginning of the application protocol stream. This could lead to fragmentation of SSL transactions, giving attackers the opportunity to inject false commands or to execute HTTP transactions, such as password resets, within communications that are otherwise encrypted. This attack can bypass authentication and possibly be used to launch further attacks against the victim.
Note
- This issue does not allow attackers to decrypt encrypted data.
- A proof of concept is available on the Internet.
Workaround
- Implement anti-CSRF (Cross Site Request Forgery) features in web applications.
- Use an IPS/IDS/application firewall to catch recurrent HTTP requests that are enclosed within each other.
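One way an application firewall could implement the check in the second workaround, shown as an added example that is not part of the CERT-MU advisory. It assumes the firewall terminates TLS and sees the decrypted request bytes; the function name, header names and sample requests are constructed for illustration.

```python
import re

# An HTTP/1.x request line ("METHOD target HTTP/1.x") appearing anywhere in a line.
REQUEST_LINE = re.compile(
    r"\b(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]\b"
)

def find_enclosed_requests(raw: bytes) -> list[tuple[int, str]]:
    """Inspect the header block of one decrypted HTTP request and return
    (line_number, reason) findings. Hypothetical helper, not a product API."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("latin-1")
    lines = re.split(r"\r?\n", head)
    findings = []
    host_seen = False
    # lines[0] is the outer request line. Every later line must be a
    # "Name: value" header and must never carry a second request line.
    for number, line in enumerate(lines[1:], start=2):
        if REQUEST_LINE.search(line):
            findings.append((number, "request line inside header block"))
        if line.lower().startswith("host:"):
            if host_seen:
                findings.append((number, "repeated Host header"))
            host_seen = True
    return findings

# Constructed sample inputs (not captured traffic).
NORMAL = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.example.test\r\n"
          b"Cookie: session=constructed\r\n\r\n")
ENCLOSED = (b"GET /a HTTP/1.1\r\n"
            b"Host: www.example.test\r\n"
            b"X-Pad: GET /index.html HTTP/1.1\r\n"
            b"Host: www.example.test\r\n"
            b"Cookie: session=constructed\r\n\r\n")

if __name__ == "__main__":
    for name, sample in (("NORMAL", NORMAL), ("ENCLOSED", ENCLOSED)):
        print(name, find_enclosed_requests(sample))
```

Only the lines before the first blank line are inspected, so a legitimately pipelined request that starts after the previous request's headers end is not flagged.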
Software Affected
- Multiple implementations of SSL and TLS protocols
Impact
Severity Rating: High
Solution
Apply appropriate patches or fixes released by respective vendors at server and client level.
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Vendor Information
CISCO http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml
SUN http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1
FREEBSD http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc
HP http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686
IBM ISS http://www.iss.net/threats/352.html
REDHAT https://rhn.redhat.com/errata/RHSA-2009-1579.html
DEBIAN http://www.debian.org/security/2009/dsa-1934
SUSE http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html
CVE Name
CVE-2009-3555
References
US-CERT
http://www.kb.cert.org/vuls/id/120541
ISS X FORCE
http://xforce.iss.net/xforce/xfdb/54158
SecurityFocus
http://www.securityfocus.com/bid/36935
IETF
http://www.ietf.org/mail-archive/web/tls/current/msg03942.html
JUNIPER NET
http://forums.juniper.net/t5/Networking-Now/Transport-Security-Layer-TLS-Man-In-The-Middle-Vulnerability/ba-p/29671;jsessionid=D50ECE971FB149421F0F2AB60C5B3AAC
CERT-In
http://www.cert-in.org.in/vulnerability/civn-2009-143.htm