CERT-MU :Vulnerability

Home | Search | FAQ | Site Map | Contact Us

|| Hotline : 800 2378 || To contact CERT-MU send e-mail on --> info[at]cert-mu.gov.mu || To report incident e-mail on --> incident[at]cert-mu.gov.mu || To report Vulnerabilities send e-mail on --> Vulnerability[at]cert-mu.gov.mu ||

Charter & Mission

CERT-MU Services

Constituency

Authority

Incident Reporting

Vulnerability Reporting

Incident Statistics Forms

Vol. 2, Feb 2012

Vol. 1, Oct 2011

World CERTs

Security Sites

Security Tools

Antivirus Resources

Email Abuse

Network Abuse

Anti-Spam Initiative

Cyber Security Portal

Safer Internet Day

Computer Security Day

National Computer Board

Authorized to use CERT(TM) - CERT is a mark owned by Carnegie Mellon University

CERT-MU Vulnerability Note VN-2009-31

SSL and TLS protocols renegotiation vulnerability

Original Issue Date: November 27, 2009

Severity Rating: Medium

Affected Softwares

Multiple implementations of SSL and TLS protocols

Overview

A vulnerability exists in SSL and TLS protocols that may allow attackers to execute an arbitrary HTTPS transaction.

Description

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are most widely recognized as the protocols that provide secure HTTP (HTTPS) for Internet transactions between Web browsers and Web servers. TLS/SSL can also be used for other application level protocols, such as File Transfer Protocol (FTP), Lightweight Directory Access Protocol (LDAP), and Simple Mail Transfer Protocol (SMTP). TLS/SSL enables server authentication, client authentication, data encryption, and data integrity over networks such as the World Wide Web.

A vulnerability has been identified in the current SSL (Version 3) and TLS (Version 1) protocols while handling TLS handshake re-negotiations. An attacker could exploit this vulnerability via man-in-the-middle techniques and injecting data into the beginning of the application protocol stream. This could lead to fragmentation of SSL transactions, giving attackers the opportunity to inject false commands or to execute HTTP transactions such as password resets into communications which are otherwise encrypted. This attack can bypass authentication and possibly launch further attacks against the victim.

NOTE:
• This issue does not allow attackers to decrypt encrypted data.
• Proof-of-Concept is available on Internet

Workaround

Implement anti-CSRF (Cross Site Request Forgery) features in web applications.
Use an IPS/IDS/Application firewall to catch recurrent HTTP request that are enclosed within each other.

Solution

Apply appropriate patches or fixes released by respective vendors at server and client level.

CVE Name
CVE-2009-3555

References

US-CERT
http://www.kb.cert.org/vuls/id/120541

ISS X FORCE
http://xforce.iss.net/xforce/xfdb/54158

SecurityFocus
http://www.securityfocus.com/bid/36935

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.