The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of TLS protocol

computer vulnerability alert CVE-2015-2808

TLS: RC4 decryption via Bar Mitzvah

Synthesis of the vulnerability

An attacker can use the Bar Mitzvah Attack on TLS, in order to obtain sensitive information encrypted by RC4.
Impacted products: DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Avamar, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, SiteScope, HP Switch, HP-UX, AIX, DB2 UDB, Domino, Notes, IRAD, Security Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, SnapManager, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Oracle Virtual Directory, WebLogic, Oracle Web Tier, SSL protocol, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 27/03/2015.
Identifiers: 1450666, 1610582, 1647054, 1882708, 1883551, 1883553, 1902260, 1903541, 1960659, 1963275, 1967498, 523628, 7014463, 7022958, 7045736, 9010041, 9010044, Bar Mitzvah, BSA-2015-007, c04708650, c04767175, c04770140, c04772305, c04773119, c04773241, c04777195, c04777255, c04832246, c04926789, c05085988, c05336888, cpujan2018, cpuoct2017, CVE-2015-2808, DSA-2018-124, HPSBGN03350, HPSBGN03393, HPSBGN03399, HPSBGN03407, HPSBGN03414, HPSBGN03415, HPSBGN03580, HPSBHF03673, HPSBMU03345, HPSBMU03401, HPSBUX03435, HPSBUX03512, NTAP-20150715-0001, NTAP-20151028-0001, RHSA-2015:1020-01, RHSA-2015:1021-01, RHSA-2015:1091-01, SOL16864, SSRT102254, SSRT102977, SUSE-SU-2015:1073-1, SUSE-SU-2015:1085-1, SUSE-SU-2015:1086-1, SUSE-SU-2015:1086-2, SUSE-SU-2015:1086-3, SUSE-SU-2015:1086-4, SUSE-SU-2015:1138-1, SUSE-SU-2015:1161-1, VIGILANCE-VUL-16486, VN-2015-004.

Description of the vulnerability

During the initialization of a TLS session, the client and the server negotiate cryptographic algorithms. The RC4 algorithm can be chosen to encrypt data.

For some weak keys (one over 2^24), the Invariance Weakness can be used to predict the two LSB (Least Significant Bit) of the 100 first bytes encrypted with RC4. The first TLS message is "Finished" (36 bytes), thus an attacker can predict LSBs of 64 bytes.

An attacker can therefore use the Bar Mitzvah Attack on TLS, in order to obtain sensitive information encrypted by RC4.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Impacted products: SES, SNS, Apache httpd, Arkoon FAST360, ArubaOS, Asterisk Open Source, BES, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, IronPort Email, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, WebNS, Clearswift Email Gateway, Clearswift Web Gateway, CUPS, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, F-Secure AV, hMailServer, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, ProCurve Switch, SiteScope, HP Switch, TippingPoint IPS, HP-UX, AIX, Domino, Notes, Security Directory Server, SPSS Data Collection, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, IVE OS, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, NETASQ, NetBSD, NetScreen Firewall, ScreenOS, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, Tuxedo, WebLogic, Palo Alto Firewall PA***, PAN-OS, Polycom CMA, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, Postfix, SSL protocol, Puppet, RHEL, JBoss EAP by Red Hat, RSA Authentication Manager, ROS, ROX, RuggedSwitch, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WinSCP.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can downgrade the version to SSLv3. However, with SSL 3.0, an attacker can change the padding position with a CBC encryption, in order to progressively guess clear text fragments.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce 15037

SSL: revocation of CCA

Synthesis of the vulnerability

The Government of India Controller of Certifying Authorities certification authority emitted certificates to spoof several Google domains.
Impacted products: Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista, SSL protocol.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 11/07/2014.
Identifiers: 2982792, VIGILANCE-VUL-15037.

Description of the vulnerability

The Government of India Controller of Certifying Authorities certification authority emitted certificates to spoof several Google domains (VIGILANCE-ACTU-4436).

It is thus recommended to delete this certification authority or to update the Certificate Trust List.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2013-3587

SSL, TLS: information disclosure via compression, BREACH

Synthesis of the vulnerability

An attacker can use several SSL/TLS compressed sessions, in order to obtain sensitive information from the server.
Impacted products: GAiA, CheckPoint IP Appliance, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, BIG-IP Hardware, TMOS, Fedora, SSL protocol.
Severity: 1/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 05/08/2013.
Identifiers: CVE-2013-3587, FEDORA-2015-8606, FEDORA-2015-9143, sk93971, SOL14634, VIGILANCE-VUL-13198, VU#987798.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11952 describes a vulnerability of SSL/TLS which uses the SSL/TLS compression. To protect against this vulnerability, SSL/TLS compression was disabled in most web browsers.

However, TLS/SSL servers can also transport data which uses another compression. For example, a web server can compress data it sends to its clients. A variant of the previous attack can thus still be exploited.

An attacker can therefore use several SSL/TLS compressed sessions, in order to obtain sensitive information from the server.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2013-2566

SSL/TLS: obtaining messages encrypted by RC4

Synthesis of the vulnerability

When an attacker has 2^30 RC4 encrypted messages with different keys, he can guess the clear text message.
Impacted products: DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Avamar, BIG-IP Hardware, TMOS, HP Switch, Opera, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Oracle Virtual Directory, WebLogic, Oracle Web Tier, SSL protocol.
Severity: 1/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 15/03/2013.
Identifiers: 523628, BID-58796, BSA-2015-007, c05336888, cpuapr2017, cpujan2018, cpuoct2016, cpuoct2017, CVE-2013-2566, DSA-2018-124, HPSBHF03673, SOL14638, VIGILANCE-VUL-12530.

Description of the vulnerability

A SSL/TLS session can negotiate different encryption algorithms.

The RC4 algorithm uses a continuous stream of bytes generated from the key. This stream if then combined (XOR) with the clear text message.

However, the generated stream is biased. A statistical analysis of million of encrypted messages shows this bias.

When an attacker has 2^30 (minimum 2^24) RC4 encrypted messages with different keys, he can therefore guess the clear text message. This vulnerability is hard to exploit because of the quantity of messages required to perform the attack.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2013-0169 CVE-2013-1619 CVE-2013-1620

TLS, DTLS: information disclosure in CBC mode, Lucky 13

Synthesis of the vulnerability

An attacker can inject wrongly encrypted messages in a TLS/DTLS session in mode CBC, and measure the delay before the error message reception, in order to progressively guess the clear content of the session.
Impacted products: Bouncy Castle JCE, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, DB2 UDB, Tivoli Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, Mandriva Linux, McAfee Email and Web Security, ePO, MySQL Enterprise, NetScreen Firewall, ScreenOS, Java OpenJDK, OpenSSL, openSUSE, openSUSE Leap, Opera, Java Oracle, Solaris, pfSense, SSL protocol, RHEL, JBoss EAP by Red Hat, Slackware, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Consequences: data reading.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 7.
Creation date: 05/02/2013.
Identifiers: 1639354, 1643316, 1672363, BID-57736, BID-57774, BID-57776, BID-57777, BID-57778, BID-57780, BID-57781, c03710522, c03883001, CERTA-2013-AVI-099, CERTA-2013-AVI-109, CERTA-2013-AVI-339, CERTA-2013-AVI-454, CERTA-2013-AVI-543, CERTA-2013-AVI-657, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CERTFR-2014-AVI-286, CVE-2013-0169, CVE-2013-1619, CVE-2013-1620, CVE-2013-1621, CVE-2013-1622-REJECT, CVE-2013-1623, CVE-2013-1624, DLA-1518-1, DSA-2621-1, DSA-2622-1, ESX400-201310001, ESX400-201310401-SG, ESX400-201310402-SG, ESX410-201307001, ESX410-201307401-SG, ESX410-201307403-SG, ESX410-201307404-SG, ESX410-201307405-SG, ESX410-201312001, ESX410-201312401-SG, ESX410-201312403-SG, ESXi410-201307001, ESXi410-201307401-SG, ESXi510-201401101-SG, FEDORA-2013-2110, FEDORA-2013-2128, FEDORA-2013-2764, FEDORA-2013-2793, FEDORA-2013-2813, FEDORA-2013-2834, FEDORA-2013-2892, FEDORA-2013-2929, FEDORA-2013-2984, FEDORA-2013-3079, FEDORA-2013-4403, FreeBSD-SA-13:03.openssl, GNUTLS-SA-2013-1, HPSBUX02856, HPSBUX02909, IC90385, IC90395, IC90396, IC90397, IC90660, IC93077, JSA10575, JSA10580, JSA10759, Lucky 13, MDVSA-2013:014, MDVSA-2013:018, MDVSA-2013:019, MDVSA-2013:040, MDVSA-2013:050, MDVSA-2013:052, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, openSUSE-SU-2013:0807-1, openSUSE-SU-2016:0640-1, RHSA-2013:0273-01, RHSA-2013:0274-01, RHSA-2013:0275-01, RHSA-2013:0531-01, RHSA-2013:0532-01, RHSA-2013:0587-01, RHSA-2013:0588-01, RHSA-2013:0636-01, RHSA-2013:0782-01, RHSA-2013:0783-01, RHSA-2013:0833-01, RHSA-2013:0834-02, RHSA-2013:0839-02, RHSA-2013:1135-01, RHSA-2013:1144-01, RHSA-2013:1181-01, RHSA-2013:1455-01, RHSA-2013:1456-01, RHSA-2014:0371-01, RHSA-2014:0372-01, RHSA-2014:0896-01, RHSA-2015:1009, SOL14190, SOL15630, SSA:2013-040-01, SSA:2013-042-01, SSA:2013-242-01, SSA:2013-242-03, SSA:2013-287-03, SSRT101104, SSRT101289, SUSE-SU-2013:0328-1, SUSE-SU-2014:0320-1, SUSE-SU-2014:0322-1, swg21633669, swg21638270, swg21639354, swg21640169, VIGILANCE-VUL-12374, VMSA-2013-0006.1, VMSA-2013-0007.1, VMSA-2013-0009, VMSA-2013-0009.1, VMSA-2013-0009.2, VMSA-2013-0009.3, VMSA-2013-0015.

Description of the vulnerability

The TLS protocol uses a block encryption algorithm. In CBC (Cipher Block Chaining) mode, the encryption depends on the previous block.

When an incorrect encrypted message is received, a fatal error message is sent to the sender. However, the duration of the generation of this error message depends on the number of valid bytes, used by a MAC hash.

An attacker can therefore inject wrongly encrypted messages in a TLS/DTLS session in mode CBC, and measure the delay before the error message reception, in order to progressively guess the clear content of the session.

In order to guess a clear block, 2^23 TLS sessions are required. So, to exploit this vulnerability, the TLS client has to permanently open a new session, as soon as the previous one ended with a fatal error.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2012-4929

SSL, TLS: obtaining HTTP Cookies via Deflate, CRIME

Synthesis of the vulnerability

An attacker, who can control HTTPS connections of victim's web browser, can use several SSL sessions compressed with Deflate in order to compute HTTP headers, such as cookies.
Impacted products: curl, Debian, Exim, Fedora, HP-UX, McAfee Email and Web Security, McAfee Email Gateway, Firefox, MySQL Enterprise, OpenSSL, openSUSE, SSL protocol, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: LAN.
Creation date: 14/09/2012.
Identifiers: BID-55704, c03734195, CRIME, CVE-2012-4929, DSA-2579-1, DSA-2626-1, DSA-2627-1, DSA-3253-1, FEDORA-2012-15194, FEDORA-2012-15203, FEDORA-2013-4403, FEDORA-2014-13764, FEDORA-2014-13777, HPSBUX02866, openSUSE-SU-2012:1420-1, openSUSE-SU-2013:0143-1, openSUSE-SU-2013:0154-1, openSUSE-SU-2013:0157-1, openSUSE-SU-2013:1630-1, RHSA-2013:0587-01, RHSA-2013:0636-01, RHSA-2014:0416-01, SB10052, SSRT101139, SUSE-SU-2012:1428-1, VIGILANCE-VUL-11952.

Description of the vulnerability

The RFC 3749 adds the support for data compression, before encrypting them with SSL/TLS.

The Deflate compression algorithm replaces duplicate patterns by a reference. For example:
  hello mister hello madam
is compressed to:
  hello mister [reference] madam
So, the compression of a pattern already found is shorter than the compression of a pattern not yet seen. This difference in size thus indicates if the second pattern was already seen.

HTTP cookies are for example like:
  Cookie: secret=1234
If the attacker adds "Cookie: secret=1234" later in the HTTP body, the compressed string will be shorter than if he added "Cookie: secret=5678" in the body. This difference in size thus allow the cookie to be guessed, character by character, using a brute force.

An attacker, who can control HTTPS connections of victim's web browser, can therefore use several SSL sessions compressed with Deflate in order to compute HTTP headers, such as cookies.

This attack requires that the web browser supports the RFC 3749. This is not the case of Internet Explorer, Opera and Safari. However, Chrome and Firefox may be vulnerable (precise versions are not yet known).
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce 11147

SSL: revocation of DigiCert Malaysia

Synthesis of the vulnerability

The DigiCert Malaysia intermediary certificate authority was revoked.
Impacted products: Debian, Fedora, Mandriva Linux, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Mobile, Windows Vista, Windows XP, Firefox, Thunderbird, openSUSE, SSL protocol, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet server.
Creation date: 10/11/2011.
Identifiers: 2641690, CERTA-2003-AVI-008, DSA-2339-1, DSA-2341-1, DSA-2342-1, DSA-2343-1, FEDORA-2011-15586, MDVSA-2011:169, openSUSE-SU-2011:1241-1, RHSA-2011:1437-01, RHSA-2011:1440-01, RHSA-2011:1444-01, SUSE-SU-2011:1256-2, VIGILANCE-VUL-11147.

Description of the vulnerability

The DigiCert Malaysia (Digicert Sdn Bhd) intermediary certification authority was revoked, due to the issuance of 22 certificates with weak keys, and to several technical issues (VIGILANCE-ACTU-3168).

It is thus recommended to delete this certification authority.

This certification authority is under Entrust and Verizon (GTE CyberTrust). It is different from DigiCert Inc (http://www.digicert.com/).
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2011-3389 CVE-2012-1870

SSL, TLS: obtaining HTTPS Cookies, BEAST

Synthesis of the vulnerability

An attacker, who can control HTTPS connections of victim's web browser and which has a sufficient bandwidth, can use several SSL sessions in order to compute HTTP headers, such as cookies.
Impacted products: Asterisk Open Source, IPSO, SecurePlatform, CheckPoint Security Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, Domino, Mandriva Linux, IIS, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Java OpenJDK, openSUSE, Opera, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Java Oracle, Oracle Web Tier, SSL protocol, RHEL, Sun AS, SUSE Linux Enterprise Desktop, SLES, Nessus.
Severity: 1/4.
Consequences: data reading.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 26/09/2011.
Identifiers: 2588513, 2643584, 2655992, AST-2016-001, BID-49778, BID-54304, c03122753, CERTA-2012-AVI-381, CERTFR-2016-AVI-046, CVE-2004-2770-REJECT, CVE-2011-3389, CVE-2012-1870, DSA-2368-1, DSA-2398-1, DSA-2398-2, FEDORA-2012-5916, FEDORA-2012-5924, FEDORA-2012-9135, FEDORA-2014-13764, FEDORA-2014-13777, HPSBUX02730, javacpuoct2011, MDVSA-2012:058, MDVSA-2012:096, MDVSA-2012:096-1, MDVSA-2012:097, MS12-006, MS12-049, openSUSE-SU-2012:0030-1, openSUSE-SU-2012:0063-1, openSUSE-SU-2012:0199-1, openSUSE-SU-2012:0229-1, openSUSE-SU-2012:0667-1, RHSA-2012:0034-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk74100, sk86440, SOL13400, SSRT100710, SUSE-SU-2012:0114-1, SUSE-SU-2012:0114-2, SUSE-SU-2012:0122-1, SUSE-SU-2012:0122-2, swg21568229, VIGILANCE-VUL-11014, VU#864643.

Description of the vulnerability

The SSL/TLS protocol supports CBC (Cipher Block Chaining) encryption: a clear block is "XORed" (operation Exclusive OR) with the last encrypted block, and the result is encrypted. This dependence between a block and its previous block was the subject of several theoretical studies since 2002, and led to the definition of TLS 1.1 in 2006, which uses a different algorithm.

The HTTPS "protocol", used by web browsers, encapsulates an HTTP session in a SSL/TLS session. An HTTP query is like:
  GET /abcdefg HTTP/1.0
  Headers (cookies)
  ...
This query is fragmented in blocks of 8 bytes, which are encrypted by CBC. The first block is thus "GET /abc".

An attacker can setup a malicious web site, and invite the victim to connect. This web site can request the victim's web browser to load the page "/abcdefg" of a site secured by SSL/TLS.

The attacker controls the size of the requested url (via "/abcdefg"), so he can place the first byte of headers at the end of a block (the 7 other bytes are known: "P/1.1\r\n"). This blocks follows a block which is fully known ("defg HTT"). The attacker can then capture the encrypted SSL/TLS session, and memorize the last encrypted block. This block is used as an initialization vector to compute an XOR between "defg HTT" (block 2) encrypted, and a guessed character located at the end of "P/1.1\r\n" (block 3). The result is reinjected by the attacker at the end of the HTTP query in clear text. He captures the resulting encrypted block, and if it is the same as the third encrypted block, then the guessed character was correct. The attacker repeats these queries as many times as necessary.

An attacker, who can control HTTPS connections of victim's web browser and which has a sufficient bandwidth, can therefore use several SSL sessions in order to compute HTTP headers, such as cookies.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2011-1473

TLS, OpenSSL: overload via renegotiation

Synthesis of the vulnerability

A malicious client can request several renegotiations to a SSL/TLS server, in order to overload it.
Impacted products: Apache httpd, ProxySG par Blue Coat, SGOS by Blue Coat, Clearswift Email Gateway, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, McAfee NSP, OpenSSL, SSL protocol, Sophos XG Series, Squid, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 08/07/2011.
Identifiers: BID-48626, CERTA-2013-AVI-542, CVE-2011-1473, JSA10575, JSA10580, JSA10584, SA74, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-10823.

Description of the vulnerability

When opening a connection using TLS, a negotiation mechanism allows the client and server to agree on the encryption algorithm to use. The protocol allows for renegotiation at any time during the connection (for example if the client uses a certificate).

However, the renegotiation is a complex algorithm, which requires more resources on the server than on the client.

A malicious client can therefore request several renegotiations to a SSL/TLS server, in order to overload it.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about TLS protocol: