The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of SSL, TLS: obtaining HTTPS Cookies, BEAST

Synthesis of the vulnerability 

An attacker who can control the HTTPS connections of the victim's web browser, and who has sufficient bandwidth, can use several SSL sessions to recover HTTP headers such as cookies.
Impacted software: Asterisk Open Source, IPSO, SecurePlatform, CheckPoint Security Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, Domino by IBM, Mandriva Linux, IIS, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Java OpenJDK, openSUSE, openSUSE Leap, Opera, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Java Oracle, Oracle Web Tier, SSL protocol, RHEL, SIMATIC, Sun AS, SUSE Linux Enterprise Desktop, SLES, Nessus.
Severity of this computer vulnerability: 1/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 26/09/2011.
References of this announcement: 2588513, 2643584, 2655992, AST-2016-001, BID-49778, BID-54304, c03122753, CERTA-2012-AVI-381, CERTFR-2016-AVI-046, CERTFR-2019-AVI-311, CVE-2004-2770-REJECT, CVE-2011-3389, CVE-2012-1870, DSA-2368-1, DSA-2398-1, DSA-2398-2, FEDORA-2012-5916, FEDORA-2012-5924, FEDORA-2012-9135, FEDORA-2014-13764, FEDORA-2014-13777, HPSBUX02730, javacpuoct2011, MDVSA-2012:058, MDVSA-2012:096, MDVSA-2012:096-1, MDVSA-2012:097, MS12-006, MS12-049, openSUSE-SU-2012:0030-1, openSUSE-SU-2012:0063-1, openSUSE-SU-2012:0199-1, openSUSE-SU-2012:0229-1, openSUSE-SU-2012:0667-1, openSUSE-SU-2020:0086-1, RHSA-2012:0034-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk74100, sk86440, SOL13400, SSA-556833, SSRT100710, SUSE-SU-2012:0114-1, SUSE-SU-2012:0114-2, SUSE-SU-2012:0122-1, SUSE-SU-2012:0122-2, SUSE-SU-2020:0114-1, SUSE-SU-2020:0234-1, swg21568229, VIGILANCE-VUL-11014, VU#864643.

Description of the vulnerability 

The SSL/TLS protocol supports CBC (Cipher Block Chaining) encryption: a plaintext block is XORed (exclusive OR) with the previous ciphertext block, and the result is encrypted. This dependence between a block and the block before it has been the subject of several theoretical studies since 2002, and led to the definition of TLS 1.1 in 2006, which uses a different construction.

The HTTPS "protocol", used by web browsers, encapsulates an HTTP session in an SSL/TLS session. An HTTP query looks like:
  GET /abcdefg HTTP/1.1
  Headers (cookies)
  ...
This query is split into 8-byte blocks, which are encrypted in CBC mode. The first block is thus "GET /abc".

An attacker can set up a malicious web site and invite the victim to connect. This web site can request the victim's web browser to load the page "/abcdefg" of a site secured by SSL/TLS.

The attacker controls the size of the requested URL (via "/abcdefg"), so he can place the first byte of the headers at the end of a block (the other 7 bytes are known: "P/1.1\r\n"). This block follows a block which is fully known ("defg HTT"). The attacker can then capture the encrypted SSL/TLS session and record the last encrypted block. This block serves as the initialization vector of the next record: the attacker XORs it with the encrypted form of "defg HTT" (block 2) and with a guess for the character at the end of "P/1.1\r\n" (block 3), and injects the result in clear text at the end of the HTTP query. He captures the resulting encrypted block; if it is identical to the third encrypted block, the guessed character was correct. The attacker repeats these queries as many times as necessary.

An attacker who can control the HTTPS connections of the victim's web browser, and who has sufficient bandwidth, can therefore use several SSL sessions to recover HTTP headers such as cookies.
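To make the mechanism above concrete, here is an added example (not part of the Vigil@nce bulletin) that replays the equality test on a toy 8-byte CBC construction and shows that it only confirms a guess when the next record's IV is the previous ciphertext block, as in TLS 1.0: with a fresh random IV per record, as TLS 1.1 introduced, no guess is ever confirmed. Like the description above it omits the MAC and padding, and it uses a keyed HMAC-derived mapping in place of a real block cipher, so only the chaining property is modelled; the request and the secret byte are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 8-byte cipher blocks, as in the bulletin's "GET /abc" example


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher: a keyed, deterministic 8-byte mapping
    # (not a real cipher; only CBC's chaining property matters here).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> list:
    """CBC over whole 8-byte blocks; returns the list of ciphertext blocks."""
    blocks, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


def confirmed_guesses(key: bytes, secret: bytes, explicit_iv: bool) -> set:
    """Apply the bulletin's equality test to every candidate byte.

    Record 1 is the constructed request "GET /abcdefg HTTP/1.1" + CRLF plus
    one secret header byte, so the secret ends block 3 ("P/1.1" CRLF secret).
    explicit_iv=False models TLS 1.0 (next IV = last ciphertext block);
    explicit_iv=True models TLS 1.1 (fresh random IV for every record).
    """
    request = b"GET /abcdefg HTTP/1.1\r\n" + secret      # 24 bytes = 3 blocks
    c = cbc_encrypt(key, os.urandom(BLOCK), request)
    c_block2, c_block3 = c[1], c[2]   # ciphertexts of "defg HTT" and block 3
    predicted_iv = c_block3           # the IV TLS 1.0 chains the next record from
    confirmed = set()
    for g in range(256):
        guess_block = b"P/1.1\r\n" + bytes([g])
        # Chosen block: cancels the IV, leaving E(c_block2 XOR guess_block),
        # which equals c_block3 exactly when guess_block is the real block 3.
        chosen = xor(xor(predicted_iv, c_block2), guess_block)
        real_iv = os.urandom(BLOCK) if explicit_iv else predicted_iv
        if cbc_encrypt(key, real_iv, chosen)[0] == c_block3:
            confirmed.add(bytes([g]))
    return confirmed
```

The one-data-byte workaround listed under the solutions removes the leak for the same reason: the IV of the record that carries the chosen block is not yet known when that block's content is fixed.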


Our Vigil@nce team rated the severity of this vulnerability note as low.

The trust level is "confirmed by the editor", with an origin of "internet server".

This bulletin covers 3 vulnerabilities.

A proof of concept or an attack tool is available, so your teams must process this alert. Exploiting this threat requires specialist skills.

Solutions for this threat 

SSL, TLS: workaround for HTTPS Cookie.
A workaround is to enable TLS 1.1 or 1.2.
However, only a few web servers currently support it:
 - Apache httpd + GnuTLS (OpenSSL does not support it)
 - IIS 7.5 (see VIGILANCE-SOL-24290)
Likewise, only a few web browsers currently support it:
 - Internet Explorer 8 or 9 (see VIGILANCE-SOL-24290)
 - Opera 10, 11
Another workaround is to disable the cipher suites using CBC mode. However, the remaining cipher suites (RC4) are sometimes considered weak.
For applications, a workaround is to always start SSL sessions by sending only one data byte, which will be padded by seven bytes of MAC (before being encrypted).

Windows: patch for SSL/TLS.
A patch is available:
Windows XP SP3
  http://www.microsoft.com/downloads/details.aspx?familyid=fb0360b1-254c-4ecb-a36a-807cabfec1ab
Windows XP x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=afe6b34d-21b1-4dfa-afa6-2c5c2a678e9e
  http://www.microsoft.com/downloads/details.aspx?familyid=986f1156-0190-48c2-9f39-29cacb91f0f9
Windows 2003 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=e2c503a5-3f15-4a77-9a05-9ea0fbaf4503
  http://www.microsoft.com/downloads/details.aspx?familyid=c23e7604-d489-4836-8b54-3b2b3d6a365c
Windows 2003 x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=2ad34496-40af-40cb-9f85-5d3c31543211
  http://www.microsoft.com/downloads/details.aspx?familyid=2f36e991-4e1a-4b8c-8cfb-e7f20d97cf0b
Windows 2003 Itanium SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=56deb935-9226-49f8-b705-edb3d662d8aa
  http://www.microsoft.com/downloads/details.aspx?familyid=2d72cf5a-cca7-4341-b862-017e3f34a3c9
Windows Vista SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=f9269bd6-8c4f-476e-8481-fc0de52a22e6
Windows Vista x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=0403c753-d4fa-4e3d-a61b-7f816f5c352b
Windows Server 2008 32-bit Gold, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=2fe2f398-433f-4338-a273-813185b43ea8
Windows Server 2008 x64 Gold, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=f54ac30d-8e41-4df9-bd43-db6742a24d4c
Windows Server 2008 Itanium Gold, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=3979db3b-4961-4df8-84a4-1f26672b127c
Windows 7 for 32-bit Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?familyid=0f433f2c-c61d-461d-af9c-0145af4b72ab
Windows 7 for x64 Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?familyid=0839fec0-b6a7-4e47-9da3-2caef44a7df4
Windows Server 2008 R2 x64 Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?familyid=34542a5a-88df-4a07-b1ed-d4c845502cd8
Windows Server 2008 R2 Itanium Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?familyid=fe661936-06e1-45d3-89f6-1093504496a7
The Microsoft announcement indicates workarounds.

Windows, IE, IIS: workarounds for HTTPS Cookie.
A workaround is to:
 - prioritize the RC4 algorithm
    http://msdn.microsoft.com/en-us/library/bb870930%28v=VS.85%29.aspx
 - enable TLS 1.1 or 1.2 in Internet Explorer on Windows 7 or 2008 R2
    http://support.microsoft.com/kb/2588513
 - enable TLS 1.1 on servers on Windows 7 or 2008 R2
    http://support.microsoft.com/kb/2588513
 - disable CBC
    http://support.microsoft.com/kb/245030
 - etc.

Opera: version 11.51.
The version 11.51 is corrected:
  http://www.opera.com/

Java JDK, JRE: version 7 Update 1.
The version 7 Update 1 is corrected:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java JDK, JRE: version 6 Update 29.
The version 6 Update 29 is corrected:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java JDK, JRE: version 5.0 Update 32.
The version 5.0 Update 32 is corrected:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html

Java SDK, JRE: version 1.4.2_34.
The version 1.4.2_34 is corrected:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-142120.html

F5 BIG-IP: workaround for BEAST.
The F5 announcement indicates workarounds.

Nessus: version 5.0.1.
The version 5.0.1 is corrected:
  http://www.nessus.org/download/

Asterisk Open Source: patch for BEAST.
A patch for each branch is indicated in information sources.

Asterisk Open Source: versions 11.21.1, 13.7.1.
Versions 11.21.1, 13.7.1 are fixed:
  http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-11.21.1.tar.gz
  http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.7.1.tar.gz

Check Point: workaround for BEAST.
A workaround is to:
 - use TLS version 1.1 or 1.2
 - not use the CBC algorithm

Debian: new curl packages.
New packages are available:
  curl 7.18.2-8lenny6
  curl 7.21.0-2.1+squeeze2

Debian: new lighttpd packages.
New packages are available:
  lighttpd 1.4.19+lenny3
  lighttpd 1.4.28-2+squeeze1

Fedora: new Pound packages.
New packages are available:
  Fedora 19: Pound 2.6-8.fc19
  Fedora 20: Pound 2.6-8.fc20

Fedora: new python packages.
New packages are available:
  python3-3.2.3-1.fc15
  python-2.7.3-1.fc16
  python3-3.2.3-2.fc16

HP-UX: JDK/JRE version 6.0.13.
The version 6.0.13 is corrected:
  http://www.hp.com/go/java

IBM Lotus Domino: workaround for HTTPS Cookie.
A workaround is to use RC4.

Mandriva 2010.1: new python packages.
New packages are available:
  python-2.6.5-2.5mdv2010.2

Mandriva 2011: new python packages.
New packages are available:
  python-2.7.2-2.2-mdv2011.0

Mandriva: new curl packages.
New packages are available:
  curl-7.20.1-2.2mdv2010.2
  curl-7.21.7-1.1-mdv2011.0

Mandriva: new python packages.
New packages are available:
  python-2.5.2-5.12mdvmes5.2

openSUSE Leap 15.1: new python3 packages (22/01/2020).
New packages are available:
  openSUSE Leap 15.1: python3 3.6.10-lp151.6.7.1

openSUSE: new curl packages.
New packages are available:
  curl-7.21.2-10.13.1

openSUSE: new mozilla-nss packages (05/01/2012).
New packages are available:
  openSUSE 11.3 : mozilla-nss-3.13.1-0.2.1
  openSUSE 11.4 : mozilla-nss-3.13.1-0.2.1

openSUSE: new python packages.
New packages are available:
  openSUSE 11.4 :
    python3-3.1.3-6.5
  openSUSE 12.1 :
    python-2.7.2-7.14.1
    python3-3.2.1-5.6.2

Oracle GlassFish, Sun Java System AS: patch for SSL/TLS.
A patch is available:
  GlassFish Enterprise Server 2.1.1
    SPARC: 128640-29 128643-29 128647-29
    X86: 128641-29 128644-29 128648-29
    Linux: 128642-29 128645-29 128649-29
    Windows: 128646-29 128650-29
    IBM-AIX: 137916-29
  Sun Java System Application Server 8.1
    SPARC: 119169-37 119173-37
    X86: 119170-37 119174-37
    Linux: 119171-37 119175-37
    Windows: 119172-37 119176-37
  Sun Java System Application Server 8.2
    SPARC: 124672-19 124675-18 124679-18
    X86: 124673-19 124676-18 124680-18
    Linux: 124674-19 124677-18 124681-18
    Windows: 124678-18 124682-18

Oracle iPlanet Web Proxy Server: patch for NSS.
A patch is available:
  SPARC: 145604-04
  X86: 145606-04
  Linux: 145605-04
  Windows: 145607-04

Oracle iPlanet Web Server: patch for SSL/TLS.
A patch is available:
Oracle iPlanet Web Server 7.0 :
  SPARC: 145843-05
  X86: 145844-05
  Linux: 145846-05 145845-05
  Windows: 145847-05
  IBM AIX: 145848-05
Java System Web Server 6.1 :
  SPARC: 145531-03, 145532-03
  X86: 145534-03
  Linux: 145533-03
  Windows: 145535-03
  AIX: 145536-03

Red Hat Satellite: new java-1.6.0-ibm packages.
New packages are available:
Red Hat Satellite (RHEL v.5):
  java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9
Red Hat Satellite (RHEL v.6):
  java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4

RHEL 4E, 5S, 6S: new java-1.6.0-ibm packages.
New packages are available:
  java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4
  java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5
  java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6

Siemens SIMATIC RF6XXR: solution for TLS.
The solution is indicated in information sources.

SUSE LE 15: new python3 packages (16/01/2020).
New packages are available:
  SUSE LE 15 RTM: python3 3.6.10-3.42.2
  SUSE LE 15 SP1: python3 3.6.10-3.42.2

SUSE LE 15: new python packages (27/01/2020).
New packages are available:
  SUSE LE 15 RTM: python 2.7.17-7.32.2
  SUSE LE 15 SP1: python 2.7.17-7.32.2

SUSE LE: new java-1_4_2-ibm packages.
New packages are available:
  SUSE LE 10 : java-1_4_2-ibm-1.4.2_sr13.11-0.10.1
  SUSE LE 11 : java-1_4_2-ibm-1.4.2_sr13.11-0.5.1

SUSE LE: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 10 : java-1_6_0-ibm-1.6.0_sr10.0-0.8.1
  SUSE LE 11 : java-1_6_0-ibm-1.6.0_sr10.0-0.3.1

Windows: patch for TLS.
A patch is available:
Windows XP SP3
  http://www.microsoft.com/downloads/details.aspx?familyid=8324496f-aca4-4a86-833d-c22341e71cd3
Windows XP x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=5f268365-9c18-4fc7-b11e-b1f19c4a5a2a
Windows 2003 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=b13e2388-01f3-46bf-97b4-612e2778477a
Windows 2003 x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=a0bd0591-62f8-40d1-93fa-7f0afc4fc09c
Windows 2003 Itanium SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=b91df558-5446-4858-92af-50cfbab27ff5
Windows Vista SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=7286a6e2-9c31-493f-aae3-776f72e85503
Windows Vista x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=c62ec513-887c-4a42-a3cc-3e92631526ed
Windows Server 2008 32-bit SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=97030267-6b19-46ae-84ce-0bb1f91ab951
Windows Server 2008 x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=8a5f6e84-5e5b-42c3-a5b7-65defdb0665f
Windows Server 2008 Itanium SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=e886c5f4-7f38-4c90-905b-a682e6a8ffd0
Windows 7 for 32-bit Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?familyid=da706b4e-7c22-4929-96d3-f8b0fa10f043
Windows 7 for x64 Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?familyid=07518fb7-031f-4fa0-836c-8f33c247868b
Windows Server 2008 R2 x64 Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?familyid=c9ef728f-abef-4076-bb13-7488af471aa4
Windows Server 2008 R2 Itanium Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?familyid=49e182b5-4499-42a1-8180-9bb920e154cb
The Microsoft announcement indicates workarounds.
