You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/11/17 11:25:19 UTC
DO NOT REPLY [Bug 48210] New: TLS / SSL Man-In-The-Middle
Renegotiation Vulnerability
https://issues.apache.org/bugzilla/show_bug.cgi?id=48210
Summary: TLS / SSL Man-In-The-Middle Renegotiation
Vulnerability
Product: Apache httpd-2
Version: 2.2.14
Platform: All
OS/Version: All
Status: NEW
Severity: blocker
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: alcol@hotmail.com
TLS / SSL Man-In-The-Middle Renegotiation Vulnerability
TLS and its predecessor, SSL, are cryptographic protocols that provide security
for communications over IP data networks such as the Internet. An industry-wide
vulnerability exists in the TLS protocol that could impact many products that
uses any version of TLS and SSL. The vulnerability exists in how the protocol
handles session renegotiation and exposes users to a potential
man-in-the-middle attack.
TLS 1.0 (and higher) and SSL 3.0 (and higher), does not properly associate
renegotiation handshakes with an existing connection, which allows
man-in-the-middle attackers to insert data into HTTPS sessions, and possibly
other types of sessions protected by TLS or SSL, by sending an unauthenticated
request that is processed retroactively by a server in a post-renegotiation
context, related to a "plaintext injection" attack, aka the "Project Mogul"
issue.
Affected Version and Products include, the TLS protocol 1.0, and the SSL
protocol 3.0 and possibly earlier, as used in Microsoft Internet Information
Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier,
OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security
Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 48210] TLS / SSL Man-In-The-Middle Renegotiation
Vulnerability
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48210
Ruediger Pluem <rp...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |FixedInTrunk,
| |PatchAvailable
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #2 from Ruediger Pluem <rp...@apache.org> 2009-11-17 05:50:17 CET ---
See
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
and ongoing discusssion on dev list.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 48210] TLS / SSL Man-In-The-Middle Renegotiation
Vulnerability
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48210
--- Comment #1 from Alberto Colosi <al...@hotmail.com> 2009-11-17 02:26:57 UTC ---
TLS / SSL Man-In-The-Middle Renegotiation Vulnerability
CVE #:
CVE-2009-3555
Release Date:
November 4, 2009
Vulnerable OS:
Any
Vulnerable Application:
N/A
Risk Type:
Unauthorized Access
Summary:
TLS 1.0 and SSL 3.0 contain a man-in-the-middle renegotiation vulnerability.
Info:
TLS 1.0 (and higher) and SSL 3.0 (and higher) are vulnerable to
man-in-the-middle style attacks.
The flaw is specific to the renegotiation phase within the protocol. An
attacker can potentially inject arbitrary plaintext into an application's
protocol stream. This action can lead to numerous results, including attacks
on Certificate Authentication mechanisms. This issue affects multiple
platforms/vendors/applications which use the affected protocols.
General Fix:
Apply the appropriate patch from your vendor. Several vendors have released
httpd update packages.
The OpenSSL Repository also contains an update for OpenSSL.
It should be noted that initial patches simply mitigate the problem by
disabling renegotiation rather than solving the problem completely.
References:
BugTraq SecurityFocus BID 36935
CERT
CERT Vulnerability Note VU#120541
Cisco
Cisco Advisory ID: cisco-sa-20091109-tls
Foundstone
Faultline ID 7312
Mandriva
Mandriva Security Advisory MDVSA-2009:295
OAR
MSS-OAR-E01-2009:3405.1
MSS-OAR-E01-2009:3456.1
MSS-OAR-E01-2009:3457.1
MSS-OAR-E01-2009:3458.1
MSS-OAR-E01-2009:3464.1
Other
OpenSSL CVS Repository Check-in 18790
Citrix Document ID: CTX123359
RedHat
Red Hat Security Advisory RHSA-2009-1579
Red Hat Security Advisory RHSA-2009-1580
XForce
XForce tls-renegotiation-weak-security (54158)
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org