MS-ISAC ADVISORY NUMBER:
2009-075 Updated

DATE(S) ISSUED:
11/9/2009
11/24/2009 - Updated

SUBJECT:
Vulnerability in TLS Protocol Session Renegotiation

ORIGINAL OVERVIEW:

A vulnerability exists in the Transport Layer Security (TLS) protocol that could allow attackers to intercept secure communications from unsuspecting users. TLS is widely used to provide secure communication over the Internet. If successfully exploited, this could result in information disclosure or credential theft of the affected user.

Please note: Proof of concept code has been published and is publicly available. However, we have not received any reports of active exploitation of this vulnerability.

ORIGINAL SYSTEMS AFFECTED:

  • Apache Software Foundation Apache 2.2.8
  • Apache Software Foundation Apache 2.2.9
  • GNU GnuTLS 2.0.0 - 2.8.3
  • Microsoft IIS 7.0
  • Microsoft IIS 7.5
  • OpenSSL Project OpenSSL 0.9.8h and prior
  • MandrakeSoft Multi Network Firewall 2.0
  • MandrakeSoft Linux Mandrake 2009.0 - 2009.1
  • MandrakeSoft Enterprise Server 4.0 - 5.0
  • MandrakeSoft Corporate Server 3.0 - 5.0

November 24 - UPDATED SYSTEMS AFFECTED:

  • VooDoo cIRCLE 1.1.37 and prior
  • Ubuntu Linux
  • Sun Solaris
  • Sun OpenSolaris
  • Slackware Linux
  • S.U.S.E. Linux
  • RedHat Desktop
  • RedHat Enterprise Linux
  • OpenVPN OpenVPN 2.0.9 and prior
  • Debian Linux
  • Cisco Wireless LAN Solution Engine 1130 2.0.5 and prior
  • Cisco Wireless LAN Controllers 4.2.176.0 and prior
  • Cisco Wireless LAN Controller Module 0
  • Cisco Wireless LAN Control 6.0.182.0 and prior
  • Cisco Wireless Control System Software 4.0.96 and prior
  • Cisco Video Surveillance Operations Manager Software 0
  • Cisco Video Surveillance Media Server Software 0
  • Cisco Telepresence Recording Server 0
  • Cisco NX-OS 4.1(4) and prior
  • Cisco IOS XE 2.4.1 and prior
  • Cisco IOS 12.2.2 (25) SEB3 and prior
  • Cisco FWSM for Cisco Catalyst 6500/7600 Series 2.3.1 and prior
  • Cisco Digital Media Player 0
  • Cisco Digital Media Manager
  • Cisco CSS11500 Content Services Switch 8.10.2 .65 and prior
  • Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) 0
  • Cisco CiscoWorks Common Services 3.1.1 and prior
  • Cisco ASA 5500 Series Adaptive Security Appliance 7.1 and prior
  • Cisco ASA 5500 7.0.4 .3 and prior
  • Cisco Application Velocity System 3120 5.0.1 and prior
  • Cisco ACE Web Application Firewall 0
  • Cisco ACE Module A2(1.3) and prior
  • Cisco ACE GSS 4400 Series Global Site Selector 0
  • Cisco ACE Appliance 0
  • Cisco ACE 4710 Appliance A3(2.1)
  • Cisco ACE 4710 Appliance A1(8a) and prior
  • Cisco ACE 4700 Application Control Engine 0
  • Cisco Access Control Server (ACS) 0

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
A vulnerability has been discovered in the Transport Layer Security (TLS) protocol that could allow attackers to perform man-in-the-middle (MITM) attacks. TLS provides secure communication for a variety of applications over the Transport layer. This vulnerability is known to work with the Hypertext Transfer Protocol (HTTP), but is believed to be applicable to any other protocol that utilizes TLS for security. In the example of HTTP, the attack is performed by intercepting the 'Client Hello' and forcing the current TLS session to renegotiate the cipher used to secure the communications between hosts. This request for a new cipher is not made over the encrypted channel, but in plaintext. In addition, to save time, Session IDs can be reused for the renegotiation process, which makes exploitation easier for the attacker.

Successful use of a MITM attack to exploit this issue does not allow the attacker to decrypt the data, but does allow the attacker to inject specifically crafted packets in the context of the current session. Note also that once a successful MITM attack has been executed, tools exist to decrypt the traffic being controlled by the attacking host.

Multiple vendors have released patches that address this vulnerability.
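A practical way to verify that a given server has actually been patched, added here as an example and not part of the MS-ISAC advisory: the vendor fixes for CVE-2009-3555 were standardized as the TLS secure-renegotiation extension (RFC 5746), under which a patched server echoes an empty renegotiation_info extension (type 0xFF01) in its ServerHello, and a client can signal support either with that extension or with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00FF). The Python script below builds a TLS 1.0 ClientHello that advertises both, parses the ServerHello reply and reports whether the extension came back. The cipher-suite list, the sample ServerHello records and the function names are constructed for this example; only `probe()` touches the network, and it runs only when a host is given on the command line.

```python
import os
import socket
import struct

# Constants from RFC 5746 (the secure-renegotiation fix for CVE-2009-3555).
RENEGOTIATION_INFO_EXT = 0xFF01          # extension type "renegotiation_info"
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
HANDSHAKE = 0x16                         # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2        # handshake message types

# Ordinary TLS 1.0 suites so the hello looks like a normal client (assumed list).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello() -> bytes:
    """TLS 1.0 ClientHello record advertising secure renegotiation both ways:
    the SCSV in the cipher list and an empty renegotiation_info extension."""
    suites = CIPHER_SUITES + [EMPTY_RENEGOTIATION_INFO_SCSV]
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    ext_data = b"\x00"   # renegotiated_connection is empty on an initial handshake
    extension = struct.pack("!HH", RENEGOTIATION_INFO_EXT, len(ext_data)) + ext_data
    body = (
        b"\x03\x01"                                        # client_version TLS 1.0
        + os.urandom(32)                                   # random
        + b"\x00"                                          # empty session_id
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                                      # compression: null only
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_extensions(record: bytes) -> dict:
    """Return the extensions of the ServerHello in a handshake record as
    {type: data}. Only the first handshake message in the record is read."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record (server may have sent an Alert)")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("record does not start with a ServerHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                              # skip server_version and random
    pos += 1 + body[pos]                      # session_id
    pos += 2 + 1                              # cipher_suite, compression_method
    if pos > len(body):
        raise ValueError("truncated ServerHello")
    exts = {}
    if pos == len(body):                      # no extensions block at all
        return exts
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if pos + ext_total != len(body):
        raise ValueError("extensions length does not match ServerHello body")
    while pos < len(body):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def server_supports_secure_renegotiation(server_hello_record: bytes) -> bool:
    """True when the ServerHello echoes an empty renegotiation_info extension,
    i.e. the server implements RFC 5746 secure renegotiation."""
    exts = parse_server_hello_extensions(server_hello_record)
    return exts.get(RENEGOTIATION_INFO_EXT) == b"\x00"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Send the ClientHello to a live server and judge its first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        header = sock.recv(5)
        if len(header) < 5:
            raise ValueError("no TLS record received")
        payload, need = b"", struct.unpack("!H", header[3:5])[0]
        while len(payload) < need:
            chunk = sock.recv(need - len(payload))
            if not chunk:
                break
            payload += chunk
        return server_supports_secure_renegotiation(header + payload)


def _server_hello(extensions: bytes) -> bytes:
    """Constructed ServerHello record for offline use (sample data, not a capture)."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


PATCHED_SERVER_HELLO = _server_hello(struct.pack("!HH", RENEGOTIATION_INFO_EXT, 1) + b"\x00")
UNPATCHED_SERVER_HELLO = _server_hello(b"")

if __name__ == "__main__":
    import sys
    print(sys.argv[1], "secure renegotiation:", probe(sys.argv[1]))
```

Run as `python check_reneg.py hostname` against a server you administer. A `True` result means the server negotiated RFC 5746 and the splicing attack described above no longer applies. A `False` result does not by itself prove the server is unpatched: some early fixes, including the OpenSSL 0.9.8l release referenced below, simply disabled renegotiation rather than implementing the extension, and a server that rejects the hello with an Alert record will raise a ValueError instead. Python's ssl module does not expose this information, which is why the script speaks raw TLS records over a socket.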

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the appropriate vendor patches to vulnerable systems as soon as they become available, after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • If you believe you have been affected by attacks exploiting this vulnerability, please contact us immediately.

ORIGINAL REFERENCES:
Secunia:
http://secunia.com/advisories/37291/
http://secunia.com/advisories/37292/

Security Focus:
http://www.securityfocus.com/bid/36935

Sun:
http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during

OpenSSL:
http://cvs.openssl.org/chngview?cn=18790
http://www.openssl.org/source/openssl-0.9.8l.tar.gz

MandrakeSoft:
http://www.mandriva.com/en/download/

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

November 24 - UPDATED REFERENCES:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1

US-CERT:
http://www.kb.cert.org/vuls/id/120541

VooDoo cIRCLE:
http://voodoo-circle.sourceforge.net/sa/sa-20091112-01.html


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.