Executive Summary

Summary
Title SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes
Informations
NameVU#864643First vendor Publication2011-09-27
VendorVU-CERTLast vendor Modification2011-12-08
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score4.3Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityMedium
Cvss Expoit Score8.6AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#864643

SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes

Overview

A vulnerability in the specification of the SSL 3.0 and TLS 1.0 protocols could allow an attacker to decrypt encrypted traffic.

I. Description

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network application protocols such as HTTP, IMAP, POP3, LDAP, SMTP, and others. Several different versions of the SSL and TLS protocols have been standardized and are in widespread use. These protocols support the use of both block-based and stream-based ciphers.

A vulnerability in the way the SSL 3.0 and TLS 1.0 protocols select the initialization vector (IV) when operating in cipher-block chaining (CBC) modes allows an attacker to perform a chosen-plaintext attack on encrypted traffic. This vulnerability has been addressed in the specification for the TLS 1.1 and TLS 1.2 protocols.

While this vulnerability exists in the underlying specification of the affected protocols, a practical attack called BEAST has been demonstrated in the context of a web browser and the use of the HTTPS protocol. Because of the software functionality available to an attacker in this environment, it represents the most likely attack vector and the most significant risk for affected users. An effective BEAST attack appears to require a cross-domain vulnerability that allows the attacker to issue specially crafted HTTPS requests. A blog post by Thái Duong discusses "...a way to bypass the same-origin policy (SOP)..." using a Java applet.

II. Impact

An attacker with the ability to pose as a man-in-the-middle and to generate specially-crafted plaintext input could decrypt the contents of an SSL- or TLS-encrypted session. This could allow the attacker to recover potentially sensitive information (e.g., HTTP authentication cookies).

III. Solution

We are currently unaware of a practical solution to this problem.

Workarounds

Some vendors have published specific mitigation advice for the attacks related to this issues. Please see the Vendor Information section of this document for more information.

The following general workarounds can be effective in mitigating this issue:

  • Prioritize the use of the RC4 algorithm over block ciphers in server software
    Note that this workaround is not feasible to implement on systems that require FIPS-140 compliance since RC4 is not a FIPS-approved cryptographic algorithm.
  • Enable support for TLS 1.1 and/or TLS 1.2 in the web browser
  • Enable support for TLS 1.1 in server software
    Note that both the web servers and the client web browser must support TLS 1.1 or TLS 1.2 for these workarounds to be effective. The session will fallback to an earlier version of the TLS or SSL protocol in the event that either is incompatible with TLS 1.1 or TLS 1.2.

Vendor Information

VendorStatusDate NotifiedDate Updated
Apple Inc.Unknown2011-09-27
GnuTLSUnknown2011-09-27
GoogleAffected2011-09-27
Microsoft CorporationAffected2011-09-27
MozillaAffected2011-09-28
OpenSSLUnknown2011-09-27
OperaAffected2011-12-08

References

http://www.openssl.org/~bodo/tls-cbc.txt
http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
http//www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vu...
http://vnhacker.blogspot.com/2011/09/beast.html
https://blog.torproject.org/blog/tor-and-beast-ssl-attack
http//blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-securit...
http//blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-se...
http://src.chromium.org/viewvc/chrome?view=rev&revision=97269
https://bugzilla.mozilla.org/show_bug.cgi?id=665814
http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
http://www.ekoparty.org/2011/juliano-rizzo.php

Credit

Thanks to Thái Duong working with Matasano and Juliano Rizzo of Netifera for reporting the practical attack against this vulnerability. Wei Dai and Bodo Möller identified the underlying flaw in the context of SSL and TLS.

This document was written by Chad R Dougherty.

Other Information

Date Public:2002-02-08
Date First Published:2011-09-27
Date Last Updated:2011-12-08
CERT Advisory:
CVE-ID(s):CVE-2011-3389
NVD-ID(s):CVE-2011-3389
US-CERT Technical Alerts:
Severity Metric:3.37
Document Revision:36

Original Source

Url : http://www.kb.cert.org/vuls/id/864643

CWE : Common Weakness Enumeration

idName
CWE-20Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:19673
 
Oval ID: oval:org.mitre.oval:def:19673
Title: HP-UX Running Java JRE and JDK, Remote Denial of Service (DoS), Unauthorized Modification and Disclosure of Information
Description: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Family: unix Class: vulnerability
Reference(s): CVE-2011-3389
Version: 6
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15241
 
Oval ID: oval:org.mitre.oval:def:15241
Title: DSA-2368-1 lighttpd -- multiple
Description: Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with minimal memory footprint. CVE-2011-4362 Xi Wang discovered that the base64 decoding routine which is used to decode user input during an HTTP authentication, suffers of a signedness issue when processing user input. As a result it is possible to force lighttpd to perform an out-of-bounds read which results in Denial of Service conditions. CVE-2011-3389 When using CBC ciphers on an SSL enabled virtual host to communicate with certain client, a so called "BEAST" attack allows man-in-the-middle attackers to obtain plaintext HTTP traffic via a blockwise chosen-boundary attack on an HTTPS session. Technically this is no lighttpd vulnerability. However, lighttpd offers a workaround to mitigate this problem by providing a possibility to disable CBC ciphers. This updates includes this option by default. System administrators are advised to read the NEWS file of this update.
Family: unix Class: patch
Reference(s): DSA-2368-1
CVE-2011-4362
CVE-2011-3389
Version: 7
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): lighttpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14752
 
Oval ID: oval:org.mitre.oval:def:14752
Title: SSL and TLS Protocols Vulnerability
Description: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3389
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows 7
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application1
Application1
Application1
Application1
Os1

OpenVAS Exploits

DateDescription
2012-10-19Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-16351
File : nvt/gb_fedora_2012_16351_java-1.6.0-openjdk_fc16.nasl
2012-10-19Name : Fedora Update for java-1.7.0-openjdk FEDORA-2012-16351
File : nvt/gb_fedora_2012_16351_java-1.7.0-openjdk_fc16.nasl
2012-09-25Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2012-004)
File : nvt/gb_macosx_su12-004.nasl
2012-09-22Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-13127
File : nvt/gb_fedora_2012_13127_java-1.6.0-openjdk_fc16.nasl
2012-09-04Name : Mandriva Update for fetchmail MDVSA-2012:149 (fetchmail)
File : nvt/gb_mandriva_MDVSA_2012_149.nasl
2012-09-04Name : Fedora Update for java-1.7.0-openjdk FEDORA-2012-13138
File : nvt/gb_fedora_2012_13138_java-1.7.0-openjdk_fc16.nasl
2012-08-30Name : FreeBSD Ports: fetchmail
File : nvt/freebsd_fetchmail16.nasl
2012-08-30Name : Fedora Update for python3 FEDORA-2012-5785
File : nvt/gb_fedora_2012_5785_python3_fc17.nasl
2012-08-30Name : Fedora Update for python-docs FEDORA-2012-5892
File : nvt/gb_fedora_2012_5892_python-docs_fc17.nasl
2012-08-30Name : Fedora Update for python FEDORA-2012-5892
File : nvt/gb_fedora_2012_5892_python_fc17.nasl
2012-08-03Name : Mandriva Update for curl MDVSA-2012:058 (curl)
File : nvt/gb_mandriva_MDVSA_2012_058.nasl
2012-07-30Name : CentOS Update for firefox CESA-2012:1088 centos5
File : nvt/gb_CESA-2012_1088_firefox_centos5.nasl
2012-07-30Name : CentOS Update for firefox CESA-2012:1088 centos6
File : nvt/gb_CESA-2012_1088_firefox_centos6.nasl
2012-07-30Name : CentOS Update for thunderbird CESA-2012:1089 centos5
File : nvt/gb_CESA-2012_1089_thunderbird_centos5.nasl
2012-07-30Name : CentOS Update for thunderbird CESA-2012:1089 centos6
File : nvt/gb_CESA-2012_1089_thunderbird_centos6.nasl
2012-07-30Name : CentOS Update for java CESA-2011:1380 centos5 x86_64
File : nvt/gb_CESA-2011_1380_java_centos5_x86_64.nasl
2012-07-19Name : RedHat Update for firefox RHSA-2012:1088-01
File : nvt/gb_RHSA-2012_1088-01_firefox.nasl
2012-07-19Name : RedHat Update for thunderbird RHSA-2012:1089-01
File : nvt/gb_RHSA-2012_1089-01_thunderbird.nasl
2012-06-22Name : Mandriva Update for python MDVSA-2012:096 (python)
File : nvt/gb_mandriva_MDVSA_2012_096.nasl
2012-06-22Name : Mandriva Update for python MDVSA-2012:097 (python)
File : nvt/gb_mandriva_MDVSA_2012_097.nasl
2012-06-22Name : Fedora Update for python3 FEDORA-2012-9135
File : nvt/gb_fedora_2012_9135_python3_fc16.nasl
2012-06-19Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-9541
File : nvt/gb_fedora_2012_9541_java-1.6.0-openjdk_fc15.nasl
2012-06-19Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-9545
File : nvt/gb_fedora_2012_9545_java-1.6.0-openjdk_fc16.nasl
2012-06-19Name : Fedora Update for java-1.7.0-openjdk FEDORA-2012-9593
File : nvt/gb_fedora_2012_9593_java-1.7.0-openjdk_fc16.nasl
2012-05-18Name : Mac OS X Multiple Vulnerabilities (2012-002)
File : nvt/gb_macosx_su12-002.nasl
2012-05-08Name : Fedora Update for python-docs FEDORA-2012-5924
File : nvt/gb_fedora_2012_5924_python-docs_fc16.nasl
2012-05-08Name : Fedora Update for python FEDORA-2012-5924
File : nvt/gb_fedora_2012_5924_python_fc16.nasl
2012-05-04Name : Fedora Update for python3 FEDORA-2012-5916
File : nvt/gb_fedora_2012_5916_python3_fc15.nasl
2012-04-30Name : Debian Security Advisory DSA 2398-2 (curl)
File : nvt/deb_2398_2.nasl
2012-04-06Name : Opera Extended Validation Information Disclosure Vulnerabilities (Linux)
File : nvt/gb_opera_extented_validation_info_disc_vuln_lin.nasl
2012-04-02Name : Fedora Update for firefox FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_firefox_fc16.nasl
2012-04-02Name : Fedora Update for nss-softokn FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_nss-softokn_fc16.nasl
2012-04-02Name : Fedora Update for nss-util FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_nss-util_fc16.nasl
2012-04-02Name : Fedora Update for thunderbird-lightning FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_thunderbird-lightning_fc16.nasl
2012-04-02Name : Fedora Update for thunderbird FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_thunderbird_fc16.nasl
2012-04-02Name : Fedora Update for xulrunner FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_xulrunner_fc16.nasl
2012-04-02Name : Fedora Update for java-1.7.0-openjdk FEDORA-2012-1690
File : nvt/gb_fedora_2012_1690_java-1.7.0-openjdk_fc16.nasl
2012-04-02Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-1711
File : nvt/gb_fedora_2012_1711_java-1.6.0-openjdk_fc16.nasl
2012-04-02Name : Fedora Update for java-1.6.0-openjdk FEDORA-2011-15020
File : nvt/gb_fedora_2011_15020_java-1.6.0-openjdk_fc16.nasl
2012-03-19Name : Fedora Update for nss FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_nss_fc16.nasl
2012-03-19Name : Fedora Update for java-1.7.0-openjdk FEDORA-2011-15555
File : nvt/gb_fedora_2011_15555_java-1.7.0-openjdk_fc16.nasl
2012-03-12Name : Gentoo Security Advisory GLSA 201203-02 (cURL)
File : nvt/glsa_201203_02.nasl
2012-03-09Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-1721
File : nvt/gb_fedora_2012_1721_java-1.6.0-openjdk_fc15.nasl
2012-02-12Name : Debian Security Advisory DSA 2398-1 (curl)
File : nvt/deb_2398_1.nasl
2012-02-12Name : Gentoo Security Advisory GLSA 201111-02 (sun-jre-bin sun-jdk emul-linux-x86-j...
File : nvt/glsa_201111_02.nasl
2012-02-11Name : Debian Security Advisory DSA 2356-1 (openjdk-6)
File : nvt/deb_2356_1.nasl
2012-02-11Name : Debian Security Advisory DSA 2358-1 (openjdk-6)
File : nvt/deb_2358_1.nasl
2012-02-11Name : Debian Security Advisory DSA 2368-1 (lighttpd)
File : nvt/deb_2368_1.nasl
2012-02-06Name : Mac OS X Multiple Vulnerabilities (2012-001)
File : nvt/gb_macosx_su12-001.nasl
2012-01-25Name : Ubuntu Update for openjdk-6 USN-1263-2
File : nvt/gb_ubuntu_USN_1263_2.nasl
2012-01-23Name : Fedora Update for nss FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_nss_fc15.nasl
2012-01-23Name : Fedora Update for perl-Gtk2-MozEmbed FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_perl-Gtk2-MozEmbed_fc15.nasl
2012-01-23Name : Fedora Update for thunderbird-lightning FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_thunderbird-lightning_fc15.nasl
2012-01-23Name : Fedora Update for thunderbird FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_thunderbird_fc15.nasl
2012-01-23Name : Fedora Update for xulrunner FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_xulrunner_fc15.nasl
2012-01-23Name : Fedora Update for firefox FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_firefox_fc15.nasl
2012-01-23Name : Fedora Update for gnome-python2-extras FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_gnome-python2-extras_fc15.nasl
2012-01-23Name : Fedora Update for nspr FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_nspr_fc15.nasl
2012-01-23Name : Fedora Update for nss-softokn FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_nss-softokn_fc15.nasl
2012-01-23Name : Fedora Update for nss-util FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_nss-util_fc15.nasl
2012-01-11Name : Microsoft Windows SSL/TLS Information Disclosure Vulnerability (2643584)
File : nvt/secpod_ms12-006.nasl
2011-11-18Name : Ubuntu Update for icedtea-web USN-1263-1
File : nvt/gb_ubuntu_USN_1263_1.nasl
2011-11-14Name : Mandriva Update for java-1.6.0-openjdk MDVSA-2011:170 (java-1.6.0-openjdk)
File : nvt/gb_mandriva_MDVSA_2011_170.nasl
2011-10-21Name : RedHat Update for java-1.6.0-openjdk RHSA-2011:1380-01
File : nvt/gb_RHSA-2011_1380-01_java-1.6.0-openjdk.nasl
2011-10-21Name : CentOS Update for java CESA-2011:1380 centos5 i386
File : nvt/gb_CESA-2011_1380_java_centos5_i386.nasl
2011-10-21Name : Fedora Update for java-1.6.0-openjdk FEDORA-2011-14638
File : nvt/gb_fedora_2011_14638_java-1.6.0-openjdk_fc14.nasl
2011-10-21Name : Fedora Update for java-1.6.0-openjdk FEDORA-2011-14648
File : nvt/gb_fedora_2011_14648_java-1.6.0-openjdk_fc15.nasl
2011-09-09Name : Opera Extended Validation Information Disclosure Vulnerabilities (Mac OS X)
File : nvt/gb_opera_extented_validation_info_disc_vuln_macosx.nasl
2011-09-09Name : Opera Extended Validation Information Disclosure Vulnerabilities (Windows)
File : nvt/gb_opera_extented_validation_info_disc_vuln_win.nasl
0000-00-00Name : Java for Mac OS X 10.6 Update 6 And 10.7 Update 1
File : nvt/secpod_macosx_java_10_6_upd_6_and_10_7_upd_1.nasl
0000-00-00Name : FreeBSD Ports: opera, linux-opera
File : nvt/freebsd_opera25.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
74829SSL Chained Initialization Vector CBC Mode MiTM Weakness

Information Assurance Vulnerability Management (IAVM)

DateDescription
2014-02-27IAVM : 2014-A-0030 - Apple Mac OS X Security Update 2014-001
Severity : Category I - VMSKEY : V0044547
2013-10-17IAVM : 2013-A-0199 - Multiple Vulnerabilities in Oracle Fusion Middleware
Severity : Category I - VMSKEY : V0040786
2012-03-29IAVM : 2012-A-0048 - Multiple Vulnerabilities in VMware vCenter Update Manager 5.0
Severity : Category I - VMSKEY : V0031901
2012-01-13IAVM : 2012-B-0006 - Microsoft SSL/TLS Information Disclosure Vulnerability
Severity : Category I - VMSKEY : V0031054

Snort® IPS/IDS

DateDescription
2014-01-10SSL CBC encryption mode weakness brute force attempt
RuleID : 20212 - Revision : 7 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

DateDescription
2014-02-25Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2014-001.nasl - Type : ACT_GATHER_INFO
2012-09-20Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2012-004.nasl - Type : ACT_GATHER_INFO