Executive Summary

Summary
Title SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes
Information

Name: VU#864643
First vendor publication: 2011-09-27
Vendor: VU-CERT
Last vendor modification: 2011-12-08
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS base score: 4.3       Attack range: Network
CVSS impact score: 2.9     Attack complexity: Medium
CVSS exploit score: 8.6    Authentication: None required

Detail

Vulnerability Note VU#864643

SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes

Overview

A vulnerability in the specification of the SSL 3.0 and TLS 1.0 protocols could allow an attacker to decrypt encrypted traffic.

I. Description

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network application protocols such as HTTP, IMAP, POP3, LDAP, SMTP, and others. Several different versions of the SSL and TLS protocols have been standardized and are in widespread use. These protocols support the use of both block-based and stream-based ciphers.

A vulnerability in the way the SSL 3.0 and TLS 1.0 protocols select the initialization vector (IV) when operating in cipher-block chaining (CBC) modes allows an attacker to perform a chosen-plaintext attack on encrypted traffic. This vulnerability has been addressed in the specification for the TLS 1.1 and TLS 1.2 protocols.


While this vulnerability exists in the underlying specification of the affected protocols, a practical attack called BEAST has been demonstrated in the context of a web browser and the use of the HTTPS protocol. Because of the software functionality available to an attacker in this environment, it represents the most likely attack vector and the most significant risk for affected users. An effective BEAST attack appears to require a cross-domain vulnerability that allows the attacker to issue specially crafted HTTPS requests. A blog post by Thái Duong discusses "...a way to bypass the same-origin policy (SOP)..." using a Java applet.
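The following Python sketch is an added illustration and is not part of the CERT note or any vendor's code. It models the two IV-selection designs the note contrasts: SSL 3.0/TLS 1.0 reuse the last ciphertext block of the previous record as the next record's IV (a value any on-path observer has already seen), whereas TLS 1.1/1.2 prepend a fresh unpredictable IV to every record. A keyed HMAC truncated to 16 bytes stands in for the block cipher (it is not invertible and not a real cipher; only its determinism matters here), padding and the record MAC are omitted, and the 16-byte "secret" and key values are constructed for the demonstration. The point shown is the one that defines the weakness: with a predictable IV, a party who can get a chosen record encrypted learns whether a guessed block equals a previously encrypted one, and with an explicit random IV the same probe tells it nothing.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher (assumption of this example).

    HMAC-SHA256 truncated to one block is NOT a cipher (it is not invertible);
    it is used only because the property demonstrated depends solely on the
    block function being deterministic under a fixed key.
    """
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC over a whole-block plaintext (padding omitted for brevity)."""
    assert len(plaintext) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


class ChainedIvSender:
    """SSL 3.0 / TLS 1.0 style: each record's IV is the last ciphertext block
    of the previous record, which has already been sent on the wire."""

    def __init__(self, key: bytes, initial_iv: bytes):
        self.key = key
        self.next_iv = initial_iv

    def send(self, record: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.next_iv, record)
        self.next_iv = ct[-BLOCK:]
        return ct


class ExplicitIvSender:
    """TLS 1.1 / 1.2 style: a fresh random IV per record, transmitted in the
    clear in front of the ciphertext."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, record: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, record)


def chained_iv_equality_check(secret_block: bytes, guess: bytes) -> bool:
    """True exactly when `guess` equals `secret_block` (chained-IV design).

    The observer knows the IV the next record will use (the last ciphertext
    block on the wire), so it asks for the encryption of
    guess XOR iv_used_for_secret XOR iv_for_next_record; CBC then feeds the
    block function the same input as for the secret block if and only if
    the guess was right. This is the chosen-plaintext weakness VU#864643
    describes, reduced to a single block.
    """
    key = os.urandom(BLOCK)  # constructed session key
    sender = ChainedIvSender(key, os.urandom(BLOCK))
    iv_secret = sender.next_iv
    ct_secret = sender.send(secret_block)  # record carrying the secret
    iv_next = sender.next_iv               # == ct_secret[-16:], public
    ct_probe = sender.send(xor(xor(guess, iv_secret), iv_next))
    return ct_probe == ct_secret


def explicit_iv_equality_check(secret_block: bytes, guess: bytes,
                               trials: int = 32) -> bool:
    """Same probe against the explicit-IV design.

    The probe record's IV is unknown until the record is produced, so no
    compensating XOR can be applied in advance; the ciphertext blocks match
    only with negligible probability whether or not the guess is right.
    """
    key = os.urandom(BLOCK)  # constructed session key
    sender = ExplicitIvSender(key)
    ct_secret = sender.send(secret_block)[BLOCK:]
    return any(sender.send(guess)[BLOCK:] == ct_secret for _ in range(trials))


if __name__ == "__main__":
    secret = b"secret-cookie=42"  # constructed 16-byte sample block
    print("chained IV, right guess :", chained_iv_equality_check(secret, secret))
    print("chained IV, wrong guess :", chained_iv_equality_check(secret, b"secret-cookie=41"))
    print("explicit IV, right guess:", explicit_iv_equality_check(secret, secret))
```

The explicit-IV check returning False for a correct guess is the whole of the TLS 1.1 fix: the record layer stops being a deterministic function of (key, chosen plaintext), so chosen-plaintext queries no longer act as an equality oracle. Enabling TLS 1.1 or later on both ends, as the Workarounds section advises, is what puts this design in use.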

II. Impact

An attacker with the ability to pose as a man-in-the-middle and to generate specially-crafted plaintext input could decrypt the contents of an SSL- or TLS-encrypted session. This could allow the attacker to recover potentially sensitive information (e.g., HTTP authentication cookies).

III. Solution

We are currently unaware of a practical solution to this problem.

Workarounds


Some vendors have published specific mitigation advice for the attacks related to this issue. Please see the Vendor Information section of this document for more information.


The following general workarounds can be effective in mitigating this issue:

  • Prioritize the use of the RC4 algorithm over block ciphers in server software

    Note that this workaround is not feasible to implement on systems that require FIPS-140 compliance since RC4 is not a FIPS-approved cryptographic algorithm.
  • Enable support for TLS 1.1 and/or TLS 1.2 in the web browser
  • Enable support for TLS 1.1 in server software

    Note that both the web server and the client web browser must support TLS 1.1 or TLS 1.2 for these workarounds to be effective. The session will fall back to an earlier version of the TLS or SSL protocol if either side is incompatible with TLS 1.1 or TLS 1.2.

Vendor Information

Vendor                 | Status   | Date Notified / Date Updated
-----------------------|----------|-----------------------------
Apple Inc.             | Unknown  | 2011-09-27
GnuTLS                 | Unknown  | 2011-09-27
Google                 | Affected | 2011-09-27
Microsoft Corporation  | Affected | 2011-09-27
Mozilla                | Affected | 2011-09-28
OpenSSL                | Unknown  | 2011-09-27
Opera                  | Affected | 2011-12-08

References

http://www.openssl.org/~bodo/tls-cbc.txt
http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vu...
http://vnhacker.blogspot.com/2011/09/beast.html
https://blog.torproject.org/blog/tor-and-beast-ssl-attack
http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-securit...
http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-se...
http://src.chromium.org/viewvc/chrome?view=rev&revision=97269
https://bugzilla.mozilla.org/show_bug.cgi?id=665814
http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
http://www.ekoparty.org/2011/juliano-rizzo.php

Credit

Thanks to Thái Duong working with Matasano and Juliano Rizzo of Netifera for reporting the practical attack against this vulnerability. Wei Dai and Bodo Möller identified the underlying flaw in the context of SSL and TLS.

This document was written by Chad R Dougherty.

Other Information

Date Public: 2002-02-08
Date First Published: 2011-09-27
Date Last Updated: 2011-12-08
CERT Advisory:
CVE-ID(s): CVE-2011-3389
NVD-ID(s): CVE-2011-3389
US-CERT Technical Alerts:
Severity Metric: 3.37
Document Revision: 36

Original Source

Url : http://www.kb.cert.org/vuls/id/864643

CWE : Common Weakness Enumeration

Id     | Name
-------|--------------------------
CWE-20 | Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14752
 
Oval ID: oval:org.mitre.oval:def:14752
Title: SSL and TLS Protocols Vulnerability
Description: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3389
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows 7
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type        | Description | Count
------------|-------------|------
Application |             | 1
Application |             | 1
Application |             | 1
Application |             | 1
Os          |             | 1

Open Source Vulnerability Database (OSVDB)

Id    | Description
------|----------------------------------------------------------
74829 | SSL Chained Initialization Vector CBC Mode MiTM Weakness