SSL and TLS protocols renegotiation vulnerability
Original Issue Date: December 09, 2009
Severity Rating: High
- Multiple implementations of SSL and TLS protocols
A vulnerability exists in SSL and TLS protocols that may allow attackers to execute an arbitrary HTTPS transaction.
TLS Transport Layer Security and SSL Secure Sockets Layer are most widely recognized as the protocols that provide secure HTTP HTTPS for Internet transactions between Web browsers and Web servers. TLS/SSL can also be used for other application level protocols, such as File Transfer Protocol FTP , Lightweight Directory Access Protocol LDAP , and Simple Mail Transfer Protocol SMTP . TLS/SSL enables server authentication, client authentication, data encryption, and data integrity over networks such as the World Wide Web.
A vulnerability has been identified in the current SSL Version 3 and TLS Version 1 protocols while handling TLS handshake re-negotiations. An attacker could exploit this vulnerability via man-in-the-middle techniques and injecting data into the beginning of the application protocol stream. This could lead to fragmentation of SSL transactions, giving attackers the opportunity to inject false commands or to execute HTTP transactions such as password resets into communications which are otherwise encrypted. This attack can bypass authentication and possibly launch further attacks against the victim.
Apply appropriate patches or fixes released by respective vendors at server and client level.
- Implement anti-CSRF Cross Site Request Forgery features in web applications.
- Use an IPS/IDS/Application firewall to catch recurrent HTTP request that are enclosed within each other.
ISS X FORCE
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003