Security Activity Bulletin

Browser Exploit Against SSL/TLS Information Disclosure Attacks

 
Threat Type: IntelliShield: Applied Mitigation Bulletin
IntelliShield ID: 24211
Version: 33
First Published: 2011 September 27 19:27 GMT
Last Published: 2014 April 07 11:43 GMT
Port: Not available
CVE: CVE-2011-3389
BugTraq ID: 49778
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: EMC has released a security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
 

Description
 
The SSL version 3.0 and Transport Layer Security (TLS) version 1.0 protocols contain a vulnerability that could be used to decrypt encrypted SSL/TLS traffic and disclose sensitive information. The vulnerability is due to a flaw in the way these protocol versions use the Cipher Block Chaining (CBC) mode, and it could allow decryption of encrypted information that is repeatedly transmitted at a predictable position in the encrypted data stream.
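To make the CBC weakness concrete, the following Go program is an added example, not code from the bulletin or from any of the vendors it lists. It models a toy record layer in two styles: the SSL 3.0 / TLS 1.0 style, in which the IV of each record is the last ciphertext block of the previous record and is therefore known to anyone watching the stream before the next record is encrypted, and the TLS 1.1 style, in which every record gets a fresh random IV. It then runs the textbook chosen-plaintext test that the chained-IV style fails: an observer who knows the upcoming IV and can submit one chosen block learns whether a captured block equals a candidate value, which is exactly the property that makes data repeatedly transmitted at a predictable position recoverable. The AES key, the request text and the "session cookie" block are constructed demo values; padding and the record MAC are omitted to keep the record layer short.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// RecordLayer is a toy CBC record layer. With chainedIV set it reproduces the
// SSL 3.0 / TLS 1.0 design: the IV of each record is the previous record's last
// ciphertext block. Without it, each record gets a fresh random IV (TLS 1.1+).
type RecordLayer struct {
	block     cipher.Block
	chainedIV bool
	lastBlock []byte // last ciphertext block emitted; the next IV when chaining
}

func NewRecordLayer(key []byte, chainedIV bool) (*RecordLayer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, blockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return &RecordLayer{block: block, chainedIV: chainedIV, lastBlock: iv}, nil
}

// Encrypt encrypts one record and returns iv || ciphertext. Padding and MAC are
// omitted, so the plaintext must be a whole number of blocks.
func (r *RecordLayer) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) == 0 || len(plaintext)%blockSize != 0 {
		return nil, errors.New("plaintext must be a non-empty multiple of the block size")
	}
	iv := make([]byte, blockSize)
	if r.chainedIV {
		copy(iv, r.lastBlock) // predictable: equals the last block already on the wire
	} else if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(r.block, iv).CryptBlocks(ct, plaintext)
	copy(r.lastBlock, ct[len(ct)-blockSize:])
	return append(iv, ct...), nil
}

// PredictedNextIV is what a passive observer knows about the next record's IV:
// the exact value when IVs are chained, nothing (nil) when they are random.
func (r *RecordLayer) PredictedNextIV() []byte {
	if !r.chainedIV {
		return nil
	}
	return append([]byte(nil), r.lastBlock...)
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CandidateConfirmed is the chosen-plaintext test a predictable IV fails. For a
// captured record (iv || C[0..n-1]), block index i and a candidate plaintext, it
// submits the single block candidate XOR C[i-1] XOR predictedIV. Under CBC the
// resulting ciphertext block is E(candidate XOR C[i-1]), which equals C[i]
// exactly when the candidate is the real plaintext block. With a random IV the
// chosen block is masked by a value the observer never saw, so the test is
// always false.
func CandidateConfirmed(r *RecordLayer, record []byte, i int, candidate []byte) (bool, error) {
	blocks := len(record)/blockSize - 1 // the first block of the record is the IV
	if i < 0 || i >= blocks || len(candidate) != blockSize {
		return false, errors.New("bad block index or candidate length")
	}
	nextIV := r.PredictedNextIV()
	if nextIV == nil {
		nextIV = make([]byte, blockSize) // nothing to cancel; random IV will mask the block
	}
	prev := record[i*blockSize : (i+1)*blockSize]       // C[i-1], or the IV when i == 0
	target := record[(i+1)*blockSize : (i+2)*blockSize] // C[i]
	out, err := r.Encrypt(xor(xor(candidate, prev), nextIV))
	if err != nil {
		return false, err
	}
	return bytes.Equal(out[blockSize:2*blockSize], target), nil
}

func main() {
	key := []byte("0123456789abcdef")    // constructed demo key
	secret := []byte("session=SECRET01") // constructed "cookie" block at a fixed position
	for _, chained := range []bool{true, false} {
		r, _ := NewRecordLayer(key, chained)
		rec, _ := r.Encrypt(append([]byte("GET /index.html "), secret...))
		right, _ := CandidateConfirmed(r, rec, 1, secret)
		wrong, _ := CandidateConfirmed(r, rec, 1, []byte("session=WRONG001"))
		fmt.Printf("chainedIV=%-5v right candidate confirmed: %-5v wrong candidate confirmed: %v\n", chained, right, wrong)
	}
}
```

With chained IVs the correct candidate is confirmed and the wrong one is not, which is the distinguishing behaviour that TLS 1.1's explicit per-record IV removes; the random-IV run returns false for both.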

The vulnerability is exploitable against systems whose SSL/TLS-enabled web browsers use session cookies to maintain a secure web session. If a privileged attacker could bypass the Same Origin Policy (SOP) protection built into browsers, the attacker could use the vulnerability to decrypt existing session cookies and use the recovered plaintext to maintain unauthorized web sessions with affected websites.

Reports indicate that web browsers, such as Google Chrome, that use the RC4 cipher to encrypt traffic remain unaffected by the vulnerability.

Apple has released security advisories at the following links: HT4999, HT5045, HT5130, HT5281, HT5416, HT6011, and HT6150. Apple has released updated software at the following links:

Apple iOS 5
Java for Mac OS X 10.6 Update 6
Java for OS X Lion Update 1
OS X Mavericks 10.9

Xcode 4.4

Mac OS X and Mac OS X Server 10.6.8
Security Update 2012-001 (Snow Leopard)
Security Update 2012-001 Server (Snow Leopard)

Mac OS X and Mac OS X Server 10.7.3
OS X Lion Update 10.7.3 (Client)
OS X Lion Update 10.7.3 (Server)

Mac OS X and Mac OS X Server 10.6.8
Security Update 2012-002 (Snow Leopard)
Security Update 2012-002 Server (Snow Leopard)

Mac OS X and Mac OS X Server 10.7.4
OS X Lion Update 10.7.4 (Client)
OS X Lion Update 10.7.4 (Server)

Mac OS X 10.8.5
Security Update 2014-001 (Mountain Lion)

Avaya has released a security advisory at the following link: ASA-2011-364. Avaya has released software updates for registered users at the following link: Communication Manager 6.0 and later.

cURL has released a security advisory at the following link: 20120124B. cURL has released a patch at the following link: CVE-2011-3389.

EMC has released a security advisory at the following link: ESA-2013-039. EMC has released software updates for registered users at the following links:
RSA BSAFE SSL-J version 5.1.4
RSA BSAFE SSL-J version 6.1.2

FreeBSD has released a VuXML document at the following link: opera -- multiple vulnerabilities. FreeBSD releases ports collection updates at the following link: Ports Collection Index.

HP has released security bulletins c03122753, c03164351, c03266681, c03316985, and c03839862 at the following links: HPSBUX02730 SSRT100710, HPSBMU02742 SSRT100740, HPSBUX02760 SSRT100805, HPSBUX02777 SSRT100854, and HPSBMU02900. HP has released updated software at the following links:

HP-UX B.11.11
JDK and JRE version 6.0.13 or subsequent
JDK and JRE version 5.0.24 or subsequent
JDK and JRE version 1.4.2.28 or subsequent

HP-UX B.11.23
JDK and JRE version 6.0.13 or subsequent
JDK and JRE version 5.0.24 or subsequent
JDK and JRE version 1.4.2.28 or subsequent

HP-UX B.11.31
JDK and JRE version 6.0.13 or subsequent
JDK and JRE version 5.0.24 or subsequent
JDK and JRE version 1.4.2.28 or subsequent

System Management Homepage 7.2.1

HP users are advised to follow the mitigation steps mentioned in the vendor advisory.

IBM has released security alerts at the following links: swg21568229, swg21578730, and swg21598423. IBM users are advised to follow the mitigation steps mentioned in the vendor advisory.

IBM has released updated software at the following link: IBM Rational AppScan 8.6.

IBM has released APARs at the following links: IV15418, IV13169, and PM58093. IBM has released fixes at the following links: IV15418, IV13169, and PM58093.

Microsoft has released a security advisory at the following link: 2588513. Microsoft has released a security bulletin at the following link: MS12-006. Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.

MontaVista Software has released a security alert for registered users on February 8, 2012, at the following link: MontaVista Security Fixes. MontaVista Software has released updated software at the following links:

Pro 4.0.1
Pro 5.0
CGE 4.0.1
CGE 5.1
Mobilinux 4.1
Mobilinux 5.0
CGE 6.0
MVL 6

Novell has released a security advisory and mitigation steps at the following link: 7009901.

Oracle has released security notifications at the following links: CVE-2011-3389, Multiple vulnerabilities in Python, and Multiple vulnerabilities in fetchmail. Oracle has released patches for registered users at the following links:

GlassFish Enterprise Server 2.1.1
128640-29, 128643-29, and 128647-29 for SPARC
128641-29, 128644-29, and 128648-29 for Intel
128642-29, 128645-29, and 128649-29 for Linux
128646-29 and 128650-29 for Windows
137916-29 for IBM AIX

Sun Java System Application Server 8.1
119169-37 and 119173-37 for SPARC
119170-37 and 119174-37 for Intel
119171-37 and 119175-37 for Linux
119172-37 and 119176-37 for Windows

Sun Java System Application Server 8.2
124672-19, 124675-18 and 124679-18 for SPARC
124673-19, 124676-18 and 124680-18 for Intel
124674-19, 124677-18 and 124681-18 for Linux
124678-18 and 124682-18 for Windows

Oracle iPlanet Web Server 7.0
145843-05 for SPARC
145844-05 for Intel
145846-05 and 145845-05 for Linux
145847-05 for Windows
145848-05 for IBM AIX

Java System Web Server 6.1
145531-03 and 145532-03 for SPARC
145534-03 for Intel
145533-03 for Linux
145535-03 for Windows
145536-03 for AIX

SPARC
Solaris 10 with patch 143506-06 or later

Intel
Solaris 10 with patch 143507-06 or later

Solaris 11
11/11 SRU 12.4

Red Hat has released security advisories at the following links: RHSA-2012:0006, RHSA-2012:0034, and RHSA-2012:0343. Red Hat packages can be updated using the up2date or yum command.

US-CERT has released a vulnerability note at the following link: VU#864643.
 
Alert History
 

Version 32, February 27, 2014, 9:15 AM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 31, October 24, 2013, 1:23 PM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 30, July 22, 2013, 2:48 PM: HP has released a security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 29, October 17, 2012, 7:50 PM: Oracle has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 28, September 27, 2012, 2:49 PM: Avaya has released a security advisory and software updates to address the browser exploit against SSL/TLS information disclosure attacks.

Version 27, August 8, 2012, 1:10 PM: Oracle has released an additional security advisory and patches to address the browser exploit against SSL/TLS information disclosure attacks.

Version 26, July 26, 2012, 10:53 AM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 25, June 15, 2012, 12:13 PM: IBM has released a security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 24, May 31, 2012, 12:23 PM: IBM has released an APAR and fixes to address the browser exploit against SSL/TLS information disclosure attacks.

Version 23, May 17, 2012, 5:34 PM: HP has released an additional security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 22, May 10, 2012, 12:44 PM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 21, May 8, 2012, 9:35 AM: HP has released an additional security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 20, March 29, 2012, 9:30 AM: IBM has released APARs and fixes to address the browser exploit against SSL/TLS information disclosure attacks.

Version 19, March 5, 2012, 11:10 AM: MontaVista has re-released a security alert and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 18, March 1, 2012, 11:35 AM: Red Hat has released an additional security advisory and updated packages to address the browser exploit against SSL/TLS information disclosure attacks.

Version 17, February 20, 2012, 11:06 AM: IBM has released an additional security alert to address the browser exploit against SSL/TLS information disclosure attacks.

Version 16, February 9, 2012, 11:16 AM: HP has released an additional security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 15, February 2, 2012, 12:14 PM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 14, January 30, 2012, 1:37 PM: MontaVista Software has released a security alert and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 13, January 27, 2012, 11:46 AM: Oracle has released a security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 12, January 26, 2012, 2:30 PM: cURL has released a security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 11, January 24, 2012, 1:41 PM: HP has released a security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 10, January 19, 2012, 4:33 PM: Red Hat has released an additional security advisory and updated packages to address the browser exploit against SSL/TLS information disclosure attacks.

Version 9, January 18, 2012, 11:44 AM: Oracle has released an additional security notification and patches to address the browser exploit against SSL/TLS information disclosure attacks.

Version 8, January 10, 2012, 1:50 PM: Microsoft and Red Hat have released security advisories and software updates to address the browser exploit against SSL/TLS information disclosure attacks.

Version 7, January 3, 2012, 12:53 PM: Oracle has released a security notification and patches to address the browser exploit against SSL/TLS information disclosure attacks.

Version 6, December 19, 2011, 4:13 PM: Novell has released a security advisory and patches to address the browser exploit against SSL/TLS information disclosure attacks.

Version 5, December 14, 2011, 11:44 AM: FreeBSD has released a VuXML document and updated ports collection to address the browser exploit against SSL/TLS information disclosure attacks.

Version 4, November 14, 2011, 10:01 AM: IBM has released a security alert to address the browser exploit against SSL/TLS information disclosure attacks.

Version 3, November 10, 2011, 9:47 PM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.

Version 2, October 15, 2011, 9:05 AM: Apple has released a security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks. US-CERT has also released a vulnerability note to address this vulnerability.

Version 1, September 27, 2011, 2:27 PM: SSL and Transport Layer Security protocols contain a vulnerability that could be used to decrypt encrypted SSL/TLS traffic and disclose sensitive information.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield: Security Activity Bulletin Original Release Base
RSA Security: RSA BSAFE SSL-J 5.1.0 Base

Associated Products:
Apple: Mac OS X 10.7.1 Base | 10.7.2 Base | 10.7.3 Base | 10.7.4 Base | 10.7.5 Base | 10.8 Base | 10.8.1 Base | 10.8.2 Base | 10.8.3 Base | 10.8.4 Base | 10.8.5 Base
Apple: Xcode 4.0 Base | 4.1 Base | 4.2 Base | 4.3 Base
Avaya, Inc.: Communication Manager 4.0 Base, .1, .3, .3 SP1 | 5.0 Base, SP1, SP2, SP3
HP: System Management Homepage (SMH) 7.0 Base | 7.1 Base | 7.2 Base
Oracle Corporation: Solaris Express 11 2010.11
RSA Security: RSA BSAFE SSL-J 4.1 .5 | 5.1.1 Base | 5.1.2 Base | 5.1.3 Base | 6.1.0 Base | 6.1.1 Base
Sun Microsystems, Inc.: Solaris 10 sparc, x64/x86




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.