Browser Exploit Against SSL/TLS Information Disclosure Attacks
Threat Type: IntelliShield: Applied Mitigation Bulletin
IntelliShield ID: 24211
Version: 29
First Published: 2011 September 27 19:27 GMT
Last Published: 2012 October 17 19:50 GMT
Port: Not Available
CVE: CVE-2011-3389
BugTraq ID: 49778
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
Version Summary: Oracle has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Description
The SSL version 3.0 and Transport Layer Security (TLS) version 1.0 protocols contain a vulnerability that could be used to decrypt encrypted SSL/TLS traffic and disclose sensitive information.
The vulnerability is due to an implementation error in the protocols' use of Cipher Block Chaining (CBC) mode and could allow decryption of ciphered information that is repeatedly transmitted at a predictable location in the encrypted data stream.
The vulnerability is exploitable on systems whose SSL/TLS-enabled web browsers use session cookies to maintain a secure web session. If a privileged attacker could bypass the Same Origin Policy (SOP) safety mechanism that is built into the browsers, the attacker could use the vulnerability to decrypt the existing session cookies and use that plaintext information to maintain unauthorized web sessions to affected websites.
Reports indicate that web browsers such as Google Chrome that use RC4 ciphers to encrypt the traffic remain unaffected by the vulnerability.
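The following added example (not part of the IntelliShield bulletin) models the record-chaining behaviour the description refers to: in SSL 3.0 and TLS 1.0 the CBC initialization vector of each record is the last ciphertext block of the previous record, so an observer of the wire knows the chaining value before the next plaintext is encrypted, whereas TLS 1.1 and later send a fresh random IV with every record (and a stream cipher such as RC4 has no chaining at all). The block cipher is a constructed stand-in built from HMAC-SHA256, chosen so the example runs with the standard library only; the chaining logic is what the example demonstrates.

```python
# Added example, not code from the bulletin or any vendor: compares chained
# CBC IVs (SSL 3.0/TLS 1.0) with per-record explicit IVs (TLS 1.1+).
import hashlib
import hmac
import os

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(block): a keyed PRF (HMAC-SHA256 truncated to 16
    bytes) replaces AES/3DES; only determinism per (key, block) matters."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC mode: C_i = E_k(P_i XOR C_{i-1}) with C_0 = iv."""
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        x = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = block_encrypt(key, x)
        out += prev
    return out


def encrypt_records(key: bytes, records: list, chained_iv: bool) -> list:
    """Encrypt a sequence of records and return (iv, ciphertext) pairs as
    they appear on the wire.

    chained_iv=True  models SSL 3.0/TLS 1.0: the IV of record n is the last
                     ciphertext block of record n-1 (the first IV is derived
                     in the handshake; modelled here as random).
    chained_iv=False models TLS 1.1+: every record carries a fresh random IV.
    """
    iv = os.urandom(BLOCK)
    wire = []
    for rec in records:
        ct = cbc_encrypt(key, iv, rec)
        wire.append((iv, ct))
        iv = ct[-BLOCK:] if chained_iv else os.urandom(BLOCK)
    return wire


def observer_can_predict_next_iv(wire: list) -> bool:
    """Observer's view: is the IV used for record n+1 always equal to the
    last ciphertext block of record n? True means the chaining value is
    known to anyone watching the wire before the next plaintext is sent."""
    return all(wire[n + 1][0] == wire[n][1][-BLOCK:]
               for n in range(len(wire) - 1))
```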
Apple has released security advisories at the following links: HT4999, HT5045, HT5130, HT5281, and HT5416. Apple has released updated software at the following links:
Avaya has released a security advisory at the following link: ASA-2011-364. Avaya has released software updates for registered users at the following link: Communication Manager 6.0 and later
cURL has released a security advisory at the following link: 20120124B. cURL has released a patch at the following link: CVE-2011-3389
HP users are advised to follow the mitigation steps mentioned in the vendor advisory.
IBM has released security alerts at the following links: swg21568229, swg21578730, and swg21598423. IBM users are advised to follow the mitigation steps mentioned in the vendor advisory.
Microsoft has released a security advisory at the following link: 2588513. Microsoft has released a security bulletin at the following link: MS12-006. Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
MontaVista Software has released a security alert for registered users on February 8, 2012, at the following link: MontaVista Security Fixes. MontaVista Software has released updated software at the following links:
Red Hat has released security advisories at the following links: RHSA-2012:0006, RHSA-2012:0034, and RHSA-2012:0343. Red Hat packages can be updated using the up2date or yum command.
US-CERT has released a vulnerability note at the following link: VU#864643.
Alert History
Version 28, September 27, 2012, 2:49 PM: Avaya has released a security advisory and software updates to address the browser exploit against SSL/TLS information disclosure attacks.
Version 27, August 8, 2012, 1:10 PM: Oracle has released an additional security advisory and patches to address the browser exploit against SSL/TLS information disclosure attacks.
Version 26, July 26, 2012, 10:53 AM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 25, June 15, 2012, 12:13 PM: IBM has released a security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 24, May 31, 2012, 12:23 PM: IBM has released an APAR and fixes to address the browser exploit against SSL/TLS information disclosure attacks.
Version 23, May 17, 2012, 5:34 PM: HP has released an additional security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 22, May 10, 2012, 12:44 PM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 21, May 8, 2012, 9:35 AM: HP has released an additional security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 20, March 29, 2012, 9:30 AM: IBM has released APARs and fixes to address the browser exploit against SSL/TLS information disclosure attacks.
Version 19, March 5, 2012, 11:10 AM: MontaVista has re-released a security alert and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 18, March 1, 2012, 11:35 AM: Red Hat has released an additional security advisory and updated packages to address the browser exploit against SSL/TLS information disclosure attacks.
Version 17, February 20, 2012, 11:06 AM: IBM has released an additional security alert to address the browser exploit against SSL/TLS information disclosure attacks.
Version 16, February 9, 2012, 11:16 AM: HP has released an additional security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 15, February 2, 2012, 12:14 PM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 14, January 30, 2012, 1:37 PM: MontaVista Software has released a security alert and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 13, January 27, 2012, 11:46 AM: Oracle has released a security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 12, January 26, 2012, 2:30 PM: cURL has released a security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 11, January 24, 2012, 1:41 PM: HP has released a security bulletin and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 10, January 19, 2012, 4:33 PM: Red Hat has released an additional security advisory and updated packages to address the browser exploit against SSL/TLS information disclosure attacks.
Version 9, January 18, 2012, 11:44 AM: Oracle has released an additional security notification and patches to address the browser exploit against SSL/TLS information disclosure attacks.
Version 8, January 10, 2012, 1:50 PM: Microsoft and Red Hat have released security advisories and software updates to address the browser exploit against SSL/TLS information disclosure attacks.
Version 7, January 3, 2012, 12:53 PM: Oracle has released a security notification and patches to address the browser exploit against SSL/TLS information disclosure attacks.
Version 6, December 19, 2011, 4:13 PM: Novell has released a security advisory and patches to address the browser exploit against SSL/TLS information disclosure attacks.
Version 5, December 14, 2011, 11:44 AM: FreeBSD has released a VuXML document and updated ports collection to address the browser exploit against SSL/TLS information disclosure attacks.
Version 4, November 14, 2011, 10:01 AM: IBM has released a security alert to address the browser exploit against SSL/TLS information disclosure attacks.
Version 3, November 10, 2011, 9:47 PM: Apple has released an additional security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks.
Version 2, October 15, 2011, 9:05 AM: Apple has released a security advisory and updated software to address the browser exploit against SSL/TLS information disclosure attacks. US-CERT has also released a vulnerability note to address this vulnerability.
Version 1, September 27, 2011, 2:27 PM: SSL and Transport Layer Security protocols contain a vulnerability that could be used to decrypt encrypted SSL/TLS traffic and disclose sensitive information.
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through the Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.