Secure Sockets Layer (SSL) version 2 (v2) has been found to contain several weaknesses. Depending on the time and resources of an attacker, any communication protected by SSLv2 may be vulnerable to Man-in-The-Middle (MiTM) attacks that could allow data tampering or disclosure. SSLv2 flaws in summary: - SSL encrypted web requests traffic analysis can disclose which pages were downloaded, length of data downloaded, what web servers were accessed and more. This requires sniffing or physical access and is considered a passive attack. - Bellovin cut-and-paste attack. This requires sniffing and MiTM manipulation and is considered an active attack. - Bellovin short-block attack. This requires sniffing and MiTM manipulation and is considered an active attack. - Insecure MAC use post-encryption. This is considered a design flaw weakness. - Horton Principle failure. This requires sniffing and MiTM manipulation and is considered an active attack. - Ciphersuite rollback attack. This requires sniffing and MiTM manipulation. - Diffie-hellman Key-exchange MiTM attack. - 40-bit MAC use. This is considered a design flaw weakness.

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by implementing the following workaround: use SSLv3, TLSv1 or a more secure protocol.

Unknown or Incomplete

• Generic Informational URL: http://en.wikipedia.org/wiki/Transport_Layer_Security
• Other Advisory URL: http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm
  http://www.schneier.com/paper-ssl.pdf
  http://www.yaksman.org/~lweith/ssl.pdf
• Vendor Specific Advisory URL: http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2010-08-896&viewMode=view [ Auth Req'd ]

Unknown or Incomplete

NVD does not currently have a CVSSv2 score assigned.