OSVDB ID: 59969

Title: Apache HTTP Server mod_ssl SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Info

Disclosure

Nov 05, 2009

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Classification

Location: Remote / Network Access
Attack Type: Cryptographic, Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Disclosure: Vendor Verified

Solution

Products

Unknown or Incomplete

References

CVE ID: 2009-3555 (see also: NVD)
Secunia Advisory ID: 37331 37352 37382 37383 37399 37430 37486 37512 37545 37619 37653 37668 37669 37800 37859 37861 37968 38069 38241 38483 38813 39207 39210 39216 39294 39317 39632 39781 39956 39967 41542 42816 43091 49035 49966 51766
Related OSVDB ID: 59968 59970
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0063.html
http://seclists.org/bugtraq/2012/Apr/114
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
Other Advisory URL: http://blog.ivanristic.com/2009/11/ssl-and-tls-authentication-gap-vulnerability-discovered.html
http://extendedsubset.com/?p=8
http://extendedsubset.com/Renegotiating_TLS.pdf
http://threatcenter.smobilesystems.com/?page_id=1331
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600523
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
http://www.ubuntu.com/usn/USN-860-1
Vendor Specific News/Changelog Entry: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01963123
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
http://lists.debian.org/debian-security-announce/2009/msg00257.html
http://lists.debian.org/debian-security-announce/2011/msg00003.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034817.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035949.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041887.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00008.html
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.597446
http://www-01.ibm.com/support/docview.wss?uid=swg1PK96157
http://www-01.ibm.com/support/docview.wss?uid=swg1PM02614
http://www-01.ibm.com/support/docview.wss?uid=swg1PM10658
http://www.gentoo.org/security/en/glsa/glsa-201301-01.xml
https://bugzilla.redhat.com/show_bug.cgi?id=533125
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00634.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01020.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01029.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01360.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01418.html
Vendor Specific Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03405642
http://support.apple.com/kb/HT4004
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0154
http://www.gentoo.org/security/en/glsa/glsa-200912-01.xml
http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-11-767
http://www.ubuntu.com/usn/usn-990-2
Packet Storm: http://packetstormsecurity.org/files/111920/HP-Security-Bulletin-HPSBOV02762-SSRT100825.html
News Article: http://www.computerworld.com/s/article/9140362/Scramble_on_to_fix_flaw_in_SSL_security_protocol
http://www.pcworld.com/article/182720/security_pro_says_new_ssl_attack_can_hit_many_sites.html
Generic Exploit URL: http://www.leviathansecurity.com/pdf/ssltlstest.zip
RedHat RHSA: https://rhn.redhat.com/errata/RHSA-2009-1579.html
https://rhn.redhat.com/errata/RHSA-2009-1580.html
https://rhn.redhat.com/errata/RHSA-2010-0011.html
https://rhn.redhat.com/errata/RHSA-2010-0337.html
https://rhn.redhat.com/errata/RHSA-2010-0338.html
https://rhn.redhat.com/errata/RHSA-2010-0339.html

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/59969