WANTED, Alive:
Servicegerichte Security Engineer met hoofdletter S

Ernstig beveiligingslek gevonden in het TLS/SSL protocol

Aangezien dat het TLS/SSL protocol door elke encryptie oplossing gebruikt wordt heeft elke producent hier mogelijk last van. Onder deze tekst staan enkele links naar producenten, deze lijst is zeker niet compleet. Onderstaande tekst is overgenomen van de Juniper website:

A Multiple Vendor TLS/SSL Protocol Session Renegotiation Security Vulnerability has been found.

Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks at the Transport Layer. Multiple vendors' TLS protocol implementations are prone to a security vulnerability that allows for man-in-the-middle attacks. Note that this issue does not allow attackers to decrypt encrypted data.

Specifically, the issue occurs because of the way applications handle the session-renegotiation process. Attackers may inject arbitrary plaintext into the beginning of the application protocol stream. The attack has been confirmed to work with HTTP as the application protocol, but is believed to also be possible with other protocols that are layered on TLS.

In case of the HTTP protocol used with the vulnerable TLS implementation, this attack is carried out by intercepting 'Client Hello' requests and then forcing session renegotiation. An unauthorized attacker can then cause the webserver to process arbitrary requests that would otherwise require a valid client-side certificate for authorization. Note that the attacker will not be able to gain direct access to the server response.

UPDATE (November 30, 2009): Attack scenarios have been described targeting SMTP layered on SSL/TLS and FTPS (FTP extended to support SSL/TLS).

For more information:
http://www.juniper.net/security/auto/vulnerabilities/vuln36935.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml
http://www.securityfocus.com/bid/36935/info
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk43144&js_peid=P-114a7bc3b09-10006&partition=Public&product=SmartCenter
https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html
http://techworld.nl/technologie/15364/ssl-lek-wordt-na-half-jaar-gedicht.html

Terug naar het nieuwsoverzicht »