12690 - TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness - Apache Web Server forum at WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

12690 - TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness

CVE: CVE-2011-3389 - A vulnerability is present in some versions of the TLS

shishir

5:47 am on Mar 7, 2012 (gmt 0)

Hi,

Can anybody help me finding the solution of the below issue?

12690 - TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness
Category: General Vulnerability Assessment -> NonIntrusive -> Miscellaneous
Risk Level: High
CVE: CVE-2011-3389
Microsoft ID: KB2588513
Description
A vulnerability is present in some versions of the TLS and SSL Protocols.
Observation
TLS/SSL is a network communication protocol used for secure connections.
A vulnerability is present in some versions of the TLS and SSL Protocols. Research presented at the 2011 ekoparty Security
Conference illustrates an evolved blockwise chosen-plaintext attack against TLS 1.0 and SSL 3.0. Under specific conditions an
attacker (MITM) can gain the ability to decrypt HTTPS-specifc HTTP cookie requests. Demonstrations have shown simulated
attacks based on javascript and other common, browser-friendly, methods.

I am currently on Apache version to 2.2.21 and OpenSSL to 1.0.0e.

Thanks,
Shishir

phranque

8:58 am on Mar 7, 2012 (gmt 0)

download and install all updates from the Microsoft Update website:
http://update.microsoft.com/microsoftupdate/ [update.microsoft.com]

shishir

10:05 am on Mar 7, 2012 (gmt 0)

Hi,

Thanks for the reply.
I was looking for any fix in openssl for id CVE: CVE-2011-3389.
But it seems OpenSSL has not released TLS1.1 or later.
Please confirm.
Is there any other way to apply any openssl/tls/apache patch or fix?

Thanks.

phranque

10:23 am on Mar 7, 2012 (gmt 0)

attacks based on javascript and other common, browser-friendly, methods

this is a client side problem - not apache.

here's more...
National Vulnerability Database (NVD) (CVE-2011-3389):
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389 [web.nvd.nist.gov]

shishir

6:23 am on Mar 8, 2012 (gmt 0)

Hi,

I do agree with you.
From the link below,

[web.nvd.nist.gov...]

The issue is mentioned for various clients/browsers and only for Microsoft Windows and not for Unix and its flavors.

Also, on the same link, following is the information we can see,

Vulnerable software and versions
Configuration 1
OR
* cpe:/o:microsoft:windows
* cpe:/a:microsoft:ie
* cpe:/a:mozilla:firefox
* cpe:/a:google:chrome
* cpe:/a:opera:opera_browser

What are the chances,if we can use IE with TLS1.1 enabled and unix as OS to solve this issue?

suggestions?

[edited by: engine at 9:58 am (utc) on Mar 8, 2012]

phranque

9:02 am on Mar 8, 2012 (gmt 0)

microsoft support for TLS 1.1 starts with Windows 7 so any secure requests made from browsers on XP, for example will degrade to TLS 1.0.

Is SSL broken? � More about Security Advisory 2588513:
http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx [blogs.technet.com]

shishir

9:17 am on Mar 8, 2012 (gmt 0)

Hi,

Agreed, so a combination of (OpenSSL 1.0.0e integrated with Apache) and any of the current browser, always have this issue. It can be sorted out only when the OpenSSL comes with the TLS1.1 enablement and browser also supports TLS1.1 at the same time. Say in IE, it can be achieved but OpenSSL doesn't have it currently.
Correct?

phranque

11:04 am on Mar 8, 2012 (gmt 0)

so far i have provided 3 links that will answer all your questions - have you read all of them?

the problem occurs with javascript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API.
if your browser is HTML5-compliant or you have a Java plugin and/or a Silverlight plugin, make sure everything is updated.

openssl already supports TSL1.1 but it won't help if the requesting (pre-Windows 7) OS has no TSL1.1 upgrade path.