Apache/mod_ssl vulnerability and mitigation

2009.11.11
Credit: Apache team
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-310


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

Subject: CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation

Apache httpd is affected by CVE-2009-3555 [1] (the SSL Injection or MiM attack [2]). The Apache httpd webserver relies on OpenSSL for the implementation of the SSL/TLS protocol.

We strongly urge you to upgrade to OpenSSL 0.9.8l, and to be prepared to deploy OpenSSL 0.9.8m as it becomes available [3]. Note that these are for short-term and mid-term mitigation only; the long-term solution may well require a modification of the SSL and/or TLS protocols [4].

For those who are not able to upgrade OpenSSL swiftly and/or for those who need detailed logging, we recommend that you roll out this patch [5]:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

as soon as possible. This is a partial fix in lieu of the protocol issues being addressed and further changes to OpenSSL. Like the OpenSSL 0.9.8l stopgap measure, this patch rejects in-session renegotiation.

If you are unable to patch and unable to roll out a newer version of OpenSSL, and you rely on Client Side Authentication with Certificates, then we recommend that you 1) ensure that you limit your configuration to a single 'SSLClient require' on VirtualHost/Server level and 2) remove all other (re)negotiation/require directives. However, this does NOT fully protect you; it just curtails authentication in this specific setting.
1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
2: http://www.links.org/?p=780, http://extendedsubset.com/?p=8
3: http://www.openssl.org/source/ and the openssl-announce mailing list on http://www.openssl.org/support/community.html
4: http://www.ietf.org/mail-archive/web/tls/current/msg03963.html
5: svn diff -r833581:833594 https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl
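To audit a configuration against recommendations 1) and 2) above, the following is an added Python example (not part of the advisory or of httpd itself) that walks an httpd.conf and flags the per-directory mod_ssl directives that force an in-session renegotiation: SSLVerifyClient (the directive the advisory's 'SSLClient require' refers to), SSLVerifyDepth and SSLCipherSuite. Both configurations are constructed for the example.

```python
import re
# Added example, not from the Apache advisory. mod_ssl honours these directives
# per-directory; set inside <Location>/<Directory> (or .htaccess) with a value
# that differs from the VirtualHost, they force a mid-session renegotiation.
RENEG_DIRECTIVES = {"SSLVerifyClient", "SSLVerifyDepth", "SSLCipherSuite"}
PER_DIR_CONTAINERS = {"location", "locationmatch", "directory",
                      "directorymatch", "files", "filesmatch"}

def find_renegotiation_triggers(conf_text):
    """Return [(line_no, container path, directive)] for every
    renegotiation-triggering directive inside a per-directory container."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):                      # closing container
            if stack:
                stack.pop()
            continue
        opened = re.match(r"<(\w+)", line)
        if opened:                                     # opening container
            stack.append(opened.group(1))
            continue
        directive = line.split()[0]
        if directive in RENEG_DIRECTIVES and \
                any(c.lower() in PER_DIR_CONTAINERS for c in stack):
            findings.append((no, "/".join(stack), directive))
    return findings

# Constructed configs: the first requests a client certificate only under
# /secure (redoing the handshake mid-session); the second keeps the single
# SSLVerifyClient at VirtualHost level, as the advisory recommends.
WEAK_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient none
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
"""
HARDENED_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
"""
```

A clean result only removes the server's own reasons to renegotiate; client-initiated renegotiation is still accepted until the OpenSSL upgrade or the patch above is in place.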

References:

http://www.securityfocus.com/bid/36935
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
https://bugzilla.redhat.com/show_bug.cgi?id=533125
https://bugzilla.mozilla.org/show_bug.cgi?id=526689
http://xforce.iss.net/xforce/xfdb/54158
http://www.vupen.com/english/advisories/2009/3165
http://www.vupen.com/english/advisories/2009/3164
http://www.tombom.co.uk/blog/?p=85
http://www.openwall.com/lists/oss-security/2009/11/07/3
http://www.openwall.com/lists/oss-security/2009/11/06/3
http://www.openwall.com/lists/oss-security/2009/11/05/5
http://www.openwall.com/lists/oss-security/2009/11/05/3
http://www.links.org/?p=780
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
http://www.betanews.com/article/1257452450
http://secunia.com/advisories/37292
http://secunia.com/advisories/37291
http://marc.info/?l=cryptography&m=125752275331877&w=2
http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.html
http://kbase.redhat.com/faq/docs/DOC-20491
http://extendedsubset.com/Renegotiating_TLS.pdf
http://extendedsubset.com/?p=8
http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during

Copyright 2024, cxsecurity.com