
SSL/TLS Renegotiate Vulnerability

Date Issued: Nov. 9/09

Recently a major vulnerability was discovered in the ubiquitous Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which are used to provide confidentiality and peer verification for numerous Internet services including web, email and VPN. The TLS and SSL protocols define a behaviour whereby an established secure session can be renegotiated; this is useful, for example, to upgrade authentication strength mid-session.

An attacker may exploit the vulnerability in a man-in-the-middle attack, as described in the references below. The attacker cannot view the existing session traffic, but can cause the server to act on commands inserted during the renegotiation as though they had been sent by the legitimate client.

Workaround

The suggested workaround is to disable renegotiation in the SSL/TLS server. OpenSSL, a widely used SSL/TLS implementation, has released an update that does this. If a particular application is found to require renegotiation, it can be re-enabled with a command-line switch. The new version is OpenSSL 0.9.8l, available at:

http://www.openssl.org/source/

With this workaround, client software does not need to be patched or replaced; the change is applied to servers only. All servers that use SSL v3 and TLS v1 are affected by the vulnerability, and other software that implements SSL/TLS may also be vulnerable.
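The splice described above, and the effect of the workaround, as an added Python model that is not part of this advisory or of OpenSSL: it imitates only the server's HTTP request buffer (no real TLS handshake or records), using a constructed attacker prefix and a constructed victim request. When renegotiation is allowed the victim's cookie ends up attached to the attacker's request line; when the server refuses renegotiation, as OpenSSL 0.9.8l does by default, no request is processed at all.

```python
# Added toy model (not the advisory's code): only an HTTPS server's
# application-data buffer is modelled; no real TLS records are produced.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServerModel:
    allow_renegotiation: bool  # False models the OpenSSL 0.9.8l default
    buffer: bytes = b""
    closed: bool = False

    def receive(self, data: bytes) -> None:
        if not self.closed:
            self.buffer += data

    def renegotiate(self) -> bool:
        # Vulnerable behaviour: bytes buffered before the new handshake are
        # kept, and bytes arriving after it are appended, so the HTTP layer
        # sees one contiguous request from what it believes is a single peer.
        if not self.allow_renegotiation:
            self.closed = True  # workaround: refuse and drop the connection
            return False
        return True

    def first_request(self) -> Optional[dict]:
        """Parse the request line and headers of the first buffered request."""
        head, sep, _ = self.buffer.partition(b"\r\n\r\n")
        if not sep:
            return None
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b": ")
            headers[name.decode()] = value.decode()
        return {"request_line": lines[0].decode(), "headers": headers}


def splice_scenario(allow_renegotiation: bool) -> Optional[dict]:
    """Constructed exchange: an unterminated header line is sent, then a
    renegotiation; the victim's own request lands inside that header."""
    server = ServerModel(allow_renegotiation)
    attacker_prefix = b"GET /admin/action HTTP/1.1\r\nX-Ignore: "
    victim_request = (b"GET /index.html HTTP/1.1\r\n"
                      b"Cookie: session=constructed-victim-cookie\r\n\r\n")
    server.receive(attacker_prefix)
    if server.renegotiate():
        server.receive(victim_request)
    return server.first_request()
```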

Recommendation

Test the new OpenSSL version in a web QA environment before considering deployment to production. Monitor this and other security information sites for updates.

More Information

http://isc.sans.org/diary.html?date=2009-11-06

http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

©2011 - University of Toronto Information + Technology Services. All Rights Reserved.