sunhux
asked on
Urgent SSL / TLS vulnerabilities
Q1:
How do I verify if our Windows 2000/2003/2008/2008 R2 are
affected by the 2 vulnerabilities listed below? The 2 vulnerabilities
notes below just say "Contact the related vendor" which I guess in
our case is Microsoft but we don't have MS support party to contact.
Q2:
Where to obtain the required patches/fixes for the 2 vulnerabilities below
(if we're running MS Win2000/2003/2008/2008R2 & IIS with https) ?
Pls provide exact URL.
Q3:
What's the impact on our existing SSL if we apply the recommended patches?
Q4:
How do I verify that our servers are using TLSv1 / SSLv3 ?
Q5:
What does CVSS & CVE stands for? What does the CVSS score tells us?
Item 1
The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several
times more work. Since the remote host does not appear to limit the number of
renegotiations for a single TLS / SSL connection, this permits a client to open several
simultaneous connections and repeatedly renegotiate them, possibly leading to a
denial of service condition.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution
Contact the vendor for specific patch information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:N/
References
---------------
BID 48626
CVE CVE-2011-1473
XREF OSVDB:73894 Plugin Information:
Publication date: 2011/05/04, Modification date: 2012/11/15
The remote host is vulnerable to renegotiation DoS over TLSv1 / SSLv3.
Ports
tcp/80 , 443/tcp
53491 - SSL / TLS Renegotiation DoS
==========================
Item 2
42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis
24
The remote service allows insecure renegotiation of TLS / SSL connections.
Description
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746
Solution
Contact the vendor for specific patch information.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/
CVSS Temporal Score
2.1 (CVSS2#AV:N/AC:H/Au:N/C:N/
References
BID 36935
CVE CVE-2009-3555 XREF OSVDB:59968 XREF OSVDB:59969 XREF OSVDB:59970 XREF OSVDB:59971 XREF OSVDB:59972 XREF OSVDB:59973 XREF OSVDB:
How do I verify if our Windows 2000/2003/2008/2008 R2 are
affected by the 2 vulnerabilities listed below? The 2 vulnerabilities
notes below just say "Contact the related vendor" which I guess in
our case is Microsoft but we don't have MS support party to contact.
Q2:
Where to obtain the required patches/fixes for the 2 vulnerabilities below
(if we're running MS Win2000/2003/2008/2008R2 & IIS with https) ?
Pls provide exact URL.
Q3:
What's the impact on our existing SSL if we apply the recommended patches?
Q4:
How do I verify that our servers are using TLSv1 / SSLv3 ?
Q5:
What does CVSS & CVE stands for? What does the CVSS score tells us?
Item 1
The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several
times more work. Since the remote host does not appear to limit the number of
renegotiations for a single TLS / SSL connection, this permits a client to open several
simultaneous connections and repeatedly renegotiate them, possibly leading to a
denial of service condition.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution
Contact the vendor for specific patch information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:N/
References
---------------
BID 48626
CVE CVE-2011-1473
XREF OSVDB:73894 Plugin Information:
Publication date: 2011/05/04, Modification date: 2012/11/15
The remote host is vulnerable to renegotiation DoS over TLSv1 / SSLv3.
Ports
tcp/80 , 443/tcp
53491 - SSL / TLS Renegotiation DoS
==========================
Item 2
42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis
24
The remote service allows insecure renegotiation of TLS / SSL connections.
Description
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746
Solution
Contact the vendor for specific patch information.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/
CVSS Temporal Score
2.1 (CVSS2#AV:N/AC:H/Au:N/C:N/
References
BID 36935
CVE CVE-2009-3555 XREF OSVDB:59968 XREF OSVDB:59969 XREF OSVDB:59970 XREF OSVDB:59971 XREF OSVDB:59972 XREF OSVDB:59973 XREF OSVDB:
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The easiest tool is IIS Crypto, verify with Qualys SSL Server Test or SSLScan.
See attached SSL/TLS Deployment Best Practices.
SSL-TLS-Deployment-Best-Practice.pdf
sslscan --no-failed example.comSee attached SSL/TLS Deployment Best Practices.
SSL-TLS-Deployment-Best-Practice.pdf
ASKER
a) ASP.Net & .Net Framework
b) MS HL7
c) Biztalk
d) MS SQL2000, SQL2008, SQL2005
e) MS Windows print services
f) Sharepoint
Let me know if the above apps are affected by the
2 vulnerabilities as well. Thanks