Solved

Urgent SSL / TLS vulnerabilities

Posted on 2013-11-01
Last Modified: 2013-11-11
Q1:
How do I verify if our Windows 2000/2003/2008/2008 R2 are
affected by the 2 vulnerabilities listed below?  The 2 vulnerability
notes below just say "Contact the related vendor", which I guess in
our case is Microsoft, but we don't have MS support party to contact.


Q2:
Where to obtain the required patches/fixes for the 2 vulnerabilities below
(if we're running MS Win2000/2003/2008/2008R2 & IIS with https) ?
Pls provide exact URL.

Q3:
What's the impact on our existing SSL if we apply the recommended patches?

Q4:
How do I verify that our servers are using TLSv1 / SSLv3 ?

Q5:
What do CVSS & CVE stand for?  What does the CVSS score tell us?

Item 1
53491 - SSL / TLS Renegotiation DoS

The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several
times more work. Since the remote host does not appear to limit the number of
renegotiations for a single TLS / SSL connection, this permits a client to open several
simultaneous connections and repeatedly renegotiate them, possibly leading to a
denial of service condition.

See Also
http://www.ietf.org/mail-archive/web/tls/current/msg07553.html

Solution
Contact the vendor for specific patch information.

Risk Factor
Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References
---------------
BID 48626
CVE CVE-2011-1473
XREF OSVDB:73894

Plugin Information:

Publication date: 2011/05/04, Modification date: 2012/11/15

The remote host is vulnerable to renegotiation DoS over TLSv1 / SSLv3.

Ports
tcp/80, 443/tcp

=================================================================

Item 2
42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
 
Synopsis

The remote service allows insecure renegotiation of TLS / SSL connections.

Description
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.

See Also

http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746

Solution
Contact the vendor for specific patch information.

Risk Factor
Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

2.1 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)

References

BID 36935
CVE CVE-2009-3555
XREF OSVDB:59968
XREF OSVDB:59969
XREF OSVDB:59970
XREF OSVDB:59971
XREF OSVDB:59972
XREF OSVDB:59973
XREF OSVDB:
Question by:sunhux
 

Author Comment

by:sunhux
ID: 39616276
Besides IIS, the other apps that we run are:
a) ASP.Net  & .Net Framework
b) MS HL7
c) Biztalk
d) MS SQL2000, SQL2008, SQL2005
e) MS Windows print services
f)  Sharepoint

Let me know if the above apps are affected by the
2 vulnerabilities as well. Thanks
 
LVL 78

Assisted Solution

by:arnold
arnold earned 200 total points
ID: 39618062
There are registry changes that can be made that will restrict which encryption options are available:
http://support.microsoft.com/kb/245030

There will be no effect on your existing SSL. The issue deals with fewer options offered and accepted by your system to visitors.
Most current browsers support all the possible options.
 
LVL 64

Accepted Solution

by:btan
btan earned 300 total points
ID: 39618502
Quick one - CVE (common vulnerability enumeration) states an ID for the vulnerability announced publicly, and CVSS states the severity of this threat based on various factors such as confidentiality/integrity/availability, and other environmental/time-based ones.

They are very well recognised standards to categorise vulnerabilities, and most vulnerability scanners use them to reflect in the scan report.

Specific to the revealed CVEs (in your case), below are the cvedetails links, which also state the affected versions. As a whole, it pertains to the SSL/TLS renegotiation vulnerability, which is found in the OpenSSL library and the Windows SSL/TLS stack used.

As a whole, it is due to the SSL and TLS Authentication Gap vulnerability.

More info - http://blog.ivanristic.com/2009/11/ssl-and-tls-authentication-gap-vulnerability-discovered.html

A serious vulnerability has been discovered in the way web servers utilise SSL (and TLS, up to the most recent version, 1.2), effectively allowing an active man-in-the-middle attacker to inject arbitrary content into an encrypted data stream. Both the Apache web server and the IIS have been found to be vulnerable.

The problem is with the renegotiation feature, which allows one part of an encrypted connection (the one taking place before renegotiation) to be controlled by one party with the other part (the one taking place after renegotiation) to be controlled by another.


It is not totally resolved, hence it is recommended to disable it; the issue may pertain to the protocol, which needs to be better enhanced, and a patch cannot suffice.

a) CVE-2011-1473 which is OpenSSL vulnerability
http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2011-1473

b) CVE-2009-3555 which is SSL/TLS renegotiation vulnerability
http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2009-3555
> Microsoft released a security bulletin in which you can drill into the Vulnerability Information (based on the CVE) and the affected versions. The Microsoft Baseline Security Analyzer should be able to check if this bulletin is installed on the machine.

@ http://technet.microsoft.com/en-us/security/bulletin/MS10-049
 
LVL 64

Assisted Solution

by:btan
btan earned 300 total points
ID: 39618507
Another MS blog that tabulates the versions of SSL/TLS available in the various OSes. Note that SSL/TLS has a couple of vulnerabilities.

http://blogs.msdn.com/b/kaushal/archive/2011/10/02/10218922.aspx
http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39640811
The easiest tool is IIS Crypto, verify with Qualys SSL Server Test or SSLScan.

sslscan --no-failed example.com



See attached SSL/TLS Deployment Best Practices.
SSL-TLS-Deployment-Best-Practice.pdf