Microsoft Windows SSL/TLS Protocol Flaw Lets Remote Users Decrypt Sessions
|
|
SecurityTracker Alert ID: 1026103 |
|
SecurityTracker URL: http://securitytracker.com/id/1026103
|
|
CVE Reference:
CVE-2011-3389
|
Date: Sep 27 2011
|
Impact:
Disclosure of user information, Modification of user information
|
Vendor Confirmed: Yes
Exploit Included: Yes
|
Version(s): XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1; and prior service packs
|
Description:
A vulnerability was reported in the Windows SSL/TLS stack. A remote user can decrypt SSL/TLS sessions in certain cases.
A remote user with the ability to conduct a man-in-the-middle attack on an HTTPS connection can decrypt SSL/TLS sessions.
The vulnerability resides in the SSL 3.0 and TLS 1.0 specifications when using a Cipher-Block Chaining (CBC) based cryptographic algorithm.
The TLS 1.1 and 1.2 protocols are not affected.
Thai Duong and Juliano Rizzo reported this vulnerability.
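A defensive check for the condition described above, as an added example that is not part of the original advisory: it flags logged sessions that negotiated SSL 3.0 or TLS 1.0 together with a CBC cipher suite. The key=value log format, the sample lines and the function names are assumptions made for illustration.

```python
import re

# Protocol versions the advisory names as affected (TLS 1.1 and 1.2 are not).
AFFECTED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}

# Block ciphers that run in CBC mode in SSL 3.0 / TLS 1.0 suites. OpenSSL-style
# names (e.g. "AES128-SHA") omit the mode, so the cipher itself is matched.
BLOCK_CIPHER = re.compile(r"AES|3DES|DES|CAMELLIA|SEED|IDEA|RC2")
# Stream, AEAD or null constructions that do not use CBC chaining.
NON_CBC = re.compile(r"RC4|GCM|CCM|CHACHA20|NULL")


def uses_cbc(suite: str) -> bool:
    """True if the cipher suite name denotes a CBC-mode block cipher."""
    name = suite.upper()
    if "CBC" in name:  # IANA-style names state the mode explicitly
        return True
    if NON_CBC.search(name):
        return False
    return bool(BLOCK_CIPHER.search(name))


def exposed_sessions(log_lines):
    """Return (client, protocol, cipher) for sessions in the affected condition."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        proto, cipher = fields.get("proto"), fields.get("cipher")
        if not proto or not cipher:
            continue  # malformed line: skip rather than guess
        if proto in AFFECTED_PROTOCOLS and uses_cbc(cipher):
            hits.append((fields.get("client", "?"), proto, cipher))
    return hits


# Constructed sample lines in a hypothetical key=value handshake log format.
SAMPLE = [
    "client=192.0.2.10 proto=TLSv1 cipher=AES128-SHA",
    "client=192.0.2.11 proto=TLSv1 cipher=RC4-SHA",
    "client=192.0.2.12 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256",
    "client=192.0.2.13 proto=SSLv3 cipher=TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "client=192.0.2.14 proto=TLSv1.1 cipher=AES256-SHA",
    "client=192.0.2.15 proto=TLSv1",
]

if __name__ == "__main__":
    for client, proto, cipher in exposed_sessions(SAMPLE):
        print(f"{client}: {proto} with CBC suite {cipher}")
```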
|
Impact:
A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions.
|
Solution:
No solution was available at the time of this entry.
The vendor is working on a fix.
The vendor's advisory is available at:
http://technet.microsoft.com/en-us/security/advisory/2588513
|
Vendor URL: technet.microsoft.com/en-us/security/advisory/2588513
|
Cause:
Access control error
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 26 Sep 2011 23:54:26 +0000
Subject: SSL / TLS
|
CVE-2011-3389
SSL 3.0 and TLS 1.0 CBC
|
|