SSL/TLS Protocol Vulnerability
Last Update Date:
3 Oct 2011
Release Date:
30 Sep 2011
7019
Views
RISK: Medium Risk
TYPE: Attacks - Other
A vulnerability has idenitied in SSL/TLS using Cypher Block Chaining (CBC), which can be exploited by malicious people to conduct Man-in-the-middle attack to decrypt encrypted SSL/TLS traffic and obtain sensitive information.
A proof of concept attack had released.
Impact
- Information Disclosure
System / Technologies affected
- Any Internet software and network devices using the cipher suites of SSL v3.0/TLS v1.0 with CBC mode.
Solutions
- For General user
- Use web browsers which do not affected by this vulnerability, e.g. Firefox, Google Chrome v14 or above, Opera v11.51 or above
- Enable support for TLS v1.1 and/or TLS v1.2 in the web browsers
- For IT Administrator
- Disable those ciphers utilise Cypher Block Chaining (CBC)
- Enable support for TLS v1.1 in server software/network device
- Prioritize the use of the RC4 algorithm over block ciphers in server software
Remark: Please test the setting before apply it.
Vulnerability Identifier
Source
Related Link
- http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
- http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
- http://secunia.com/advisories/45791/
- http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
- http://technet.microsoft.com/en-us/security/advisory/2588513
- http://www.kb.cert.org/vuls/id/864643
Share with