CVE-2009-3555

Published: 9 November 2009

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Notes

Author: jdstrand
Fixing this issue requires coordination between the IETF, SSL
libraries (eg OpenSSL and GnuTLS) and TLS consumers (notably HTTPS servers,
but most (or all) servers using TLS which support TLS renegotiation).
Protocol-breaking changes are among the possibilities being
discussed.
The following is based on http://extendedsubset.com/Renegotiating_TLS.pdf
and http://extendedsubset.com/Renegotiating_TLS_pd.pdf. You are encouraged to
read this document as well as the email thread on ietf-tls for complete
information and most up-to-date status (see References).
There are essentially 3 types of renegotiation scenarios known at this time
to be vulnerable, and they all require a man-in-the-middle (MITM) attack:
1. Client certificate authentication: servers configured to require client
certificate authentication on a per-directory basis. Apache is known
to be vulnerable when using this configuration. There is no generally
usable mitigation strategy known at this time.
2. Differing server cryptographic requirements: servers configured to
support different cipher suites within the same site. One mitigation
strategy is to require all content on a site to use a single cipher
suite. Disallowing specification of TLS parameters in .htaccess files
(generally modifiable by end users) may also be a good idea.
3. Client-initiated renegotiation: servers configured for TLS. Apache is
known to be vulnerable when using TLS and the client initiates a
renegotiation. There is no generally usable mitigation strategy known at
this time.
The flaw should not allow the attacker to see the contents of the connection,
and a client cannot be redirected to another site. For the HTTPS scenarios
listed above, the attacker is able to perform arbitrary requests with the
credentials of the victim. Arbitrary POST requests may also be possible.
Analysis on the effects of this flaw for other protocols is ongoing.
Until a general fix can be found for Ubuntu, users may be interested in
reading http://www.links.org/?p=780, which has a patch to OpenSSL to disable
all renegotiation.
Update for apache2 disabled client initiated renegotiations. This
won't fix per-Directory/Location configurations.
Author: mdeslaur
openssl 0.9.8l disabled renegotiations completely, with a compile
time option to turn it back on. This may break connections to servers that
haven't been patched. openssl 0.9.8m adds an option that applications can
use to turn it back on:
http://groups.google.com/group/mailing.openssl.cvs/browse_thread/thread/8d8add96fa471695
Turning renegotiation off completely may break postgresql, openvpn
alpine, psi, fetchmail, etc.
http://www.mail-archive.com/openssl-dev@openssl.org/msg26800.html
Author: jdstrand
NSS 3.12.6 has support for the new renegotiation extension for TLS
to implement rfc5746. NSS clients advertise their support for this
extension and if the server also supports it, will be protected from this
vulnerability. To maintain compatibility, NSS in Ubuntu will for the
foreseeable future use the so-called 'transitional' mode which will fall back
to the unprotected renegotiation method if the server doesn't support the
new extension.
NSS was fixed in Ubuntu 9.10 because the new Firefox required it.
Because Firefox needs changes to take advantage of the new NSS, once Ubuntu
8.04 LTS - 9.04 are updated to use an embedded NSS (and therefore won't use
the system NSS), we can update the system NSS for these releases.
When upgrading the system NSS on Ubuntu 8.04 LTS - 9.04, be careful
about https://launchpad.net/bugs/559881 and https://launchpad.net/bugs/559918
(regressions seen with the 9.10 update).
postgresql 8.1.20, 8.3.10 and 8.4.3 now have ssl_renegotiation_limit
to control session key renegotiation
preliminary GNUtls patches at (in 2.9.10 development release):
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3944
http://git.savannah.gnu.org/gitweb/?p=gnutls.git&a=search&h=HEAD&st=commit&s=renegotiation
Author: mdeslaur
jetty 6.1.22 has a CVE-2009-3555 fix: "Prevent SSL renegotiate
for SSL vulnerability"
Author: jdstrand
RedHat RHSA-2010:0396-01 adds the "SSLInsecureRenegotiation"
configuration directive to apache
Author: mdeslaur
gnutls doesn't have an API for renegotiations, so ignoring.
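The notes above describe the RFC 5746 fix: a client advertises secure renegotiation and a patched server answers with the renegotiation_info extension. The probe below is an added example, not code from the Ubuntu tracker or any project it lists; it sends a minimal ClientHello carrying both the SCSV and the extension and reports whether the server echoes renegotiation_info. It assumes a TLS 1.0 to 1.2 server that still offers RSA key exchange; an alert (for instance from a TLS 1.3-only server) raises ValueError, and the SAMPLE_SERVER_HELLO bytes are constructed, not captured.

```python
import socket
import struct

RENEG_INFO_EXT = 0xFF01  # RFC 5746 renegotiation_info extension type
RENEG_SCSV = 0x00FF      # TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling cipher suite

def build_client_hello(host):
    """Minimal ClientHello (record v1.0, hello v1.2, RSA key exchange only) that
    signals RFC 5746 support both ways: the SCSV plus an empty renegotiation_info."""
    suites = struct.pack("!HHHH", 0x002F, 0x0035, 0x000A, RENEG_SCSV)
    name = host.encode()
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    exts = sni + struct.pack("!HHB", RENEG_INFO_EXT, 1, 0)  # renegotiated_connection = ""
    body = (b"\x03\x03" + bytes(32) + b"\x00"                      # version, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def server_hello_extensions(record):
    """Return the set of extension types in the ServerHello that starts a TLS
    handshake record; raise ValueError for alerts or anything else."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    pos = 38 + 1 + hs[38]         # past handshake header, version, random, session id
    pos += 2 + 1                  # cipher suite, compression method
    if pos + 2 > len(hs):
        return set()              # pre-extension server: no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    types = set()
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        types.add(etype)
        pos += 4 + elen
    return types

def supports_secure_renegotiation(host, port=443, timeout=5):
    """True when the server answers with renegotiation_info, i.e. implements RFC 5746."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_client_hello(host))
        data = s.recv(16384)      # the ServerHello sits at the start of the first record
    return RENEG_INFO_EXT in server_hello_extensions(data)

# Constructed sample (not captured traffic): a ServerHello whose only extension is an
# empty renegotiation_info, as an RFC 5746 server sends on an initial handshake.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x03\x00\x31\x02\x00\x00\x2d\x03\x03" + bytes(32)
                       + b"\x00\x00\x2f\x00\x00\x05\xff\x01\x00\x01\x00")
```

A server that replies without renegotiation_info is in the unprotected state the notes describe; with NSS's transitional mode the client then falls back to legacy renegotiation rather than failing.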

Priority

Medium

Status

Package    Release    Status

apache2 (Launchpad, Ubuntu, Debian)
  dapper     Released (2.0.55-4ubuntu2.9)
  hardy      Released (2.2.8-1ubuntu0.14)
  intrepid   Released (2.2.9-7ubuntu3.5)
  jaunty     Released (2.2.11-2ubuntu2.5)
  karmic     Released (2.2.12-1ubuntu2.1)
  lucid      Released (2.2.14-2ubuntu1)
  upstream   Released (2.2.14-2)
  Patches:
    vendor: http://www.mandriva.com/en/security/advisories?name=MDVSA-2009:295
    vendor: https://rhn.redhat.com/errata/RHSA-2010-0396.html

gnutls12 (Launchpad, Ubuntu, Debian)
  dapper     Ignored
  hardy      Does not exist
  intrepid   Does not exist
  jaunty     Does not exist
  karmic     Does not exist
  lucid      Does not exist
  upstream   Needed
  Patches:
    vendor: https://rhn.redhat.com/errata/RHSA-2010-0166.html

gnutls13 (Launchpad, Ubuntu, Debian)
  dapper     Does not exist
  hardy      Ignored
  intrepid   Does not exist
  jaunty     Does not exist
  karmic     Does not exist
  lucid      Does not exist
  upstream   Needed

gnutls26 (Launchpad, Ubuntu, Debian)
  dapper     Does not exist
  hardy      Does not exist
  intrepid   Ignored (end of life, was needed)
  jaunty     Ignored
  karmic     Ignored
  lucid      Ignored
  upstream   Released (2.10.0)

libapache-mod-ssl (Launchpad, Ubuntu, Debian)
  dapper     Ignored (end of life)
  hardy      Does not exist
  intrepid   Does not exist
  jaunty     Does not exist
  karmic     Does not exist
  lucid      Does not exist
  upstream   Needs triage

nss (Launchpad, Ubuntu, Debian)
  dapper     Does not exist
  hardy      Released (3.12.6-0ubuntu0.8.04.1)
  intrepid   Ignored (end of life, was needed)
  jaunty     Released (3.12.6-0ubuntu0.9.04.1)
  karmic     Released (3.12.6-0ubuntu0.9.10.1)
  lucid      Released (3.12.6-0ubuntu2)
  upstream   Released (3.12.6)

openjdk-6 (Launchpad, Ubuntu, Debian)
  dapper     Does not exist
  hardy      Released (6b11-2ubuntu2.2)
  intrepid   Released (6b12-0ubuntu6.7)
  jaunty     Released (6b14-1.4.1-0ubuntu13)
  karmic     Released (6b16-1.6.1-3ubuntu3)
  lucid      Not vulnerable (6b18~pre4-0ubuntu1)
  upstream   Released (6b18~pre4-1)

openjdk-6b18 (Launchpad, Ubuntu, Debian)
  dapper     Does not exist
  hardy      Does not exist
  intrepid   Does not exist
  karmic     Not vulnerable (6b18-1.8.4-0ubuntu1~9.10.1)
  lucid      Not vulnerable (6b18-1.8.3-0ubuntu1~10.04.1)
  maverick   Released (6b18-1.8.2-4ubuntu1)
  upstream   Released (6b22)

openssl (Launchpad, Ubuntu, Debian)
  dapper     Released (0.9.8a-7ubuntu0.12)
  hardy      Released (0.9.8g-4ubuntu3.10)
  intrepid   Ignored (end of life, was needed)
  jaunty     Released (0.9.8g-15ubuntu3.5)
  karmic     Released (0.9.8g-16ubuntu3.2)
  lucid      Released (0.9.8k-7ubuntu8.1)
  upstream   Released (0.9.8m)

sun-java6 (Launchpad, Ubuntu, Debian)
  dapper     Does not exist
  hardy      Released (6.22-0ubuntu1~9.04.1)
  jaunty     Released (6.22-0ubuntu1~9.04.1)
  karmic     Released (6.22-0ubuntu1~9.10.1)
  lucid      Released (6.22-0ubuntu1~10.04)
  maverick   Released (6.22-0ubuntu1~10.10)
  upstream   Released (6.22)

References

Bugs