Vulnerability Note VU#864643
SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes
A vulnerability in the specification of the SSL 3.0 and TLS 1.0 protocols could allow an attacker to decrypt encrypted traffic.
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network application protocols such as HTTP, IMAP, POP3, LDAP, SMTP, and others. Several different versions of the SSL and TLS protocols have been standardized and are in widespread use. These protocols support the use of both block-based and stream-based ciphers.
A vulnerability in the way the SSL 3.0 and TLS 1.0 protocols select the initialization vector (IV) when operating in cipher-block chaining (CBC) modes allows an attacker to perform a chosen-plaintext attack on encrypted traffic. This vulnerability has been addressed in the specification for the TLS 1.1 and TLS 1.2 protocols.
An attacker with the ability to pose as a man-in-the-middle and to generate specially-crafted plaintext input could decrypt the contents of an SSL- or TLS-encrypted session. This could allow the attacker to recover potentially sensitive information (e.g., HTTP authentication cookies).
We are currently unaware of a practical solution to this problem.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Affected||-||27 Sep 2011|
|Microsoft Corporation||Affected||-||27 Sep 2011|
|Mozilla||Affected||-||28 Sep 2011|
|Opera||Affected||-||08 Dec 2011|
|Apple Inc.||Unknown||-||27 Sep 2011|
|GnuTLS||Unknown||-||27 Sep 2011|
|OpenSSL||Unknown||-||27 Sep 2011|
CVSS Metrics (Learn More)
Thanks to Thái Duong working with Matasano and Juliano Rizzo of Netifera for reporting the practical attack against this vulnerability. Wei Dai and Bodo Möller identified the underlying flaw in the context of SSL and TLS.
This document was written by Chad R Dougherty.
- CVE IDs: CVE-2011-3389
- Date Public: 08 Feb 2002
- Date First Published: 27 Sep 2011
- Date Last Updated: 08 Dec 2011
- Severity Metric: 3.37
- Document Revision: 36
If you have feedback, comments, or additional information about this vulnerability, please send us email.