SA44 : TLS/SSLv3 renegotiation (CVE-2009-3555)
SUMMARY
TLS and SSLv3 are vulnerable to a man-in-the-middle attack. This vulnerability is due to a design flaw in the cipher suite renegotiation capability of the protocol, not to a particular implementation defect. The vulnerability allows an attacker to insert his own traffic into the beginning of the client’s application protocol stream.
In order to fully protect against this threat, clients as well as origin content servers must be updated to support secure TLS renegotiation as defined in RFC 5746.
Blue Coat Systems is fixing this vulnerability across all currently supported product lines by implementing RFC 5746 to allow, but not require, secure renegotiation.
AFFECTED PRODUCTS
The following products are vulnerable.
Director
All versions of Director prior to 5.5.2.3 are vulnerable.
Secure renegotiation support is provided in the following releases. By default, secure renegotiation is required. A CLI option to support but not require secure renegotiation is available.
Director 5.5 - an interim fix is available in 5.5.2.3.
Director 5.4 and earlier - please upgrade to a later version.
IntelligenceCenter
All versions of Intelligence Center prior to 3.1.1.1 are vulnerable.
Secure renegotiation support is provided in the following releases. Clients that support secure renegotiation will be allowed to renegotiate a session key. Clients that do not support secure renegotiation can establish an SSL/TLS session but cannot perform legacy renegotiations.
IntelligenceCenter 3.1 - a fix is available in 3.1.1.1.
IntelligenceCenter 2.1 and earlier - please upgrade to a later version.
PacketShaper
All versions of PacketShaper prior to 8.5.5 are vulnerable. All versions of PacketShaper 8.6 are vulnerable. All versions of 8.7 are not vulnerable.
Management connections to PacketShaper and connections from PacketShaper to LDAP configuration servers are vulnerable to an attack.
Traffic passing through PacketShaper for classification and shaping cannot be affected since PacketShaper does not serve as a TLS/SSL endpoint. Compression and acceleration tunnels do not use SSL so are not affected.
Secure renegotiation support is provided in the following releases. A CLI option to require secure renegotiation is available. Secure renegotiation is disabled by default.
PacketWise 8.7 - a fix is available in 8.7.1.
PacketWise 8.6 - please upgrade to a later version.
PacketWise 8.5 - a fix is available in 8.5.5.
ProxyAV
All versions of ProxyAV prior to 3.4.1.1 are vulnerable.
Secure renegotiation support is provided in the following releases. Clients that support secure renegotiation will be allowed to renegotiate a session key by default. An option is provided in the Management Console to allow clients that do not support secure renegotiation to access ProxyAV.
ProxyAV 3.4 - a fix is available in 3.4.1.1.
ProxyAV 3.3 - a fix is available in 3.3.1.1.
ProxyAV 3.2 and earlier - please upgrade to a later version.
ProxySG
All versions of ProxySG prior to 6.1 are vulnerable.
ProxySG uses TLS/SSL to accelerate and control traffic, for management and configuration operations, to interact with other Blue Coat products, and to interact with third-party and other Blue Coat servers. All TLS/SSL connections are vulnerable to an attack. ProxySG cannot protect against an attack.
Secure renegotiation support is provided in the following releases. A CLI option to require secure renegotiation is available and is disabled by default. To enable the option, set the ssl command option force-secure-renegotiation to enable .
ProxySG 6.1 - a fix is available in SGOS 6.1.1.1 or later.
ProxySG 5.5 - a fix is available in SGOS 5.5.4.1.
ProxySG 5.4 - a fix is available in SGOS 5.4.5.1 or later. If you are intercepting SSL, Blue Coat recommends that you upgrade to SGOS 5.4.6.1.
ProxySG 5.3 - please upgrade to a later version.
ProxySG 4.3 - a fix is available in SGOS 4.3.4.1.
Reporter
All versions of Reporter prior to 9.2.4.1 are vulnerable.
Blue Coat recommends that Reporter be deployed behind the firewall. Given this typical deployment, the CVSS v2 base score is 4.8 (AV:A/AC:L/Au:N/C:N/I:P/A:P).
Secure renegotiation support is provided in the following releases. The 9.2 releases do not provide an option to require secure renegotiation. The 9.3 and later releases provide an option to force secure renegotiation.
Reporter 9.3 - a fix is available in 9.3.1.1 and later.
Reporter 9.2 -a fix is available in 9.2.4.1.
Reporter 8.3 and earlier - please upgrade to a later version.
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable to attack because they use SSL/TLS libraries that are provided by the platform. Blue Coat recommends that customers update the underlying operating systems for these products.
ProxyClient
The Proxy Client uses the on-platform TLS/SSL libraries provided by Microsoft. It only establishes a TLS/SSL connection to ProxySG to download new files and configuration and to upload monitoring information. If the connection to ProxySG is targeted, the attacker is limited to injecting malformed or misleading monitoring information.
K9
K9 uses the on-platform TLS/SSL libraries provided by Microsoft.
The following Blue Coat services do not support secure renegotiation at the current time:
- license download
- secure heartbeat
- appliance birth certificate issuance
The following Blue Coat services now support secure renegotiation:
- BCWF download
- image downloads
Secure connections between Blue Coat products will fail unless both products are updated to support secure renegotiation. For example, a secure ICAP connection between ProxySG and ProxyAV will fail unless both products are updated.
Secure connections with third-party servers will fail unless the third party server has been updated to support secure renegotiation. For example, uploading access logs via HTTPS to an Apache or IIS server that has not been updated will fail.
ISSUES
The TLS protocol and SSLv3 protocols do not properly associate renegotiation handshakes with an existing connection. This allows an attacker to insert content of his choice at the beginning of the client’s interaction with the server. The attacker will not be able to read the traffic between the client and server.
Initial exploits of this vulnerability have focused on the HTTP protocol. Other protocols that use TLS/SSLv3 are vulnerable as well.
The IETF TLS working group has published RFC 5746 that specifies enhancements to the protocol to support secure renegotiation. Blue Coat Systems is implementing the RFC across affected product lines.
By default, products will support secure renegotiation, but will not require it. This allows Blue Coat products to preserve backward compatibility with servers and clients that do not support secure renegotiation.
Options are available for each product to require secure renegotiation, thereby providing full protection against attacks that exploit this vulnerability. However, requiring secure renegotiation will cause SSL/TLS connections to clients and/or servers that do not support secure renegotiation to fail.
REFERENCES
National Vulnerability Database information: https://nvd.nist.gov/vuln/detail/CVE-2009-3555
RFC 5746: http://www.rfc-editor.org/rfc/rfc5746.txt
REVISION
2015-01-20 Marked as final
2012-12-20 Added fix for ProxyAV 3.3
2012-01-31 Update on PacketWise.
2012-01-18 Update on PacketWise.
2012-01-17 Change to indicate Reporter 9.3.1.1 or later has the option to require secure renegotiation.
2012-01-12 Notificaiton of option in Reporter to force secure renegotiation. Added additional OS search strings.
2012-01-11 Notification of a fix in ProxyAV.
2012-01-10 Notification of a fix in IntelligenceCenter.
2011-09-13 Notification of a Director 5.5 patch release. Minor update for Reporter versions that are vulnerable.
2011-02-04 Notification of SGOS fix in SGOS 5.5.4.1 and SGOS 4.3.4.1. Changed SGOS 5.4.x recommended version fix to SGOS 5.4.6.1. Notification of Reporter fix in 9.2.4.1.
2010-11-01 Notification of ProxySG fix in 5.5.3.5 patch release.
2010-10-27 Notification of ProxySG version 5.4.5.1 patch release being promoted to GA release. Notification that the BCWF download and image download services now support secure renegotiation.
2010-10-15 Notification of ProxySG fix in 5.4.5.1 patch release.
2010-10-01 Additional details added. Notificaiton of ProxySG fix in 6.1.1.1.
2010-05-20 Clarification on the need to patch clients and origin content servers
2010-02-23 Initial public release