
CVE-2011-3389

Date: (C)2011-09-06   (M)2017-09-22
 
CVSS Score: 4.3
Exploitability Subscore: 8.6
Impact Subscore: 2.9
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE











The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Reference:
SECTRACK-1025997
SECTRACK-1026103
SECTRACK-1029190
http://seclists.org/fulldisclosure/2015/Apr/5
SECUNIA-45791
SECUNIA-48692
SECUNIA-48915
SECUNIA-48948
SECUNIA-49198
BID-49388
BID-49778
SECUNIA-55322
SECUNIA-55350
SECUNIA-55351
OSVDB-74829
APPLE-SA-2011-10-12-1
APPLE-SA-2011-10-12-2
APPLE-SA-2012-02-01-1
APPLE-SA-2012-05-09-1
APPLE-SA-2012-07-25-2
APPLE-SA-2012-09-19-2
APPLE-SA-2013-10-22-3
GLSA-201406-32
HPSBMU02742
HPSBMU02900
HPSBUX02730
IAVM:2012-A-0048
IAVM:2012-A-0152
IAVM:2012-B-0006
IAVM:2013-A-0199
IAVM:2013-B-0075
IAVM:2014-A-0030
MS12-006
RHSA-2011:1384
RHSA-2012:0006
RHSA-2013:1455
SSRT100710
SSRT100740
SSRT100805
SSRT100854
SSRT100867
SUSE-SU-2012:0114
SUSE-SU-2012:0122
TA12-010A
USN-1263-1
VU#864643
http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
http://downloads.asterisk.org/pub/security/AST-2016-001.html
http://ekoparty.org/2011/juliano-rizzo.php
http://eprint.iacr.org/2004/111
http://eprint.iacr.org/2006/136
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html
http://support.apple.com/kb/HT4999
http://support.apple.com/kb/HT5001
http://support.apple.com/kb/HT5130
http://support.apple.com/kb/HT5281
http://support.apple.com/kb/HT5501
http://support.apple.com/kb/HT6150
http://technet.microsoft.com/security/advisory/2588513
http://vnhacker.blogspot.com/2011/09/beast.html
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
http://www.ibm.com/developerworks/java/jdk/alerts/
http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
http://www.insecure.cl/Beast-SSL.rar
http://www.opera.com/docs/changelogs/mac/1151/
http://www.opera.com/docs/changelogs/mac/1160/
http://www.opera.com/docs/changelogs/unix/1151/
http://www.opera.com/docs/changelogs/unix/1160/
http://www.opera.com/docs/changelogs/windows/1151/
http://www.opera.com/docs/changelogs/windows/1160/
http://www.opera.com/support/kb/view/1004/
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
https://bugzilla.novell.com/show_bug.cgi?id=719047
https://bugzilla.redhat.com/show_bug.cgi?id=737506
openSUSE-SU-2012:0030
openSUSE-SU-2012:0063

CPE    4
cpe:/a:microsoft:ie
cpe:/a:google:chrome
cpe:/o:microsoft:windows
cpe:/a:mozilla:firefox
...
CWE    1
CWE-20
OVAL    70
oval:org.secpod.oval:def:600676
oval:org.secpod.oval:def:102985
oval:org.secpod.oval:def:103115
oval:org.secpod.oval:def:103384
...

© 2013 SecPod Technologies