An OpenSource VooDoo cIRCle - security advisory 20091112-01

Persistent URL of this advisory is available at


In Win32/64 binary releases there are vulnerable OpenSSL DLL files. All users ar encouraged to upgrade to the latest version.


From Secunia's advisory at
A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to manipulate certain data.

The vulnerability is caused due to an error in the TLS protocol while handling session re-negotiations. This can be exploited to insert arbitrary plaintext before data sent by a legitimate client in an existing TLS session via Man-in-the-Middle (MitM) attacks.

Successful exploitation may allow e.g. sending an arbitrary HTTP request under an authenticated context if certificate-based authentication is used by the server.

Fixed in the CVS repository by disabling renegotiation support:

Provided and/or discovered by:
Independently discovered by Marsh Ray, PhoneFactor and Martin Rex.

Original Advisory:
Martin Rex:


OpenSSL project released library version 0.9.8l, which is including fixes in CVS repository, at VooDoo cIRCle version 1.1.38 binary distribution for Windows systems includes builds of OpenSSL version 0.9.8l, thus are not affected by this vulnerability.
All versions prior to 1.1.38 are affected by this security vulnerability. VooDoo cIRCle 1.1.38 binary relases for Win32/64 are not affected by this security vulnerability. Versions using older OpenSSL library, though on any platform, or custom builds, might be vulnerable, that is, both all oficially binary-distributed versions of VooDoo cIRCle prior to 1.1.38, and those linked against vulnerable OpenSSL library are affected by this vulnerability.

Special note

OpenSSL library version 0.9.8l protexts only secure listening server sockets. However, VooDoo cIRCle can act as a client as well, and library leaves secure client sockets uprotected.
See for more informations.
Thanks to Stefan Cornelius, Security Specialist at for notifying me regarding this problem.


There is no known workaround at this time.


Update to the latest version, VooDoo cIRCle 1.1.38, which is not vulnerable.

All Windows users using binary builds are strongly encouraged to download the latest version of VooDoo cIRCle.

Time line

2009-11-06 - Received notification about OpenSSL vulnerability from
2009-11-12 - Release of VooDoo cIRCle 1.1.38, public disclosure - this advisory.


2009-11-12 - Initial revision
2009-11-13 - Updated informations regarding client TLS socket connections: "Special note" section.

Legal notice

Some names used in this document may be registered trademarks of their respective owners.

Get VooDoo cIRCle at Fast, secure and Free Open Source software downloads