An OpenSource VooDoo cIRCle - security advisory 20091112-02

Persistent URL of this advisory is available at


In Win32 binary release of sub-project XTelnet there are vulnerable OpenSSL DLL files. All users ar encouraged to upgrade to the latest version.


From Secunia's advisory at
A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to manipulate certain data.

The vulnerability is caused due to an error in the TLS protocol while handling session re-negotiations. This can be exploited to insert arbitrary plaintext before data sent by a legitimate client in an existing TLS session via Man-in-the-Middle (MitM) attacks.

Successful exploitation may allow e.g. sending an arbitrary HTTP request under an authenticated context if certificate-based authentication is used by the server.

Fixed in the CVS repository by disabling renegotiation support:

Provided and/or discovered by:
Independently discovered by Marsh Ray, PhoneFactor and Martin Rex.

Original Advisory:
Martin Rex:



There is no known workaround at this time.


There is no solution at this time.
See for more informations.
Thanks to Stefan Cornelius, Security Specialist at for notifying me regarding this problem.

All Windows users using binary builds are strongly encouraged to download the latest version of XTelnet.

Time line

2009-11-06 - Received notification about OpenSSL vulnerability from
2009-11-12 - Release of VooDoo cIRCle 1.1.38, public disclosure - this advisory.


2009-11-12 - Initial revision
2009-11-13 - Updated informations regarding client TLS socket connections: "Solution" section.

Legal notice

Some names used in this document may be registered trademarks of their respective owners.

Get VooDoo cIRCle at Fast, secure and Free Open Source software downloads