An OpenSource VooDoo cIRCle - security advisory 20091112-02


Persistent URL of this advisory is available at http://voodoo-circle.sourceforge.net/sa/sa-20091112-02.html

Summary

In the Win32 binary release of the sub-project XTelnet there are vulnerable OpenSSL DLL files. All users are encouraged to upgrade to the latest version.

In-depth

From Secunia's advisory at http://secunia.com/advisories/37291/:
---
Description:
A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to manipulate certain data.

The vulnerability is caused due to an error in the TLS protocol while handling session re-negotiations. This can be exploited to insert arbitrary plaintext before data sent by a legitimate client in an existing TLS session via Man-in-the-Middle (MitM) attacks.

Successful exploitation may allow e.g. sending an arbitrary HTTP request under an authenticated context if certificate-based authentication is used by the server.

Fixed in the CVS repository by disabling renegotiation support:
http://cvs.openssl.org/chngview?cn=18790

Provided and/or discovered by:
Independently discovered by Marsh Ray, PhoneFactor and Martin Rex.

Original Advisory:
Martin Rex:
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html

PhoneFactor:
http://extendedsubset.com/?p=8
---
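The Secunia text above describes the flaw at the protocol level; the defender's question for a client such as XTelnet (or any peer it talks to) is whether a given TLS endpoint is still using legacy renegotiation. The standardized remedy that followed this advisory is RFC 5746, which signals secure renegotiation through the renegotiation_info extension (type 0xff01) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00ff). The following Python script is an added example, not code from VooDoo cIRCle, XTelnet or OpenSSL: it parses a TLS 1.0 ClientHello or ServerHello record and reports whether secure renegotiation was signalled. The handshake bytes at the bottom are constructed samples, not captured traffic.

```python
import struct

RENEGOTIATION_INFO = 0xFF01             # extension type defined in RFC 5746
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite from RFC 5746


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated field at offset %d" % pos)
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _unwrap_handshake(record, expected_type):
    """Strip the 5-byte record header and 4-byte handshake header."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if body[0] != expected_type:
        raise ValueError("unexpected handshake type %#x" % body[0])
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    return hello


def _parse_extensions(hello, pos):
    """Return {extension_type: data}; the extensions block is optional."""
    exts = {}
    if pos == len(hello):
        return exts
    end = pos + 2 + _u16(hello, pos)
    pos += 2
    if end != len(hello):
        raise ValueError("extension length mismatch")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    if pos != end:
        raise ValueError("malformed extension block")
    return exts


def parse_client_hello(record):
    hello = _unwrap_handshake(record, 0x01)
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hello[pos]                           # session_id
    suites_len = _u16(hello, pos)
    pos += 2
    suites = [_u16(hello, pos + i) for i in range(0, suites_len, 2)]
    pos += suites_len
    pos += 1 + hello[pos]                           # compression_methods
    return {"cipher_suites": suites, "extensions": _parse_extensions(hello, pos)}


def parse_server_hello(record):
    hello = _unwrap_handshake(record, 0x02)
    pos = 2 + 32                                   # server_version + random
    pos += 1 + hello[pos]                           # session_id
    cipher = _u16(hello, pos)
    pos += 2
    pos += 1                                        # compression_method
    return {"cipher_suite": cipher, "extensions": _parse_extensions(hello, pos)}


def client_signals_secure_renegotiation(record):
    """RFC 5746 client: SCSV in the cipher list or an empty renegotiation_info."""
    ch = parse_client_hello(record)
    return (EMPTY_RENEGOTIATION_INFO_SCSV in ch["cipher_suites"]
            or ch["extensions"].get(RENEGOTIATION_INFO) == b"\x00")


def server_negotiated_secure_renegotiation(record):
    """RFC 5746 server, initial handshake: renegotiation_info with empty data."""
    return parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO) == b"\x00"


def _record(hs_type, hello):
    """Wrap a hello body in handshake and record headers (TLS 1.0)."""
    body = bytes([hs_type]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


# Constructed samples (not captured traffic): TLS 1.0, zeroed random, empty session id,
# cipher suite 0x002f; the RFC 5746 variants add the SCSV or the renegotiation_info extension.
RENEG_EXT = b"\xff\x01\x00\x01\x00"   # type 0xff01, length 1, empty renegotiated_connection
LEGACY_CLIENT = _record(0x01, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")
RFC5746_CLIENT = _record(0x01, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x04\x00\x2f\x00\xff" + b"\x01\x00")
LEGACY_SERVER = _record(0x02, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
RFC5746_SERVER = _record(0x02, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00" + b"\x00\x05" + RENEG_EXT)

if __name__ == "__main__":
    for name, rec in [("legacy client", LEGACY_CLIENT), ("RFC 5746 client", RFC5746_CLIENT)]:
        print(name, "signals secure renegotiation:", client_signals_secure_renegotiation(rec))
    for name, rec in [("legacy server", LEGACY_SERVER), ("RFC 5746 server", RFC5746_SERVER)]:
        print(name, "negotiated secure renegotiation:", server_negotiated_secure_renegotiation(rec))
```

A peer whose hello carries neither signal is still doing pre-RFC 5746 renegotiation; the only safe choice against such a peer is the one the OpenSSL fix above took, refusing renegotiation altogether. The parser handles only the TLS 1.0 hello layout used in the samples and raises ValueError on truncated or mismatched length fields rather than guessing.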

Workaround

There is no known workaround at this time.

Solution

There is no solution at this time.
See http://openssl.org/news/secadv_20091111.txt for more information.
Thanks to Stefan Cornelius, Security Specialist at http://secunia.com/ for notifying me regarding this problem.

All Windows users using binary builds are strongly encouraged to download the latest version of XTelnet.

Time line

2009-11-06 - Received notification about OpenSSL vulnerability from http://secunia.com/.
2009-11-12 - Release of VooDoo cIRCle 1.1.38, public disclosure - this advisory.

Changelog

2009-11-12 - Initial revision
2009-11-13 - Updated information regarding client TLS socket connections: "Solution" section.

Legal notice

Some names used in this document may be registered trademarks of their respective owners.
