CVE-2011-3389

high

Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

References

https://medium.com/tenable-techblog/meltdown-of-critical-ics-vulnerabilities-8af3a1a13e6a

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752

https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006

https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf

https://bugzilla.redhat.com/show_bug.cgi?id=737506

https://bugzilla.novell.com/show_bug.cgi?id=719047

https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail

http://www.us-cert.gov/cas/techalerts/TA12-010A.html

http://www.ubuntu.com/usn/USN-1263-1

http://www.securityfocus.com/bid/49778

http://www.securityfocus.com/bid/49388

http://www.redhat.com/support/errata/RHSA-2012-0006.html

http://www.redhat.com/support/errata/RHSA-2011-1384.html

http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.opera.com/support/kb/view/1004/

http://www.opera.com/docs/changelogs/windows/1160/

http://www.opera.com/docs/changelogs/windows/1151/

http://www.opera.com/docs/changelogs/unix/1160/

http://www.opera.com/docs/changelogs/unix/1151/

http://www.opera.com/docs/changelogs/mac/1160/

http://www.opera.com/docs/changelogs/mac/1151/

http://www.kb.cert.org/vuls/id/864643

http://www.imperialviolet.org/2011/09/23/chromeandbeast.html

http://www.ibm.com/developerworks/java/jdk/alerts/

http://www.debian.org/security/2012/dsa-2398

http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf

http://vnhacker.blogspot.com/2011/09/beast.html

http://technet.microsoft.com/security/advisory/2588513

http://support.apple.com/kb/HT6150

http://support.apple.com/kb/HT5501

http://support.apple.com/kb/HT5130

http://support.apple.com/kb/HT5001

http://support.apple.com/kb/HT4999

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://security.gentoo.org/glsa/glsa-201203-02.xml

http://secunia.com/advisories/55351

http://secunia.com/advisories/55350

http://secunia.com/advisories/55322

http://secunia.com/advisories/49198

http://secunia.com/advisories/48948

http://secunia.com/advisories/48915

http://secunia.com/advisories/48692

http://secunia.com/advisories/48256

http://secunia.com/advisories/47998

http://secunia.com/advisories/45791

http://rhn.redhat.com/errata/RHSA-2012-0508.html

http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue

http://marc.info/?l=bugtraq&m=134254957702612&w=2

http://marc.info/?l=bugtraq&m=134254866602253&w=2

http://marc.info/?l=bugtraq&m=133728004526190&w=2

http://marc.info/?l=bugtraq&m=133365109612558&w=2

http://marc.info/?l=bugtraq&m=132872385320240&w=2

http://marc.info/?l=bugtraq&m=132750579901589&w=2

http://isc.sans.edu/diary/SSL+TLS+part+3+/11635

http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html

http://eprint.iacr.org/2006/136

http://eprint.iacr.org/2004/111

http://downloads.asterisk.org/pub/security/AST-2016-001.html

http://curl.haxx.se/docs/adv_20120124B.html

http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx

http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx

http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/

Details

Source: Mitre, NVD

Published: 2011-09-06

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High