SSL/TLS Vulnerability Widely Unpatched

← Back to Stories (view on slashdot.org)

SSL/TLS Vulnerability Widely Unpatched

Posted by Soulskill on Monday June 20, 2011 @07:46AM from the never-put-off-until-tomorrow-what-you-can-forget-entirely dept.

kaiengert writes "In November 2009 a Man-In-the-Middle vulnerability for SSL/TLS/https was made public (CVE-2009-3555), and shortly afterwards demonstrated to be exploitable. In February 2010 researchers published RFC 5746, which described how servers and clients can be made immune. Software that implements the TLS protocol enhancements became available shortly afterwards. Most modern web browsers are patched, but the solution requires that both browser developers and website operators take action. Unfortunately, 16 months later, many major websites, including several ones that deal with real world transactions of goods and money, still haven't upgraded their systems. Even worse, for a big portion of those sites it can be shown that their operators failed to apply the essential configuration hotfix. Here is an exemplary list of patched and unpatched sites, along with more background information. The patched sites demonstrate that patching is indeed possible."

17 of 103 comments (clear)

Min score:

Reason:

Sort:

I recall that firefox detects this by roguegramma · 2011-06-20 07:54 · Score: 2

I recall that firefox detects this, so using firefox + firebug and checking the console might tell you if a site is vulnerable.

--
Hey don't blame me, IANAB
Not as surprising as it should be by Tarlus · 2011-06-20 07:57 · Score: 4, Insightful

Unfortunately, 16 months later, many major websites, including several ones that deal with real world transactions of goods and money, still haven't upgraded their systems. Even worse, for a big portion of those sites it can be shown that their operators failed to apply the essential configuration hotfix.
Lately we've also been finding out that many major websites are storing passwords as plain text and are untested against SQL injection. So it's unsurprising that they're also unpatched.
Web servers need to be actively watched, maintained and scanned for vulnerabilities. Just because it's a LAMP server doesn't mean it's rock-solid. The fire-and-forget philosophy does not apply.

--
/* No Comment */
1. Re:Not as surprising as it should be by Hyppy · 2011-06-20 08:01 · Score: 2
  
  Lately we've also been finding out that many major websites are storing passwords as plain text and are untested against SQL injection. So it's unsurprising that they're also unpatched.
  Web servers need to be actively watched, maintained and scanned for vulnerabilities. Just because it's a LAMP server doesn't mean it's rock-solid. The fire-and-forget philosophy does not apply.
  The problem is generally far beyond the necessary LAMP or IIS patching: The vulnerabilities you describe are flaws in the site's design and code. You can't patch a stupid divaloper.
2. Re:Not as surprising as it should be by Anonymous Coward · 2011-06-20 08:13 · Score: 4, Funny
  
  You can't patch a stupid divaloper.
  Diva-loper:
  1. (n) A portmanteau of diva and interloper. It describes a software developer (or programmer) who believes themselves to be excellent at their craft, while an independent review of their developed code will demonstrate that the person has no business touching a computer.
  2. (n) A singer (diva) who gets married in Vegas (elopes).
3. Re:Not as surprising as it should be by Anonymous Coward · 2011-06-20 08:39 · Score: 3, Insightful
  
  Well that depends. Some orgs the developers show up build the system then it is up to operations to keep it going. Or contract it out. Or some 3rd party 'handles it'. Some are afraid to change anything. Others have stacks of legal hurdles to jump thru. Others have SLA's they have to keep up with...
  A developer who saw it would say 'yeah just fix and reboot'. But the IT org would say uh we have about 2 mins downtime per year it will happen in six months.
4. Re:Not as surprising as it should be by morcego · 2011-06-20 08:47 · Score: 3, Insightful
  
  Besides the obvious "stupid divaloper" joke, and I will refrain from making, I agree the problem is much bigger.
  It is what I call the "Windows Mentality". "So simple anyone can do it" is another way of stating it.
  Companies (Microsoft is a leader on this) sell their software as something extremely simple, that anyone can install, run and maintain. And, for someone who doesn't understand it (a good number of managers, CEOs and director), it actually looks that simple. Well, guess again ? It is not. I'm sorry, but your 17 years old intern (hourly rate = 1 candle bar) can't install and maintain a good server. You need to have someone who actually knows what he is doing, has the experience and the knowledge to do it well. Oh ? Too expensive, is it ? Really ? I suppose you take your Porche to be serviced buy that tatooed guy at the gas station too ?
  Nope, sorry. There are no simple server. Windows, Linux (LAMP or otherwise). They all require skilled admins, skilled coders and skilled designers. And those cost money. They require regular and constant maintenance. In other words: money.
  That is the real problem. Most companies are just cheap.
  
  --
  morcego
5. Re:Not as surprising as it should be by Mysteray · 2011-06-20 09:11 · Score: 2
  
  For the record, Microsoft pushed out (via Windows Update) a patch fully implementing the fix for this well before many other vendors (including some popular Linux distros) did, even though their server (IIS) wasn't nearly as vulnerable in its default configuration as Apache+OpenSSL.
6. Re:Not as surprising as it should be by Gaygirlie · 2011-06-20 09:34 · Score: 2
  
  I'm somehow not at all surpised to see Adobe, Microsoft, Apple and HP servers marked as BAD on that list. What is surprising however is the low number of sites marked as GOOD. Don't admins follow IT security news, are they only given 2 minutes a year to restart the server and/or services, or are they just incompetent?
7. Re:Not as surprising as it should be by jd · 2011-06-20 09:51 · Score: 2
  
  Sufficient duct tape should patch the developers just fine.
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Re:Self test? by Mysteray · 2011-06-20 08:00 · Score: 5, Informative

I like Qualys' SSL Labs
Re:Self test? by caljorden · 2011-06-20 08:28 · Score: 4, Informative

I spent a few minutes looking for the same thing, and found that Firefox includes a check. If you visit an HTTPS site that is not secure, you will get a message in the Error Console under Messages saying something like this:
site.example.com : server does not support RFC 5746, see CVE-2009-3555
For more information, see https://wiki.mozilla.org/Security:Renegotiation
Windows Server MS10-049 & KB980436 by Anonymous Coward · 2011-06-20 08:30 · Score: 4, Informative

After reading this article I ran a quick audit on all of our server farms and noticed that KB980436 was dutifully installed Sept 2010...however, upon closer scrutiny I noticed that this Security Patch from Microsoft doesn't prevent this vulnerability by default (but rather keeps it in "Compatibility Mode" by default). Windows SysAdmins need to take care to read MS10-049 and add the appropriate RegKeys to enforce "Strict Mode" to keep their servers from being vulnerable to this exploit. FYI, downloading and installing KB980436 is not enough.
Re:Unexploitable vuln? by Calos · 2011-06-20 08:31 · Score: 3, Interesting

Interesting question. I guess you could argue that a theoretical shortcoming isn't a vulnerability if there's no practical exploit.
But that ignores the temporal part of it. It is only not a vulnerability, because it's not practically exploitable right now. Things change, technology changes, new avenues for attacking the shortcoming open up.
It's like the recent proven exploit we saw a few days ago on a quantum message transfer. The method had been theorized, but never been shown. Now that it's been shown, it can be taken more seriously.

--
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
Re:Unexploitable vuln? by compro01 · 2011-06-20 08:34 · Score: 2

Depends on your definition of "vulnerability". For example, there's a vulnerability in AES's key schedule that weakens the 256 and 192 bit versions down to roughly 99.5 bits security. However, this is not an exploitable vulnerability, as the stars will still have all gone cold and dark by that time.

--
upon the advice of my lawyer, i have no sig at this time
Re:Is there a better explanation of the fix? by Mysteray · 2011-06-20 09:01 · Score: 2

I mentioned Qualys' SSL Labs nice test utility in another comment.
The fix is to ask your vendor for a patch for CVE-2009-3555 which implements RFC 5746 Transport Layer Security (TLS) Renegotiation Indication Extension. Responsible vendors will have implemented support for RFC 5746 by now so you may already be patched.
Wells Fargo Bank is ONE! by al0ha · 2011-06-20 10:38 · Score: 2

Last week my Father sent me the debug output of a NoScript dump where Abe detected potential XSS while he was connecting to Wells Fargo Online Banking - the XSS was bogus but among the other messages was this disheartening line printed over and over again:

www.wellsfargo.com : server does not support RFC 5746, see CVE-2009-3555

Almost as lame as Citi's CC numbers in the URL string.

--
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
Re:A warning against banner-grabbing vuln scans by dgatwood · 2011-06-20 11:06 · Score: 3, Interesting
According to the page in question, the test methodology is:
1. Connect with RFC 5746. Upon success, mark as "Good".
2. If the connection fails, the site is not patched. Send a request "HEAD / HTTP/1.1" without using RFC 5746, and save the response for later comparison.
3. Run the actual test. This basically does the following:
- Connect.
- Send part of the request.
- Renegotiate.
- Send the rest of the request
- Check to see if the status code matches the status code from step 2.
If a site has been updated with a partial hotfix, it should either disconnect or sent an HTTP status code in the 400s. These sites are flagged as "Uncertain" because the server might initiate a renegotiation. If the site sends data after the second handshake and the response code is the same as the response code from step #2, it is marked as BAD.
Discuss.
--
Check out my sci-fi/humor trilogy at PatriotsBooks.