Transport Layer Security (TLS) handshake renegotiation weak security (TLS_Server_Cipher_Renegotiation)

About this signature or vulnerability

Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Proventia Network IPS, IBM Security Network Protection, IBM Security Host Protection for Servers (Windows), Proventia Network MFS, RealSecure Server Sensor, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia-G 1.1 and earlier:

This signature detects an SSL/TLS session in which a TLS server requests a cipher renegotiation after encrypted application data has been transmitted. This behavior is not common under most normal circumstances and may indicate that a man-in-the-middle attack is taking place.
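The condition described above can be checked from TLS record headers alone, because the content type of each record stays in cleartext after encryption begins. The following is an added sketch, not IBM's signature logic: the class, the helper names and the sample sessions are constructed for illustration, and it assumes reassembled per-direction byte streams of SSL 3.0 through TLS 1.2.

```python
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
RECORD_TYPES = {CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA}
HEADER = struct.Struct("!BBBH")  # content type, version major, version minor, length


class RenegotiationDetector:
    """Flags a server-started handshake that follows encrypted application data."""

    def __init__(self):
        self.buffers = {"client": bytearray(), "server": bytearray()}
        self.in_handshake = True       # the initial handshake is in progress
        self.pending_finished = set()  # sides that sent ChangeCipherSpec, Finished not yet seen
        self.finished = set()          # sides whose Finished record was seen
        self.app_data_seen = False
        self.record_no = 0
        self.alerts = []

    def feed(self, direction, data):
        """Add bytes seen in one direction; records may span several segments."""
        buf = self.buffers[direction]
        buf += data
        while len(buf) >= HEADER.size:
            ctype, major, _minor, length = HEADER.unpack_from(buf)
            if ctype not in RECORD_TYPES or major != 3:
                raise ValueError(f"{direction}: not a TLS record header")
            if len(buf) < HEADER.size + length:
                break  # wait for the rest of this record
            del buf[:HEADER.size + length]
            self.record_no += 1
            self._on_record(direction, ctype)

    def _on_record(self, direction, ctype):
        if ctype == APPLICATION_DATA:
            self.app_data_seen = True
        elif ctype == CHANGE_CIPHER_SPEC:
            self.pending_finished.add(direction)
        elif ctype == HANDSHAKE:
            if direction in self.pending_finished:
                # First handshake record after ChangeCipherSpec is this side's Finished.
                self.pending_finished.discard(direction)
                self.finished.add(direction)
                if self.finished == {"client", "server"}:
                    self.in_handshake = False
                    self.finished.clear()
            elif not self.in_handshake:
                # A handshake record outside any handshake starts a renegotiation.
                self.in_handshake = True
                if self.app_data_seen and direction == "server":
                    # Event label reuses the signature name from this page.
                    self.alerts.append({"record": self.record_no,
                                        "event": "TLS_Server_Cipher_Renegotiation"})


def record(ctype, length, version=(3, 3)):
    """Build a constructed TLS record with an opaque zero-filled payload."""
    return HEADER.pack(ctype, version[0], version[1], length) + bytes(length)


def detect(segments):
    """Run the detector over (direction, bytes) segments in capture order."""
    detector = RenegotiationDetector()
    for direction, data in segments:
        detector.feed(direction, data)
    return detector.alerts


# Constructed session: full handshake followed by application data both ways.
INITIAL = [
    ("client", record(HANDSHAKE, 180)),   # ClientHello
    ("server", record(HANDSHAKE, 900)),   # ServerHello .. ServerHelloDone
    ("client", record(HANDSHAKE, 262) + record(CHANGE_CIPHER_SPEC, 1) + record(HANDSHAKE, 40)),
    ("server", record(CHANGE_CIPHER_SPEC, 1) + record(HANDSHAKE, 40)),
    ("client", record(APPLICATION_DATA, 300)),
    ("server", record(APPLICATION_DATA, 1200)),
]
# Server sends an (encrypted) handshake record after data: the flagged case.
SERVER_RENEG = INITIAL + [("server", record(HANDSHAKE, 24))]
# Client starts the renegotiation itself; the server's reply is not flagged.
CLIENT_RENEG = INITIAL + [("client", record(HANDSHAKE, 200)),
                          ("server", record(HANDSHAKE, 900))]

if __name__ == "__main__":
    for name, session in [("initial", INITIAL), ("server", SERVER_RENEG),
                          ("client", CLIENT_RENEG)]:
        print(name, detect(session))
```

An alert from this check is only a lead: servers that request a client certificate late in a session produce the same record sequence, which is the false-positive case noted below.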


False positives

Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Proventia Network IPS, IBM Security Network Protection, IBM Security Host Protection for Servers (Windows), Proventia Network MFS, RealSecure Server Sensor, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia-G 1.1 and earlier: Each session contains valid traffic, and legitimate traffic may cause this event to trigger a false positive under certain circumstances.

Default risk level

Medium risk vulnerability

Sensors that have this signature

Virtual Server Protection for VMware: 1.0, IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Server IPS for Linux technology: 29.110, Proventia Network IPS: XPU 29.110, IBM Security Network Protection: 5.1, IBM Security Host Protection for Servers (Windows): 2.1.14.2450, Proventia Network MFS: XPU 29.110, IBM Security Host Protection for Servers (Windows): 1.0.914.2450, IBM Security Host Protection for Servers (Windows): 2.0.300.2450, RealSecure Server Sensor: XPU 29.110, Proventia Network IDS: XPU 29.110, IBM Security Host Protection for Desktops: 2450, Proventia-G 1.1 and earlier: XPU 29.110

Systems affected

Microsoft Internet Information Services: 7.5, RedHat Enterprise Linux: 5.4.z EUS, Blue Coat Systems Security Gateway OS (SGOS): 4.0, Blue Coat Systems Security Gateway OS (SGOS): 5.1, Blue Coat Systems Security Gateway OS (SGOS): 5.2, Blue Coat Systems Security Gateway OS (SGOS): 5.3, Blue Coat Systems Security Gateway OS (SGOS): 5.4, Aruba Networks ArubaOS: 3.3.2.X, Aruba Networks ArubaOS: 3.4.X, Microsoft Windows Server 2008: SP2 Itanium, Apple Mac OS X Server: 10.6.2, Apple Mac OS X: 10.6.2, PeerSec MatrixSSL: 1.8.7, VooDoo cIRCle: 1.1.38.7, OpenOffice OpenOffice.org: 3.2, Mozilla SeaMonkey: 2.0.2, Cisco Digital Media Manager (DMM): 5.0, Mozilla Firefox: 3.6, Sun JDK: 6 Update18, Sun JRE: 6 Update18, Sun JDK: 5.0 Update23, Sun SDK: 1.4.2_25, HP System Management Homepage: 6.0.0.95, HP System Management Homepage: 6.0.0.96, IBM Java SDK: 6.1, IBM Java SDK: 6.0, Sun Java System Application Server: 8.0 Enterprise, IBM Java SDK: 5.0, Sun OpenSolaris: 2009.06, IBM Java: 1.4, IBM Java: 5.0, IBM WebSphere DataPower SOA Appliances: 3.6.1, IBM WebSphere DataPower SOA Appliances: 3.7.1, IBM WebSphere DataPower SOA Appliances: 3.7.2, IBM WebSphere DataPower SOA Appliances: 3.7.3, IBM WebSphere DataPower SOA Appliances: 3.8, Sun GlassFish Enterprise Server: 2.1.1, IBM WebSphere DataPower, Oracle WebLogic Server: 10.3.2, Zeus Zeus Web Server: 4.3 r4, HP System Management Homepage: 3.0.0-64, HP System Management Homepage: 3.0.2-77, Mozilla Thunderbird: 3.0.1, RedHat Red Hat Enterprise Linux: 4.8.z Extras, RedHat Red Hat Enterprise Linux: 4.7.z Extras, HP Systems Insight Manager: 5.3, HP Systems Insight Manager: 5.3 Update 1, HP Systems Insight Manager: 6.0, RedHat RHEL Supplementary: 5.4.z EUS, Oracle WebLogic Server: 10.0 MP2, Oracle WebLogic Server: 10.3.3, Mandriva Linux: 2010 X86_64, Mandriva Linux: 2010, Mandriva Enterprise Server: 5 X86_64, Mandriva Enterprise Server: 5, BlueCoat Reporter: 9.2.3.1, BlueCoat Reporter: 8.3.7.1, BlueCoat Reporter: 9.1.5.1, Turbolinux 
Client: 2008, Turbolinux Appliance Server: 3.0 x64, Oracle Java for Business JRE: 6 Update 21, Oracle Java for Business JDK: 5 Update 25, Oracle Java for Business SDK: 1.4.2_27, Oracle Java for Business JRE: 1.4.2_27, Oracle Java for Business JDK: 6 Update 21, Turbolinux Appliance Server: 3.0, Oracle Transportation Management: 5.5.06.03, Oracle Transportation Management: 6.0.6, Oracle Transportation Management: 6.1.2, HP Systems Insight Manager: 6.1, Oracle Java SE JDK: 6 Update 21, Oracle Java SE JRE: 6 Update 21, Oracle Java SE JDK: 5 Update 25, Oracle Java SE SDK: 1.4.2_27, HP System Management Homepage: 6.0, HP System Management Homepage: 6.1, Blue Coat Systems Director: 5.x, Innominate Security Technologies mGuard: 5.x, Innominate Security Technologies mGuard: 6.x, Innominate Security Technologies mGuard: 7, RedHat Enterprise Linux: 6 Server, RedHat Enterprise Linux: 6 Workstation, Microsoft IIS: 7.0, HP Integrated Lights-Out 2 Firmware: 2.05, HP Integrated Lights-Out 3 Firmware: 1.16, HP Onboard Administrator: 3.31, HP Onboard Administrator: 3.21, HP System Management Homepage: 3.0, HP System Management Homepage: 2.1.15-210, HP System Management Homepage: 3.0.0-68, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows Server 2008: SP2 x32, FreeBSD FreeBSD: 7.2 pre-Release, GNU GnuTLS: 2.6.1, GNU GnuTLS: 2.6.2, GNU GnuTLS: 2.6.3, GNU GnuTLS: 2.6.4, GNU GnuTLS: 2.6.5, IBM DB2 Universal Database: 9.1 FP6, VMware ESX: 3.5, Ingate Ingate SIParator: 4.7, Ingate Ingate Firewall: 4.7, Microsoft Windows XP: SP3, Microsoft Windows Server 2008: x64, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: Itanium, GNU GnuTLS: 1.7.7, GNU GnuTLS: 1.7.4, GNU GnuTLS: 1.7.5, GNU GnuTLS: 1.7.10, GNU GnuTLS: 2.3.10, GNU GnuTLS: 1.7.11, GNU GnuTLS: 1.7.8, GNU GnuTLS: 1.7.9, IBM DB2: 9.7, GNU GnuTLS: 2.8.0, GNU GnuTLS: 1.5.1, GNU GnuTLS: 2.1.1, GNU GnuTLS: 1.6.1, GNU GnuTLS: 2.1.7, GNU GnuTLS: 1.6.2, 
GNU GnuTLS: 2.1.6, GNU GnuTLS: 1.5.5, GNU GnuTLS: 2.1.5, GNU GnuTLS: 1.6.0, GNU GnuTLS: 2.1.4, GNU GnuTLS: 1.7.2, GNU GnuTLS: 1.7.3, GNU GnuTLS: 2.3.1, GNU GnuTLS: 1.7.0, GNU GnuTLS: 2.3.0, GNU GnuTLS: 1.7.1, GNU GnuTLS: 2.1.8, GNU GnuTLS: 1.7.6, GNU GnuTLS: 2.5.0, GNU GnuTLS: 2.3.11, GNU GnuTLS: 2.3.2, GNU GnuTLS: 2.3.4, GNU GnuTLS: 2.3.3, GNU GnuTLS: 1.2.8.1a1, GNU GnuTLS: 1.7.14, GNU GnuTLS: 1.7.15, GNU GnuTLS: 1.7.12, GNU GnuTLS: 1.7.13, GNU GnuTLS: 1.7.18, GNU GnuTLS: 1.7.19, GNU GnuTLS: 2.2.5, GNU GnuTLS: 1.7.16, GNU GnuTLS: 2.2.4, GNU GnuTLS: 1.7.17, GNU GnuTLS: 1.5.0, GNU GnuTLS: 2.0.2, GNU GnuTLS: 1.4.4, GNU GnuTLS: 2.0.3, GNU GnuTLS: 1.4.3, GNU GnuTLS: 2.0.0, GNU GnuTLS: 1.4.2, GNU GnuTLS: 2.0.1, GNU GnuTLS: 1.5.4, GNU GnuTLS: 2.1.2, GNU GnuTLS: 1.5.3, GNU GnuTLS: 2.1.3, GNU GnuTLS: 1.5.2, GNU GnuTLS: 2.1.0, GNU GnuTLS: 2.6.6, GNU GnuTLS: 2.8.1, Apache HTTP Server: 2.2.13, IBM HTTP Server: 7.0, Apple Mac OS X: 10.5.8, Mozilla Nss: 3.11.4, Mozilla Nss: 3.4, Mozilla Nss: 3.0, Mozilla Nss: 3.12.2, Mozilla Nss: 3.12.1, Mozilla Nss: 3.5, Mozilla Nss: 3.4.2, Mozilla Nss: 3.4.3, Mozilla Nss: 3.4.1, Mozilla Nss: 3.6.1, Mozilla Nss: 3.10, Mozilla Nss: 3.9.5, Mozilla Nss: 3.9, Mozilla Nss: 3.7.7, Mozilla Nss: 3.7.5, Mozilla Nss: 3.7, Mozilla Nss: 3.7.1, Mozilla Nss: 3.7.2, Mozilla Nss: 3.7.3, Mozilla Nss: 3.8, Mozilla Nss: 3.3.2, Mozilla Nss: 3.3.1, Mozilla Nss: 3.3, Mozilla Nss: 3.2.1, Mozilla Nss: 3.2, Mozilla Nss: 3.11.7, Mozilla Nss: 3.12, Mozilla Nss: 3.6, Mozilla Nss: 3.11.2, Mozilla Nss: 3.11.8, IBM DB2 Universal Database: 9.1 FP7, Apache HTTP Server: 2.2.12, Microsoft Windows Server 2008: R2 Itanium, Apple Mac OS X Server: 10.5.8, RedHat Enterprise Linux: 4.8.z AS, RedHat Enterprise Linux: 4.8.z ES, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, OpenSSL OpenSSL: 0.9.7M, OpenSSL OpenSSL: 0.9.7A-2 I386 Dev, OpenSSL OpenSSL: 0.9.7A-2 I386, OpenSSL OpenSSL: 0.9.6-15 I386, OpenSSL OpenSSL: 0.9.7A-2 I386 Perl, OpenSSL OpenSSL: 0.9.6B-3 I386, 
OpenSSL OpenSSL: 1.0 Openvms, Citrix Secure Gateway: 3.1, HP ProCurve Threat Mgmt Services zl Module (J9155A): ST.1.0.090213, Mandriva Linux: 2009.1 X86_64, Mandriva Linux: 2009.1, Microsoft Windows 7: x64, Opera Opera Browser: 9.0, Mozilla Firefox: 3.5, FreeBSD FreeBSD: 8.0, Apache HTTP Server: 2.2.10, Apache HTTP Server: 2.2.7, Apache HTTP Server: 2.0.58 Win32, Apache HTTP Server: 2.1.9, Apache HTTP Server: 1.3.65, Apache HTTP Server: 1.99, Apache HTTP Server: 1.3.68, Apache HTTP Server: 1.2.4, Apache HTTP Server: 1.3.1.1, Apache HTTP Server: 1.2.6, Apache HTTP Server: 1.4.0, Apache HTTP Server: 2.0.46 Win32, Apache HTTP Server: 1.3.7 Dev, Apache HTTP Server: 2.2.11, OpenVPN OpenVPN: 2.1 rc8, OpenVPN OpenVPN: 2.1 beta14, Apache HTTP Server: 2.2.9, Sun Solaris: 9 SPARC, Sun Java System Web Proxy Server: 4.0 SP1, OpenSSL OpenSSL: 0.9.8h, GNU GnuTLS: 2.3.5, GNU GnuTLS: 2.3.6, GNU GnuTLS: 2.3.7, GNU GnuTLS: 2.3.8, GNU GnuTLS: 2.3.9, GNU GnuTLS: 2.4.0, FreeBSD FreeBSD: 6.4, HP System Management Homepage: 2.1.10, Ingate Ingate SIParator: 4.6.2, Ingate Ingate Firewall: 4.6.2, Sun OpenSolaris: build_snv_86 x86, Canonical Ubuntu: 8.10, HP System Management Homepage: 2.2.6, HP System Management Homepage: 2.2.8, GNU GnuTLS: 2.6.0, FreeBSD FreeBSD: 7.1, IBM DB2 Universal Database: 9.1 FP5, HP Systems Insight Manager: 5.2, Mandriva Linux: 2009.0 X86_64, Sun Java System Web Proxy Server: 4.0.7, Mandriva Linux: 2009.0, Sun OpenSolaris: build_snv_86 SPARC, ProFTPD ProFTPD: 1.3.2, Cisco ACE 4710, GNU GnuTLS: 2.4.1, GNU GnuTLS: 2.4.2, HP System Management Homepage: 2.1.0-103, HP System Management Homepage: 2.1.0-103(A), HP System Management Homepage: 2.1.0-109, HP System Management Homepage: 2.1.0-118, HP System Management Homepage: 2.1.10-186, HP System Management Homepage: 2.1.11-197, HP System Management Homepage: 2.1.12-118, HP System Management Homepage: 2.1.12-200, HP System Management Homepage: 2.1.2-127, HP System Management Homepage: 2.1.4-143, HP System Management 
Homepage: 2.1.5-146, HP System Management Homepage: 2.1.6-156, HP System Management Homepage: 2.1.7-168, HP System Management Homepage: 2.1.8-177, HP System Management Homepage: 2.1.9-178, Debian Debian Linux: 5.0, RedHat RHEL Supplementary: 5.3.z EUS, HP System Management Homepage: 2.1.12, JBoss Enterprise Web Server, RedHat Enterprise Linux Server EUS: 6.0.z, RedHat Enterprise Linux HPC Node Supplementary : 6, RedHat Enterprise Linux for SAP, RedHat Enterprise Linux Desktop Supplementary : 6, RedHat Enterprise Linux HPC Node : 6, RedHat Enterprise Linux Server Supplementary : 6, RedHat Enterprise Linux Workstation Supplementary : 6, RedHat Enterprise Linux Desktop : 6, HP Onboard Administrator: 3.32, HP Systems Insight Manager: 5.0 SP6, HP Systems Insight Manager: 6.2, HP Systems Insight Manager: 6.3, Canonical Ubuntu: 8.04 LTS, Aruba Networks Mobility Controller: 2.4.8.0-FIPS, GNU GnuTLS: 2.2.0, GNU GnuTLS: 2.2.1, GNU GnuTLS: 2.2.2, GNU GnuTLS: 2.2.3, GNU GnuTLS: 1.1.13, IBM DB2 Universal Database: 9.1 FP1, GNU GnuTLS: 1.4.5, GNU GnuTLS: 1.6.3, GNU GnuTLS: 2.0.4, RedHat RHEL Supplementary: 5.2.z EUS, OpenSSL OpenSSL: 0.9.8g, OpenSSL OpenSSL: 0.9.8f, Novell OpenSUSE: 11.0, Apache HTTP Server: 2.0.63, Apache HTTP Server: 2.2.8, Novell SUSE Linux Enterprise Desktop: 10 SP2, Novell SUSE Linux Enterprise: 10 SP2 DEBUGINFO, Novell SLE SDK: 10 SP2, HP System Management Homepage: 2.1.11, Novell SUSE Linux Enterprise Server: 10 SP2, Oracle WebLogic Server: 9.2 MP3, IBM OS 400: 5.2, OpenSSL OpenSSL: 0.9.8b, OpenSSL OpenSSL: 0.9.8c, OpenSSL OpenSSL: 0.9.8d, OpenSSL OpenSSL: 0.9.8e, OpenSSL OpenSSL: 0.9.7k, OpenSSL OpenSSL: 0.9.7l, OpenSSL OpenSSL: 0.9.7j, OpenSSL OpenSSL: 0.9.8, OpenSSL OpenSSL: 0.9.6, OpenSSL OpenSSL: 0.9.1c, OpenSSL OpenSSL: 0.9.2b, OpenSSL OpenSSL: 0.9.3, OpenSSL OpenSSL: 0.9.3a, OpenSSL OpenSSL: 0.9.4, OpenSSL OpenSSL: 0.9.5, OpenSSL OpenSSL: 0.9.5 Beta1, OpenSSL OpenSSL: 0.9.5 Beta2, OpenSSL OpenSSL: 0.9.5a, OpenSSL OpenSSL: 0.9.5a Beta1, OpenSSL 
OpenSSL: 0.9.5a Beta2, OpenSSL OpenSSL: 0.9.6c, OpenSSL OpenSSL: 0.9.6b, OpenSSL OpenSSL: 0.9.6a Beta3, OpenSSL OpenSSL: 0.9.6a Beta2, OpenSSL OpenSSL: 0.9.6a Beta1, OpenSSL OpenSSL: 0.9.6 Beta3, OpenSSL OpenSSL: 0.9.6 Beta2, OpenSSL OpenSSL: 0.9.6 Beta1, OpenSSL OpenSSL: 0.9.7i, OpenSSL OpenSSL: 0.9.7h, OpenSSL OpenSSL: 0.9.7g, OpenSSL OpenSSL: 0.9.7f, OpenSSL OpenSSL: 0.9.7e, OpenSSL OpenSSL: 0.9.7d, OpenSSL OpenSSL: 0.9.7 Beta6, OpenSSL OpenSSL: 0.9.7 Beta5, OpenSSL OpenSSL: 0.9.7 Beta4, OpenSSL OpenSSL: 0.9.7 Beta3, OpenSSL OpenSSL: 0.9.7 Beta2, OpenSSL OpenSSL: 0.9.7 Beta1, OpenSSL OpenSSL: 0.9.6d, OpenSSL OpenSSL: 0.9.6e, OpenSSL OpenSSL: 0.9.6f, OpenSSL OpenSSL: 0.9.6g, OpenSSL OpenSSL: 0.9.6h, OpenSSL OpenSSL: 0.9.6j, OpenSSL OpenSSL: 0.9.6l, OpenSSL OpenSSL: 0.9.6m, Novell Open Enterprise Server, Sun Java System Web Proxy Server: 4.0.3, Sun Java System Web Proxy Server: 4.0.2, OpenSSL OpenSSL: 0.9.6-15, OpenSSL OpenSSL: 0.9.6B-3, OpenSSL OpenSSL: 0.9.7A-2, Sun Java System Web Proxy Server: 4.0.4, Sun Java System Web Proxy Server: 4.0.5, Sun Java System Web Proxy Server: 4.0.6, IBM HTTP Server: 6.1, IBM HTTP Server: 6.0, HP System Management Homepage: 2.1.5, HP System Management Homepage: 2.0.0, HP System Management Homepage: 2.0.1, HP System Management Homepage: 2.0.2, HP System Management Homepage: 2.1, HP System Management Homepage: 2.1.1, HP System Management Homepage: 2.1.3, HP System Management Homepage: 2.1.3.132, HP System Management Homepage: 2.1.2, HP System Management Homepage: 2.1.4, GNU GnuTLS: 1.4.1, GNU GnuTLS: 1.3.5, GNU GnuTLS: 1.4.0, HP System Management Homepage: 2.1.6, HP System Management Homepage: 2.1.7, HP System Management Homepage: 2.1.8, HP System Management Homepage: 2.1.9, HP Systems Insight Manager, HP Systems Insight Manager: 4.0, HP Systems Insight Manager: 4.1, HP Systems Insight Manager: 4.2, HP Systems Insight Manager: 5.0, Citrix Secure Gateway: 3.0, GNU GnuTLS: 1.0.16, GNU GnuTLS: 1.0.17, GNU GnuTLS: 1.0.18, GNU GnuTLS: 
1.0.19, GNU GnuTLS: 1.0.20, GNU GnuTLS: 1.0.21, GNU GnuTLS: 1.0.22, GNU GnuTLS: 1.0.23, GNU GnuTLS: 1.0.24, GNU GnuTLS: 1.0.25, GNU GnuTLS: 1.1.14, GNU GnuTLS: 1.1.15, GNU GnuTLS: 1.1.16, GNU GnuTLS: 1.1.17, GNU GnuTLS: 1.1.18, GNU GnuTLS: 1.1.19, GNU GnuTLS: 1.1.20, GNU GnuTLS: 1.1.21, GNU GnuTLS: 1.1.22, GNU GnuTLS: 1.1.23, GNU GnuTLS: 1.2.0, GNU GnuTLS: 1.2.1, GNU GnuTLS: 1.2.10, GNU GnuTLS: 1.2.11, GNU GnuTLS: 1.2.2, GNU GnuTLS: 1.2.3, GNU GnuTLS: 1.2.4, GNU GnuTLS: 1.2.5, GNU GnuTLS: 1.2.6, GNU GnuTLS: 1.2.7, GNU GnuTLS: 1.2.8, GNU GnuTLS: 1.2.9, GNU GnuTLS: 1.3.0, GNU GnuTLS: 1.3.1, GNU GnuTLS: 1.3.2, GNU GnuTLS: 1.3.3, GNU GnuTLS: 1.3.4, Apache HTTP Server: 0.8.14, Apache HTTP Server: 0.8.11, Apache HTTP Server: 1.0.3, Apache HTTP Server: 1.0.2, Apache HTTP Server: 1.0.5, Apache HTTP Server: 1.1.1, Apache HTTP Server: 2.0.44, Apache HTTP Server: 2.0.43, Apache HTTP Server: 2.0.32 Beta, Apache HTTP Server: 2.0.34 Beta, Apache HTTP Server: 1.3.38, Apache HTTP Server: 1.3.5, Apache HTTP Server: 1.3.7, Apache HTTP Server: 1.3.8, Apache HTTP Server: 1.3.15, Apache HTTP Server: 1.3.13, Apache HTTP Server: 1.3.30, Apache HTTP Server: 1.3.16, Apache HTTP Server: 2.0.45, Apache HTTP Server: 2.0.50, Apache HTTP Server: 2.0.53, Apache HTTP Server: 2.0.54, Apache HTTP Server: 2.0.58, Apache HTTP Server: 2.0.60, Apache HTTP Server: 2.0.61, Apache HTTP Server: 2.0.9, Apache HTTP Server: 2.0.56, Apache HTTP Server: 2.0.57, Apache HTTP Server: 2.1.1, Apache HTTP Server: 2.1.2, Apache HTTP Server: 2.1.3, Apache HTTP Server: 2.1.4, Apache HTTP Server: 2.1.5, Apache HTTP Server: 2.1.6, Apache HTTP Server: 2.1.7, Apache HTTP Server: 2.2, Apache HTTP Server: 2.2.1, Apache HTTP Server: 2.1.8, Avaya Communication Manager, IBM DB2 Universal Database: 9.1 FP2, IBM DB2 Universal Database: 9.1 FP3, IBM DB2 Universal Database: 9.1 FP4, OpenOffice OpenOffice.org: 2.0, Apache HTTP Server: 1.3.25, Apache HTTP Server: 1.3.18, Apache HTTP Server: 2.0.28, Apache HTTP Server: 2.0.35, Apache 
HTTP Server: 2.0.36, Apache HTTP Server: 2.0.32, Apache HTTP Server: 2.0.37, Apache HTTP Server: 2.0.41, Ingate Ingate SIParator: 4.5.1, Ingate Ingate Firewall: 4.5.1, Apache HTTP Server: 2.0.59, Apache HTTP Server: 2.2.4, Sun Java System Web Server: 7.0, Sun Java System Application Server: 8.1 Enterprise, Sun Java System Application Server: 8.2 Enterprise, MandrakeSoft Mandrake Linux: 2008.0 X86_64, Debian Debian Linux: 4.0, HP HP-UX: B.11.31, Oracle WebLogic Server: 8.1 SP6, Oracle WebLogic Server: 7.0 SP7, HP Systems Insight Manager: 5.0 SP4, HP Systems Insight Manager: 5.0 SP5, RedHat RHEL Supplementary: 5 Server, MandrakeSoft Mandrake Linux: 2008.0, RedHat RHEL Desktop Supplementary: 5 Client, RedHat Enterprise Linux: 5 Client, FreeBSD FreeBSD: 6.3, Microsoft Internet Information Services: 7.0, Sun Java System Web Proxy Server: 4.0, Apache HTTP Server: 1.3.4, Apache HTTP Server: 2.2.6, Apache HTTP Server: 2.2.5, Apache HTTP Server: 1.3.0, Apache HTTP Server: 1.3.2, Apache HTTP Server: 1.3.3, Apache HTTP Server: 1.3.39, Apache HTTP Server: 1.3.35, Apache HTTP Server: 1.3.34, Apache HTTP Server: 1.3.36, Apache HTTP Server: 1.3.22, Apache HTTP Server: 1.3.31, Apache HTTP Server: 1.3.24, Apache HTTP Server: 1.3.32, Turbolinux Turbolinux: 11 Server, Turbolinux Turbolinux: 11 Server x64 Ed, Apache HTTP Server: 2.0.46, Apache HTTP Server: 2.0.55, Apache HTTP Server: 2.2.3, Apache HTTP Server: 2.2.0, Apache HTTP Server: 2.2.2, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: x64, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, Microsoft Windows Vista, Turbolinux Turbolinux: FUJI, IBM DB2 Universal Database: 9.1, Cisco Wireless Control System, Turbolinux Turbolinux Appliance Server: 2.0, Turbolinux Turbolinux: 10 Server x64 Ed, IBM WebSphere 
Application Server: 6.1, Apache HTTP Server: 1.3.37, Novell Linux POS: 9, IBM OS 400: 5.3.5, RedHat RHEL Extras: 3, HP Systems Insight Manager: 4.2 SP1, HP Systems Insight Manager: 4.2 SP2, HP Systems Insight Manager: 5.0 SP1, HP Systems Insight Manager: 5.0 SP2, Oracle WebLogic Server: 9.0, HP Systems Insight Manager: 5.0 SP3, Avaya Modular Messaging: 2.0, Apache HTTP Server: 2.0.40, RedHat RHEL Extras: 4, Oracle WebLogic Server: 9.1, Canonical Ubuntu: 6.06 LTS, Novell SLE SDK: 10, IBM OS 400: 5.3, Sun Java System Web Server: 6.1, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, Novell SUSE Linux Enterprise Server: 10, MandrakeSoft Mandrake Linux Corporate Server: 4.0, HP Systems Insight Manager: 4.1 SP1, HP Systems Insight Manager: 4.0 SP1, Apache HTTP Server: 2.0.51, IBM OS 400, Microsoft Windows XP: SP2, SuSE SuSE SLES: 9, RedHat Enterprise Linux: 3 Desktop, HP HP-UX: B.11.23, Turbolinux Turbolinux: 10 Server, Avaya Message Application Server, MandrakeSoft Mandrake Linux Corporate Server: 3.0, Apache HTTP Server: 1.3.33, IBM WebSphere Application Server: 6.0, Ingate Ingate Firewall: 4.1.3, Sun Solaris: 10 SPARC, Sun Solaris: 10 x86, MandrakeSoft Mandrake Multi Network Firewall: 2.0, OpenSSL OpenSSL: 0.9.8a, Avaya Message Networking, Ingate Ingate Firewall: 4.2.0, IBM OS 400: 5.1, Ingate Ingate SIParator: 4.2.0, RedHat Enterprise Linux: 4 WS, RedHat Enterprise Linux: 4 ES, Apache HTTP Server: 2.0.52, RedHat Enterprise Linux: 4 Desktop, RedHat Enterprise Linux: 4 AS, Sun Solaris: 10, Novell Linux Desktop: 9, Microsoft Windows 2000: SP4, SUSE SuSE Linux: 9.0, OpenSSL OpenSSL: 0.9.6k, HP HP-UX: B.11.11, RedHat Enterprise Linux: 3 AS, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, IBM HTTP Server: 2.0.47, Apache HTTP Server: 2.0.49, Apache HTTP Server: 2.0.48, Apache HTTP Server: 1.3.29, OpenSSL OpenSSL: 0.9.6a, OpenSSL OpenSSL: 0.9.7c, OpenSSL OpenSSL: 0.9.7b, Sun Solaris: 9 x86, Sun 
Solaris: 8 SPARC, Gentoo Linux, Apache HTTP Server: 1.3.26, Apache HTTP Server: 1.3.6, Apache HTTP Server: 1.3.9, Apache HTTP Server: 1.3.12, Apache HTTP Server: 1.3.20, Apache HTTP Server: 1.3.23, Apache HTTP Server: 1.3.17, Apache HTTP Server: 1.3.14, Apache HTTP Server: 2.0.39, Apache HTTP Server: 2.0.38, Apache HTTP Server: 1.3.11, Apache HTTP Server: 2.0.42, OpenSSL OpenSSL: 0.9.7a, OpenSSL OpenSSL: 0.9.6i, OpenSSL OpenSSL: 0.9.7, Apache HTTP Server: 1.3.27, Apache HTTP Server: 2.0.47, Apache HTTP Server: 1.3.28, Apache HTTP Server: 1.2, Apache HTTP Server: 1.0, Apache HTTP Server: 1.2.5, Apache HTTP Server: 1.3.19, Apache HTTP Server: 2.0.28 Beta, Apache HTTP Server: 2.0, OpenSSL OpenSSL, Apache HTTP Server: 1.3, Sun Solaris: 8 x86

Type

Suspicious Activity

Vulnerability description

Multiple implementations of the Transport Layer Security (TLS) protocol, including SSL, could provide weaker than expected security, caused by TLS handshake renegotiation. A remote attacker could exploit this vulnerability via man-in-the-middle techniques to inject data into the beginning of the application protocol stream to execute HTTP transactions, bypass authentication and possibly launch further attacks against the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

TLS Mailing List Wed, 4 Nov 2009
MITM attack on delayed TLS-client auth through renegotiation
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html

The Apache Software Foundation Web site
Apache HTTP Server
http://httpd.apache.org/

Microsoft IIS Web site
The Official Microsoft IIS Site
http://www.iis.net/

OpenSSL CVS Repository
Check-in Number: 18790
http://cvs.openssl.org/chngview?cn=18790

IBM Internet Security Systems Protection Alert
Transport Layer Security (TLS) handshake renegotiation weak security
http://www.iss.net/threats/352.html

CTX123359
Transport Layer Security Renegotiation Vulnerability
http://support.citrix.com/article/CTX123359

cisco-sa-20091109-tls
Transport Layer Security Renegotiation Vulnerability
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml

MatrixSSL Web Site
MatrixSSL 1.8.8
http://www.matrixssl.org/archives/cat_releases.html

security advisory 20091112-01
An OpenSource VooDoo cIRCle
http://voodoo-circle.sourceforge.net/sa/sa-20091112-01.html

gmane.network.openvpn.devel
OpenVPN 2.1_rc21 released
http://article.gmane.org/gmane.network.openvpn.devel/2835

Ingate Web Site
Release notice for Ingate Firewall® 4.8.1 and Ingate SIParator® 4.8.1
http://www.ingate.com/Relnote.php?ver=481

HP Security Bulletin HPSBUX02482 SSRT090249 rev.1
HP-UX Running OpenSSL, Remote Unauthorized Data Injection, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686

FreeBSD-SA-09:15.ssl
SSL protocol flaw
http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc

Sun Alert ID: 273350
Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects Network Security Services (NSS)
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273350-1

IBM APAR PK96157
SHIP APAR FIXES FOR H28W601 FIX PACK 6.0.2.39. 09/09/14 PTF PECHANGE
http://www-01.ibm.com/support/docview.wss?uid=swg1PK96157

IBM Support and Downloads Web Site
IBM HTTP Server interim fix for PM00675
http://www-01.ibm.com/support/docview.wss?uid=swg24025312

ProFTPD Web site
1.3.2 Release Notes
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2c

SOL10737
SSL/TLS Authentication Gap – Status of Patches
https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html

IBM APAR IZ65239
Transport Layer Security (TLS) handshake renegotiation weak security CVE-2009-3555
http://www-01.ibm.com/support/docview.wss?uid=swg21415080

The Apache Tomcat Native - Miscellaneous Documentation
Changes between 1.1.17 and 1.1.18
http://tomcat.apache.org/native-doc/miscellaneous/changelog-1.1.x.html

HP Security Bulletin HPSBUX02498 SSRT090264 rev.1
HP-UX Running Apache, Remote Unauthorized Data Injection, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01963123

Offensive Security Exploit Database [12-21-2009]
TLS Renegotiation Vulnerability PoC Exploit
http://www.exploit-db.com/exploits/10579

Sun Alert ID: 274990
Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Affects Multiple Server Products in the Sun Java Enterprise System Suite
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1

IBM Support and Downloads
Are DataPower appliances affected by the SSL Man-in-the-Middle attack (CVE-2009-3555)?
http://www-01.ibm.com/support/docview.wss?uid=swg21410851

IBM Support and Downloads
Critical updates for IBM WebSphere DataPower SOA appliances
http://www-01.ibm.com/support/docview.wss?uid=swg21390112

IBM Support and Downloads
TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION VULNERABILITY
http://www-01.ibm.com/support/docview.wss?uid=nas258cbfcf0a5645af7862576710041f65e

IBM Support and Downloads
DATAPOWER CHANGE TO PREVENT SSL TLS MAN-IN-THE-MIDDLE ATTACK
http://www-01.ibm.com/support/docview.wss?uid=swg1IC64790

Apple Web site
About Security Update 2010-001
http://support.apple.com/kb/HT4004

IBM Support and Downloads
TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR10
http://www-01.ibm.com/support/docview.wss?uid=swg24025719

IBM Support and Downloads
TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11
http://www-01.ibm.com/support/docview.wss?uid=swg24025718

IBM Security alerts
developerWorks : Java; technology : IBM developer kits : Additional documentation
http://www.ibm.com/developerworks/java/jdk/alerts/

Bugzilla@Mozilla Bug 526689
(CVE-2009-3555) SSL3 & TLS Renegotiation Vulnerability
https://bugzilla.mozilla.org/show_bug.cgi?id=526689

Mozilla Web site
NSS 3.12.5 release notes
https://developer.mozilla.org/NSS_3.12.5_release_notes

IBM Support & downloads
Transport Layer Security (TLS) handshake renegotiation weak security (CVE-2009-3555) in relation to WebSphere Application Server products
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D600&uid=swg21413714&loc=en_US&cs=utf-8&lang=en

Microsoft Security Advisory (977377)
Vulnerability in TLS/SSL Could Allow Spoofing
http://www.microsoft.com/technet/security/advisory/977377.mspx

Aruba Networks Security Advisory
TLS Protocol Session Renegotiation Security Vulnerability
http://www.arubanetworks.com/support/alerts/aid-020810.txt

Opera changelog
Opera 10.50 beta (with Opera Widgets for Desktop) for Windows changelog
http://www.opera.com/docs/changelogs/windows/1050b1/

Bluecoat Security Advisories ID: SA44
TLS/SSLv3 renegotiation (CVE-2009-3555)
https://kb.bluecoat.com/index?page=content&id=SA44

MFSA 2010-22
Update NSS to support TLS renegotiation indication
http://www.mozilla.org/security/announce/2010/mfsa2010-22.html

Oracle Critical Patch Update Advisory - March 2010
Oracle Java SE and Java for Business Critical Patch Update Advisory - March 2010
http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html

IBM Support and Downloads
Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.1 Fix Pack 9
http://www-01.ibm.com/support/docview.wss?uid=swg21426108

IBM APAR IC65922
SECURITY: BUFFER OVERRUN IN REPEAT UDF.
http://www-01.ibm.com/support/docview.wss?uid=swg1IC65922

IBM APAR IC67848
SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATIONWEAK SECURITY CVE-2009-3555
http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848

IBM APAR PM12247
SHIP APAR FIXES FOR H28W610 FIX PACK 6.1.0.31.
http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247

ASA-2010-119
nss security update (RHSA-2010-0165)
https://support.avaya.com/css/P8/documents/100081611

IBM APAR PM10658
IBM HTTP SERVER 2.0.47 CUMULATIVE INTERIM FIX
http://www-01.ibm.com/support/docview.wss?uid=swg1PM10658

HP Security Bulletin HPSBMA02534 SSRT090180
HP System Management Homepage (SMH) for Linux and Windows, Remote Unauthorized Information Disclosure, Unauthorized Data Modification, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02171256

IBM Support and Downloads
Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.7 Fix Pack 2
http://www-01.ibm.com/support/docview.wss?uid=swg21432298

OpenOffice Web Site
OpenOffice.org 2 and 3 may be affected by the TLS/SSL Renegotiation Issue in 3rd Party Libraries
http://www.openoffice.org/security/cves/CVE-2009-3555.html

HP Security Bulletin HPSBMA02547 SSRT100180
HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Execution of Arbitrary Code and Other Vulnerabilities
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c02273751

Oracle Critical Patch Update Advisory - July 2010
Oracle Critical Patch Update Advisory - July 2010
http://www.oracle.com/technetwork/topics/security/cpujul2010-155308.html

HP Security Bulletin HPSBGN02562 SSRT090249
HP ProCurve Threat Management Services (TMS) zl Module J9155A and J9156A running TLS/SSL, Remote Unauthorized Data Injection, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02436041

Microsoft Security Bulletin MS10-049
Vulnerabilities in SChannel could allow Remote Code Execution (980436)
http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx

HP Security Bulletin HPSBMA02568 SSRT100219
HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), HTTP Response Splitting, and Other Vulnerabilities
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02512995

VMSA-2010-0015
VMware ESX third party updates for Service Console
http://lists.vmware.com/pipermail/security-announce/2010/000106.html

Oracle Critical Patch Update Advisory - October 2010
Oracle Critical Patch Update Advisory - October 2010
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

Microsoft Security Bulletin MS10-085
Vulnerabilities in SChannel Could Allow Denial of Service (2207566)
http://www.microsoft.com/technet/security/bulletin/ms10-085.mspx

Oracle Java SE and Java for Business Critical Patch Update Advisory - October 2010
Oracle Java SE and Java for Business Critical Patch Update Advisory - October 2010
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

VMSA-2010-0019
VMware ESX third party updates for Service Console
http://lists.vmware.com/pipermail/security-announce/2010/000113.html

SA50
Multiple SSL/TLS vulnerabilities in Reporter
https://kb.bluecoat.com/index?page=content&id=SA50

Innominate mGuard
Version 7.2.1 - Release Notes
http://www.innominate.com/data/downloads/manuals/releasenotes_mguard_721_en.pdf

Innominate mGuard
Version 6.1.5 - Release Notes
http://www.innominate.com/data/downloads/manuals/releasenotes_mguard_615_en.pdf

Innominate mGuard
Version 5.1.6 - Release Notes
http://www.innominate.com/data/downloads/manuals/releasenotes_mguard_516_en.pdf

Oracle Critical Patch Update Advisory - April 2011
Oracle Critical Patch Update Advisory - April 2011
http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Sun Security Blog, 29 Apr 2011
Multiple Vulnerabilities in the Apache 2 HTTP Server Prior to 2.2.16
http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_the_apache

Bluecoat Web site
Security Advisories
https://kb.bluecoat.com/index?page=content&id=SA61

HPSBHF02706 SSRT100613 rev.1
HP Integrated Lights-Out iLO2 and iLO3 running SSL/TLS, Denial of Service (DoS), Unauthorized Modification
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03024266

Microsoft Security Bulletin MS12-006
Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
http://technet.microsoft.com/en-us/security/bulletin/ms12-006

HP Security Bulletin HPSBMU02759 SSRT100817
HP Onboard Administrator (OA), Remote Unauthorized Access, Unauthorized Information Disclosure, Denial of Service (DoS), URL Redirection
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03263573

HP Security Bulletin HPSBMU02769 SSRT100846
HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Unauthorized Access, Execution of Arbitrary Code, and Other Vulnerabilities
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151

Microsoft Security Bulletin MS12-049
Vulnerability in TLS Could Allow Information Disclosure (2655992)
http://technet.microsoft.com/en-us/security/bulletin/ms12-049

Microsoft Security Bulletin MS14-066
Vulnerability in Schannel Could Allow Remote Code Execution (2992611)
http://technet.microsoft.com/en-us/security/bulletin/MS14-066

ISS X-Force
Transport Layer Security (TLS) handshake renegotiation weak security
http://www.iss.net/security_center/static/54158.php

CVE
CVE-2009-3555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555