Transport Layer Security (TLS) handshake renegotiation weak security (TLS_Server_Cipher_Renegotiation)

About this signature or vulnerability

Virtual Server Protection for Vmware, IBM Security Host Protection for Servers (Unix), IBM Security Network Protection, Proventia Server IPS for Linux technology, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network IPS:

This signature detects an SSL/TLS session in which a TLS server requests a cipher renegotiation after encrypted application data has been transmitted. This behavior is not common under most normal circumstances and may indicate that a man-in-the-middle attack is taking place.
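One way a passive sensor could implement the condition described above, given as an added example and not as the vendor's signature logic. It assumes TLS 1.2 or earlier (where the 5-byte record header stays in cleartext after encryption starts) and input already reassembled into per-direction segments of whole records; all function names and the sample sessions are constructed for illustration.

```python
import struct

# TLS record-layer content types (visible in cleartext up to TLS 1.2).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
KNOWN_TYPES = {CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA}


def parse_records(segment: bytes):
    """Yield the content type of each TLS record in a reassembled segment."""
    offset = 0
    while offset < len(segment):
        if offset + 5 > len(segment):
            raise ValueError("truncated record header")
        ctype, major, _minor, length = struct.unpack_from("!BBBH", segment, offset)
        if ctype not in KNOWN_TYPES or major != 3:
            raise ValueError(f"not a TLS record at offset {offset}")
        if offset + 5 + length > len(segment):
            raise ValueError("truncated record body")
        yield ctype
        offset += 5 + length


def find_server_requested_renegotiations(segments):
    """Return record indices where the server opens a new handshake
    after application data has already flowed.

    segments: iterable of (direction, bytes), direction "client" or "server".
    Once encryption is on, the handshake message type is hidden, so the
    sensor relies on who sends the first handshake record: the server
    (an encrypted HelloRequest) or the client (a client-initiated
    renegotiation, which is not what this signature describes).
    """
    app_data_seen = False   # initial handshake is over, data has flowed
    in_reneg = False        # a client ClientHello has started a renegotiation
    ccs_seen = set()        # directions that sent ChangeCipherSpec during it
    hits = []
    index = 0
    for direction, segment in segments:
        for ctype in parse_records(segment):
            if ctype == APPLICATION_DATA:
                app_data_seen = True
                # Data after both sides switched keys: renegotiation finished.
                if in_reneg and ccs_seen == {"client", "server"}:
                    in_reneg = False
                    ccs_seen = set()
            elif ctype == CHANGE_CIPHER_SPEC and in_reneg:
                ccs_seen.add(direction)
            elif ctype == HANDSHAKE and app_data_seen and not in_reneg:
                if direction == "server":
                    hits.append(index)      # server-requested renegotiation
                else:
                    in_reneg = True         # client started; server replies follow
            index += 1
    return hits


def rec(ctype: int, body_len: int) -> bytes:
    """Build a constructed record: header for version 3.1 plus opaque body."""
    return struct.pack("!BBBH", ctype, 3, 1, body_len) + bytes(body_len)


def initial_handshake():
    """Constructed full handshake followed by one request and one response."""
    return [
        ("client", rec(HANDSHAKE, 60)),
        ("server", rec(HANDSHAKE, 900)),
        ("client", rec(HANDSHAKE, 130) + rec(CHANGE_CIPHER_SPEC, 1) + rec(HANDSHAKE, 40)),
        ("server", rec(CHANGE_CIPHER_SPEC, 1) + rec(HANDSHAKE, 40)),
        ("client", rec(APPLICATION_DATA, 200)),
        ("server", rec(APPLICATION_DATA, 500)),
    ]


def renegotiation(server_requested: bool):
    """Constructed renegotiation, optionally opened by a server HelloRequest."""
    opener = [("server", rec(HANDSHAKE, 24))] if server_requested else []
    return opener + [
        ("client", rec(HANDSHAKE, 80)),
        ("server", rec(HANDSHAKE, 900)),
        ("client", rec(HANDSHAKE, 130) + rec(CHANGE_CIPHER_SPEC, 1) + rec(HANDSHAKE, 40)),
        ("server", rec(CHANGE_CIPHER_SPEC, 1) + rec(HANDSHAKE, 40)),
        ("client", rec(APPLICATION_DATA, 200)),
    ]


SERVER_REQUESTED_SESSION = initial_handshake() + renegotiation(True)
CLIENT_INITIATED_SESSION = initial_handshake() + renegotiation(False)

if __name__ == "__main__":
    print(find_server_requested_renegotiations(SERVER_REQUESTED_SESSION))
    print(find_server_requested_renegotiations(CLIENT_INITIATED_SESSION))
```

The check does not carry over to TLS 1.3, which removes renegotiation and wraps post-handshake messages in application-data records.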


False positives

Virtual Server Protection for Vmware, IBM Security Host Protection for Servers (Unix), IBM Security Network Protection, Proventia Server IPS for Linux technology, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network IPS: Each session contains valid traffic, and legitimate traffic may cause this event to trigger a false positive under certain circumstances.

Default risk level

Medium

Sensors that have this signature

Virtual Server Protection for Vmware: 1.0, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Network Protection: 5.1, Proventia Server IPS for Linux technology: 29.110, Proventia Network MFS: XPU 29.110, IBM Security Host Protection for Servers (Windows): 2.1.14.2450, IBM Security Host Protection for Servers (Windows): 1.0.914.2450, IBM Security Host Protection for Servers (Windows): 2.0.300.2450, RealSecure Server Sensor: XPU 29.110, Proventia-G 1.1 and earlier: XPU 29.110, Proventia Network IDS: XPU 29.110, IBM Security Host Protection for Desktops: 2450, Proventia Network IPS: XPU 29.110

Systems affected

Microsoft Internet Information Services: 7.5, RedHat Enterprise Linux: 5.4.z EUS, Blue Coat Systems Security Gateway OS (SGOS): 4.0, Blue Coat Systems Security Gateway OS (SGOS): 5.1, Blue Coat Systems Security Gateway OS (SGOS): 5.2, Blue Coat Systems Security Gateway OS (SGOS): 5.3, Blue Coat Systems Security Gateway OS (SGOS): 5.4, Aruba Networks ArubaOS: 3.3.2.X, Aruba Networks ArubaOS: 3.4.X, Microsoft Windows Server 2008: SP2 Itanium, Apple Mac OS X Server: 10.6.2, PeerSec MatrixSSL: 1.8.7, VooDoo cIRCle: 1.1.38.7, Apple Mac OS X: 10.6.2, OpenOffice OpenOffice.org: 3.2, Mozilla SeaMonkey: 2.0.2, Mozilla Thunderbird: 3.0.1, HP System Management Homepage: 3.0.0-64, HP System Management Homepage: 3.0.2-77, Zeus Zeus Web Server: 4.3 r4, IBM WebSphere DataPower, Oracle WebLogic Server: 10.3.2, IBM Java SDK: 6.1, Sun GlassFish Enterprise Server: 2.1.1, IBM WebSphere DataPower SOA Appliances: 3.6.1, IBM WebSphere DataPower SOA Appliances: 3.7.1, IBM WebSphere DataPower SOA Appliances: 3.7.2, IBM WebSphere DataPower SOA Appliances: 3.7.3, IBM WebSphere DataPower SOA Appliances: 3.8, Sun Java System Application Server: 8.0 Enterprise, IBM Java SDK: 5.0, IBM Java SDK: 6.0, Sun OpenSolaris: 2009.06, IBM Java: 1.4, IBM Java: 5.0, Sun JDK: 6 Update18, Sun JRE: 6 Update18, Sun JDK: 5.0 Update23, Sun SDK: 1.4.2_25, HP System Management Homepage: 6.0.0.95, HP System Management Homepage: 6.0.0.96, Mozilla Firefox: 3.6, Cisco Digital Media Manager (DMM): 5.0, RedHat RHEL Supplementary: 5.4.z EUS, HP Systems Insight Manager: 5.3, HP Systems Insight Manager: 5.3 Update 1, RedHat Red Hat Enterprise Linux: 4.8.z Extras, RedHat Red Hat Enterprise Linux: 4.7.z Extras, HP Systems Insight Manager: 6.0, Oracle WebLogic Server: 10.0 MP2, Oracle WebLogic Server: 10.3.3, Mandriva Enterprise Server: 5, Mandriva Enterprise Server: 5 X86_64, Mandriva Linux: 2010, Mandriva Linux: 2010 X86_64, BlueCoat Reporter: 9.2.3.1, BlueCoat Reporter: 8.3.7.1, BlueCoat Reporter: 9.1.5.1, Turbolinux 
Appliance Server: 3.0 x64, Turbolinux Appliance Server: 3.0, Turbolinux Client: 2008, Oracle Java for Business JRE: 6 Update 21, Oracle Java for Business JDK: 5 Update 25, Oracle Java for Business SDK: 1.4.2_27, Oracle Java for Business JRE: 1.4.2_27, Oracle Java SE JRE: 6 Update 21, Oracle Java SE JDK: 5 Update 25, Oracle Java SE SDK: 1.4.2_27, Oracle Java SE JDK: 6 Update 21, Oracle Java for Business JDK: 6 Update 21, Oracle Transportation Management: 5.5.06.03, Oracle Transportation Management: 6.0.6, Oracle Transportation Management: 6.1.2, HP Systems Insight Manager: 6.1, HP System Management Homepage: 6.0, HP System Management Homepage: 6.1, Blue Coat Systems Director: 5.x, Innominate Security Technologies mGuard: 5.x, Innominate Security Technologies mGuard: 6.x, Innominate Security Technologies mGuard: 7, RedHat Enterprise Linux: 6 Server, RedHat Enterprise Linux: 6 Workstation, Microsoft IIS: 7.0, HP Onboard Administrator: 3.21, HP Onboard Administrator: 3.31, HP Integrated Lights-Out 2 Firmware: 2.05, HP Integrated Lights-Out 3 Firmware: 1.16, HP System Management Homepage: 3.0, HP System Management Homepage: 2.1.15-210, HP System Management Homepage: 3.0.0-68, FreeBSD FreeBSD: 7.2 pre-Release, GNU GnuTLS: 2.6.1, GNU GnuTLS: 2.6.2, GNU GnuTLS: 2.6.3, GNU GnuTLS: 2.6.4, GNU GnuTLS: 2.6.5, IBM DB2 Universal Database: 9.1 FP6, VMware ESX: 3.5, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows XP: SP3, Ingate Ingate Firewall: 4.7, Ingate Ingate SIParator: 4.7, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows Server 2008: Itanium, IBM DB2 Universal Database: 9.1 FP7, Apache HTTP Server: 2.2.12, Microsoft Windows Server 2008: R2 Itanium, RedHat Enterprise Linux: 4.8.z ES, RedHat Enterprise Linux: 4.8.z AS, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, GNU GnuTLS: 2.8.0, Mozilla Nss: 3.4, 
Mozilla Nss: 3.11.7, Mozilla Nss: 3.12, Mozilla Nss: 3.6, Mozilla Nss: 3.11.2, Mozilla Nss: 3.11.8, Mozilla Nss: 3.11.4, Mozilla Nss: 3.0, Mozilla Nss: 3.12.2, Mozilla Nss: 3.12.1, Mozilla Nss: 3.5, Mozilla Nss: 3.4.2, Mozilla Nss: 3.4.3, Mozilla Nss: 3.4.1, Mozilla Nss: 3.6.1, Mozilla Nss: 3.10, Mozilla Nss: 3.9.5, Mozilla Nss: 3.9, Mozilla Nss: 3.7.7, Mozilla Nss: 3.7.5, Mozilla Nss: 3.7, Mozilla Nss: 3.7.1, Mozilla Nss: 3.7.2, Mozilla Nss: 3.7.3, Mozilla Nss: 3.8, Mozilla Nss: 3.3.2, Mozilla Nss: 3.3.1, Mozilla Nss: 3.3, Mozilla Nss: 3.2.1, Mozilla Nss: 3.2, GNU GnuTLS: 1.7.8, GNU GnuTLS: 1.7.9, GNU GnuTLS: 1.7.4, GNU GnuTLS: 1.7.5, GNU GnuTLS: 1.7.10, GNU GnuTLS: 2.3.10, GNU GnuTLS: 1.7.11, GNU GnuTLS: 2.1.4, GNU GnuTLS: 1.7.2, GNU GnuTLS: 1.7.3, GNU GnuTLS: 2.3.1, GNU GnuTLS: 1.7.0, GNU GnuTLS: 2.3.0, GNU GnuTLS: 1.7.1, GNU GnuTLS: 2.1.8, GNU GnuTLS: 1.7.6, GNU GnuTLS: 1.7.7, GNU GnuTLS: 2.0.1, GNU GnuTLS: 1.5.4, GNU GnuTLS: 2.1.2, GNU GnuTLS: 1.5.3, GNU GnuTLS: 2.1.3, GNU GnuTLS: 1.5.2, GNU GnuTLS: 2.1.0, GNU GnuTLS: 1.5.1, GNU GnuTLS: 2.1.1, GNU GnuTLS: 1.6.1, GNU GnuTLS: 2.1.7, GNU GnuTLS: 1.6.2, GNU GnuTLS: 2.1.6, GNU GnuTLS: 1.5.5, GNU GnuTLS: 2.1.5, GNU GnuTLS: 1.6.0, GNU GnuTLS: 2.5.0, GNU GnuTLS: 2.3.11, GNU GnuTLS: 2.3.2, GNU GnuTLS: 2.3.4, GNU GnuTLS: 2.3.3, GNU GnuTLS: 1.2.8.1a1, GNU GnuTLS: 2.6.6, GNU GnuTLS: 2.8.1, IBM DB2: 9.7, GNU GnuTLS: 1.7.14, GNU GnuTLS: 1.7.15, GNU GnuTLS: 1.7.12, GNU GnuTLS: 1.7.13, GNU GnuTLS: 1.7.18, GNU GnuTLS: 1.7.19, GNU GnuTLS: 2.2.5, GNU GnuTLS: 1.7.16, GNU GnuTLS: 2.2.4, GNU GnuTLS: 1.7.17, GNU GnuTLS: 1.5.0, GNU GnuTLS: 2.0.2, GNU GnuTLS: 1.4.4, GNU GnuTLS: 2.0.3, GNU GnuTLS: 1.4.3, GNU GnuTLS: 2.0.0, GNU GnuTLS: 1.4.2, Apache HTTP Server: 2.2.13, IBM HTTP Server: 7.0, Apple Mac OS X: 10.5.8, Apple Mac OS X Server: 10.5.8, Opera Opera Browser: 9.0, Citrix Secure Gateway: 3.1, OpenSSL OpenSSL: 0.9.7M, OpenSSL OpenSSL: 0.9.7A-2 I386 Dev, OpenSSL OpenSSL: 0.9.7A-2 I386, OpenSSL OpenSSL: 0.9.6-15 I386, OpenSSL 
OpenSSL: 0.9.7A-2 I386 Perl, OpenSSL OpenSSL: 0.9.6B-3 I386, OpenSSL OpenSSL: 1.0 Openvms, Mandriva Linux: 2009.1 X86_64, Mandriva Linux: 2009.1, Mozilla Firefox: 3.5, HP ProCurve Threat Mgmt Services zl Module (J9155A): ST.1.0.090213, Apache HTTP Server: 2.2.7, Apache HTTP Server: 2.0.58 Win32, Apache HTTP Server: 2.1.9, FreeBSD FreeBSD: 8.0, Apache HTTP Server: 1.3.7 Dev, Apache HTTP Server: 1.3.65, Apache HTTP Server: 1.99, Apache HTTP Server: 1.3.68, Apache HTTP Server: 1.2.4, Apache HTTP Server: 1.3.1.1, Apache HTTP Server: 1.2.6, Apache HTTP Server: 1.4.0, Apache HTTP Server: 2.0.46 Win32, Apache HTTP Server: 2.2.11, Apache HTTP Server: 2.2.10, Microsoft Windows 7: x64, Sun Solaris: 9 SPARC, Sun Java System Web Proxy Server: 4.0 SP1, OpenSSL OpenSSL: 0.9.8h, OpenVPN OpenVPN: 2.1 rc8, OpenVPN OpenVPN: 2.1 beta14, Apache HTTP Server: 2.2.9, GNU GnuTLS: 2.3.5, GNU GnuTLS: 2.3.6, GNU GnuTLS: 2.3.7, GNU GnuTLS: 2.3.8, GNU GnuTLS: 2.3.9, GNU GnuTLS: 2.4.0, FreeBSD FreeBSD: 6.4, HP System Management Homepage: 2.1.10, Ingate Ingate SIParator: 4.6.2, Ingate Ingate Firewall: 4.6.2, Sun OpenSolaris: build_snv_86 x86, HP System Management Homepage: 2.2.6, HP System Management Homepage: 2.2.8, GNU GnuTLS: 2.6.0, FreeBSD FreeBSD: 7.1, HP System Management Homepage: 2.1.12, HP Systems Insight Manager: 5.2, IBM DB2 Universal Database: 9.1 FP5, Canonical Ubuntu: 8.10, Sun Java System Web Proxy Server: 4.0.7, Mandriva Linux: 2009.0 X86_64, Mandriva Linux: 2009.0, Sun OpenSolaris: build_snv_86 SPARC, ProFTPD ProFTPD: 1.3.2, Cisco ACE 4710, GNU GnuTLS: 2.4.1, GNU GnuTLS: 2.4.2, HP System Management Homepage: 2.1.0-103, HP System Management Homepage: 2.1.0-103(A), HP System Management Homepage: 2.1.0-109, HP System Management Homepage: 2.1.0-118, HP System Management Homepage: 2.1.10-186, HP System Management Homepage: 2.1.11-197, HP System Management Homepage: 2.1.12-118, HP System Management Homepage: 2.1.12-200, HP System Management Homepage: 2.1.2-127, HP System Management 
Homepage: 2.1.4-143, HP System Management Homepage: 2.1.5-146, HP System Management Homepage: 2.1.6-156, HP System Management Homepage: 2.1.7-168, HP System Management Homepage: 2.1.8-177, HP System Management Homepage: 2.1.9-178, Debian Debian Linux: 5.0, RedHat RHEL Supplementary: 5.3.z EUS, JBoss Enterprise Web Server, RedHat Enterprise Linux Desktop Supplementary : 6, RedHat Enterprise Linux HPC Node : 6, RedHat Enterprise Linux HPC Node Supplementary : 6, RedHat Enterprise Linux for SAP, RedHat Enterprise Linux Server EUS: 6.0.z, RedHat Enterprise Linux Server Supplementary : 6, RedHat Enterprise Linux Workstation Supplementary : 6, RedHat Enterprise Linux Desktop : 6, HP Onboard Administrator: 3.32, HP Systems Insight Manager: 5.0 SP6, HP Systems Insight Manager: 6.2, HP Systems Insight Manager: 6.3, GNU GnuTLS: 1.6.3, GNU GnuTLS: 2.0.4, GNU GnuTLS: 2.2.0, GNU GnuTLS: 2.2.1, GNU GnuTLS: 2.2.2, GNU GnuTLS: 2.2.3, GNU GnuTLS: 1.1.13, GNU GnuTLS: 1.4.5, Canonical Ubuntu: 8.04 LTS, Aruba Networks Mobility Controller: 2.4.8.0-FIPS, OpenSSL OpenSSL: 0.9.8g, OpenSSL OpenSSL: 0.9.8f, IBM DB2 Universal Database: 9.1 FP1, RedHat RHEL Supplementary: 5.2.z EUS, Novell OpenSUSE: 11.0, Apache HTTP Server: 2.0.63, Apache HTTP Server: 2.2.8, Novell SUSE Linux Enterprise Desktop: 10 SP2, Novell SUSE Linux Enterprise: 10 SP2 DEBUGINFO, Novell SLE SDK: 10 SP2, HP System Management Homepage: 2.1.11, Novell SUSE Linux Enterprise Server: 10 SP2, Oracle WebLogic Server: 9.2 MP3, IBM OS 400: 5.2, OpenSSL OpenSSL: 0.9.8c, OpenSSL OpenSSL: 0.9.8d, OpenSSL OpenSSL: 0.9.8e, OpenSSL OpenSSL: 0.9.8b, OpenSSL OpenSSL: 0.9.8, OpenSSL OpenSSL: 0.9.7k, OpenSSL OpenSSL: 0.9.7l, OpenSSL OpenSSL: 0.9.7j, OpenSSL OpenSSL: 0.9.7i, OpenSSL OpenSSL: 0.9.7h, OpenSSL OpenSSL: 0.9.7g, OpenSSL OpenSSL: 0.9.7f, OpenSSL OpenSSL: 0.9.7e, OpenSSL OpenSSL: 0.9.7d, OpenSSL OpenSSL: 0.9.7 Beta6, OpenSSL OpenSSL: 0.9.7 Beta5, OpenSSL OpenSSL: 0.9.7 Beta4, OpenSSL OpenSSL: 0.9.7 Beta3, Novell Open Enterprise 
Server, OpenSSL OpenSSL: 0.9.1c, OpenSSL OpenSSL: 0.9.2b, OpenSSL OpenSSL: 0.9.3, OpenSSL OpenSSL: 0.9.3a, OpenSSL OpenSSL: 0.9.4, OpenSSL OpenSSL: 0.9.5, OpenSSL OpenSSL: 0.9.5 Beta1, OpenSSL OpenSSL: 0.9.5 Beta2, OpenSSL OpenSSL: 0.9.5a, OpenSSL OpenSSL: 0.9.5a Beta1, OpenSSL OpenSSL: 0.9.5a Beta2, OpenSSL OpenSSL: 0.9.6, OpenSSL OpenSSL: 0.9.6 Beta2, OpenSSL OpenSSL: 0.9.6 Beta1, OpenSSL OpenSSL: 0.9.6a Beta3, OpenSSL OpenSSL: 0.9.6a Beta2, OpenSSL OpenSSL: 0.9.6a Beta1, OpenSSL OpenSSL: 0.9.6 Beta3, OpenSSL OpenSSL: 0.9.7 Beta2, OpenSSL OpenSSL: 0.9.7 Beta1, OpenSSL OpenSSL: 0.9.6c, OpenSSL OpenSSL: 0.9.6b, OpenSSL OpenSSL: 0.9.6d, OpenSSL OpenSSL: 0.9.6e, OpenSSL OpenSSL: 0.9.6f, OpenSSL OpenSSL: 0.9.6g, OpenSSL OpenSSL: 0.9.6h, OpenSSL OpenSSL: 0.9.6j, OpenSSL OpenSSL: 0.9.6l, OpenSSL OpenSSL: 0.9.6m, OpenSSL OpenSSL: 0.9.6-15, OpenSSL OpenSSL: 0.9.6B-3, OpenSSL OpenSSL: 0.9.7A-2, Sun Java System Web Proxy Server: 4.0.4, Sun Java System Web Proxy Server: 4.0.5, Sun Java System Web Proxy Server: 4.0.6, Sun Java System Web Proxy Server: 4.0.3, Sun Java System Web Proxy Server: 4.0.2, IBM HTTP Server: 6.1, IBM HTTP Server: 6.0, HP System Management Homepage: 2.1.5, HP Systems Insight Manager: 4.2, HP System Management Homepage: 2.1.2, HP System Management Homepage: 2.1.4, HP Systems Insight Manager: 4.1, HP Systems Insight Manager: 5.0, HP System Management Homepage: 2.0.0, HP System Management Homepage: 2.0.1, HP System Management Homepage: 2.0.2, GNU GnuTLS: 1.4.1, HP System Management Homepage: 2.1, HP System Management Homepage: 2.1.1, HP System Management Homepage: 2.1.3, HP System Management Homepage: 2.1.3.132, HP System Management Homepage: 2.1.6, HP System Management Homepage: 2.1.7, HP System Management Homepage: 2.1.8, HP System Management Homepage: 2.1.9, HP Systems Insight Manager, HP Systems Insight Manager: 4.0, GNU GnuTLS: 1.3.3, GNU GnuTLS: 1.3.4, GNU GnuTLS: 1.3.5, GNU GnuTLS: 1.4.0, GNU GnuTLS: 1.2.5, GNU GnuTLS: 1.2.6, GNU GnuTLS: 1.2.7, GNU 
GnuTLS: 1.2.8, GNU GnuTLS: 1.2.9, GNU GnuTLS: 1.3.0, GNU GnuTLS: 1.3.1, GNU GnuTLS: 1.3.2, GNU GnuTLS: 1.1.15, GNU GnuTLS: 1.1.16, GNU GnuTLS: 1.1.17, GNU GnuTLS: 1.1.18, GNU GnuTLS: 1.1.19, GNU GnuTLS: 1.1.20, GNU GnuTLS: 1.1.21, GNU GnuTLS: 1.1.22, GNU GnuTLS: 1.1.23, GNU GnuTLS: 1.2.0, GNU GnuTLS: 1.2.1, GNU GnuTLS: 1.2.10, GNU GnuTLS: 1.2.11, GNU GnuTLS: 1.2.2, GNU GnuTLS: 1.2.3, GNU GnuTLS: 1.2.4, Apache HTTP Server: 1.0.2, Apache HTTP Server: 0.8.14, Apache HTTP Server: 0.8.11, Apache HTTP Server: 2.0.54, Apache HTTP Server: 2.0.56, Apache HTTP Server: 2.0.57, Apache HTTP Server: 2.0.50, Apache HTTP Server: 2.0.53, Apache HTTP Server: 2.0.43, Apache HTTP Server: 2.0.44, Apache HTTP Server: 2.0.45, Apache HTTP Server: 2.0.32 Beta, Apache HTTP Server: 2.0.34 Beta, Apache HTTP Server: 1.3.7, Apache HTTP Server: 1.3.8, Apache HTTP Server: 1.3.38, Apache HTTP Server: 1.3.5, Apache HTTP Server: 1.3.30, Apache HTTP Server: 1.0.5, Apache HTTP Server: 1.0.3, Apache HTTP Server: 1.1.1, Apache HTTP Server: 1.3.13, Apache HTTP Server: 1.3.15, Apache HTTP Server: 1.3.16, Apache HTTP Server: 2.0.9, Apache HTTP Server: 2.1.1, Apache HTTP Server: 2.1.2, Apache HTTP Server: 2.0.60, Apache HTTP Server: 2.0.61, Apache HTTP Server: 2.0.58, Apache HTTP Server: 2.1.3, Apache HTTP Server: 2.1.4, Apache HTTP Server: 2.1.5, Apache HTTP Server: 2.1.6, Apache HTTP Server: 2.1.7, Apache HTTP Server: 2.1.8, Apache HTTP Server: 2.2, Apache HTTP Server: 2.2.1, Avaya Communication Manager, Citrix Secure Gateway: 3.0, GNU GnuTLS: 1.0.16, GNU GnuTLS: 1.0.17, GNU GnuTLS: 1.0.18, GNU GnuTLS: 1.0.19, GNU GnuTLS: 1.0.20, GNU GnuTLS: 1.0.21, GNU GnuTLS: 1.0.22, GNU GnuTLS: 1.0.23, GNU GnuTLS: 1.0.24, GNU GnuTLS: 1.0.25, GNU GnuTLS: 1.1.14, IBM DB2 Universal Database: 9.1 FP2, IBM DB2 Universal Database: 9.1 FP3, IBM DB2 Universal Database: 9.1 FP4, OpenOffice OpenOffice.org: 2.0, Apache HTTP Server: 2.0.41, Apache HTTP Server: 2.0.32, Apache HTTP Server: 2.0.28, Apache HTTP Server: 2.0.35, Apache 
HTTP Server: 2.0.37, Apache HTTP Server: 2.0.36, Apache HTTP Server: 1.3.25, Apache HTTP Server: 1.3.18, Ingate Ingate SIParator: 4.5.1, Ingate Ingate Firewall: 4.5.1, Sun Java System Web Server: 7.0, Sun Java System Application Server: 8.1 Enterprise, Sun Java System Application Server: 8.2 Enterprise, Debian Debian Linux: 4.0, HP HP-UX: B.11.31, Apache HTTP Server: 2.0.59, Apache HTTP Server: 2.2.4, HP Systems Insight Manager: 5.0 SP5, Oracle WebLogic Server: 7.0 SP7, HP Systems Insight Manager: 5.0 SP4, Oracle WebLogic Server: 8.1 SP6, MandrakeSoft Mandrake Linux: 2008.0 X86_64, RedHat RHEL Desktop Supplementary: 5 Client, RedHat Enterprise Linux: 5 Client, MandrakeSoft Mandrake Linux: 2008.0, RedHat RHEL Supplementary: 5 Server, FreeBSD FreeBSD: 6.3, Apache HTTP Server: 1.3.4, Apache HTTP Server: 1.3.22, Apache HTTP Server: 1.3.24, Apache HTTP Server: 1.3.31, Apache HTTP Server: 1.3.35, Apache HTTP Server: 1.3.34, Apache HTTP Server: 1.3.32, Microsoft Internet Information Services: 7.0, Sun Java System Web Proxy Server: 4.0, Apache HTTP Server: 2.2.3, Apache HTTP Server: 2.0.46, Apache HTTP Server: 2.0.55, Turbolinux Turbolinux: 11 Server x64 Ed, Turbolinux Turbolinux: 11 Server, Apache HTTP Server: 2.2.0, Apache HTTP Server: 2.2.6, Apache HTTP Server: 1.3.0, Apache HTTP Server: 2.2.2, Apache HTTP Server: 2.2.5, Apache HTTP Server: 1.3.3, Apache HTTP Server: 1.3.36, Apache HTTP Server: 1.3.2, Apache HTTP Server: 1.3.39, Microsoft Windows Vista: SP1 x64, Microsoft Windows Vista: SP1, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: x64, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, Microsoft Windows Vista, Turbolinux Turbolinux: FUJI, IBM DB2 Universal Database: 9.1, Cisco Wireless Control System, Turbolinux Turbolinux Appliance Server: 2.0, Turbolinux Turbolinux: 10 Server x64 Ed, Apache HTTP 
Server: 1.3.37, IBM WebSphere Application Server: 6.1, Novell Linux POS: 9, IBM OS 400: 5.3.5, RedHat RHEL Extras: 3, HP Systems Insight Manager: 4.2 SP1, HP Systems Insight Manager: 4.2 SP2, HP Systems Insight Manager: 5.0 SP1, HP Systems Insight Manager: 5.0 SP2, HP Systems Insight Manager: 5.0 SP3, Avaya Modular Messaging: 2.0, Oracle WebLogic Server: 9.0, Apache HTTP Server: 2.0.40, RedHat RHEL Extras: 4, Oracle WebLogic Server: 9.1, Canonical Ubuntu: 6.06 LTS, Sun Java System Web Server: 6.1, IBM OS 400: 5.3, Novell SLE SDK: 10, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, Novell SUSE Linux Enterprise Server: 10, MandrakeSoft Mandrake Linux Corporate Server: 4.0, HP Systems Insight Manager: 4.1 SP1, HP Systems Insight Manager: 4.0 SP1, Apache HTTP Server: 2.0.51, IBM OS 400, Microsoft Windows XP: SP2, SuSE SuSE SLES: 9, HP HP-UX: B.11.23, Turbolinux Turbolinux: 10 Server, Avaya Message Application Server, MandrakeSoft Mandrake Linux Corporate Server: 3.0, Apache HTTP Server: 1.3.33, IBM WebSphere Application Server: 6.0, Ingate Ingate Firewall: 4.1.3, Sun Solaris: 10 SPARC, Sun Solaris: 10 x86, MandrakeSoft Mandrake Multi Network Firewall: 2.0, Avaya Message Networking, OpenSSL OpenSSL: 0.9.8a, Ingate Ingate Firewall: 4.2.0, Ingate Ingate SIParator: 4.2.0, IBM OS 400: 5.1, RedHat Enterprise Linux: 4 WS, RedHat Enterprise Linux: 4 ES, Apache HTTP Server: 2.0.52, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Sun Solaris: 10, Novell Linux Desktop: 9, RedHat Enterprise Linux: 3 WS, Microsoft Windows 2000: SP4, SUSE SuSE Linux: 9.0, OpenSSL OpenSSL: 0.9.6k, HP HP-UX: B.11.11, RedHat Enterprise Linux: 3 AS, RedHat Enterprise Linux: 3 ES, IBM HTTP Server: 2.0.47, Apache HTTP Server: 2.0.48, Apache HTTP Server: 2.0.49, RedHat Enterprise Linux: 3 Desktop, Apache HTTP Server: 1.3.29, OpenSSL OpenSSL: 0.9.6a, OpenSSL OpenSSL: 0.9.7c, OpenSSL OpenSSL: 0.9.7b, Sun Solaris: 9 x86, 
Sun Solaris: 8 SPARC, Gentoo Linux, Apache HTTP Server: 1.3.26, Apache HTTP Server: 1.3.6, Apache HTTP Server: 1.3.20, Apache HTTP Server: 1.3.23, Apache HTTP Server: 1.3.9, Apache HTTP Server: 1.3.12, Apache HTTP Server: 1.3.14, Apache HTTP Server: 1.3.17, Apache HTTP Server: 2.0.38, Apache HTTP Server: 2.0.39, Apache HTTP Server: 1.3.11, Apache HTTP Server: 2.0.42, OpenSSL OpenSSL: 0.9.7a, OpenSSL OpenSSL: 0.9.6i, OpenSSL OpenSSL: 0.9.7, Apache HTTP Server: 1.3.27, Apache HTTP Server: 2.0.47, Apache HTTP Server: 1.3.28, Apache HTTP Server: 1.2, Apache HTTP Server: 1.0, Apache HTTP Server: 1.2.5, Apache HTTP Server: 1.3.19, Apache HTTP Server: 2.0.28 Beta, Apache HTTP Server: 2.0, OpenSSL OpenSSL, Apache HTTP Server: 1.3, Sun Solaris: 8 x86

Type

Suspicious Activity

Vulnerability description

Multiple implementations of the Transport Layer Security (TLS) protocol, including SSL, could provide weaker than expected security, caused by TLS handshake renegotiation. A remote attacker could exploit this vulnerability via man-in-the-middle techniques to inject data into the beginning of the application protocol stream to execute HTTP transactions, bypass authentication and possibly launch further attacks against the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

TLS Mailing List Wed, 4 Nov 2009
MITM attack on delayed TLS-client auth through renegotiation
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html

The Apache Software Foundation Web site
Apache HTTP Server
http://httpd.apache.org/

Microsoft IIS Web site
The Official Microsoft IIS Site
http://www.iis.net/

OpenSSL CVS Repository
Check-in Number: 18790
http://cvs.openssl.org/chngview?cn=18790

IBM Internet Security Systems Protection Alert
Transport Layer Security (TLS) handshake renegotiation weak security
http://www.iss.net/threats/352.html

CTX123359
Transport Layer Security Renegotiation Vulnerability
http://support.citrix.com/article/CTX123359

cisco-sa-20091109-tls
Transport Layer Security Renegotiation Vulnerability
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml

MatrixSSL Web Site
MatrixSSL 1.8.8
http://www.matrixssl.org/archives/cat_releases.html

security advisory 20091112-01
An OpenSource VooDoo cIRCle
http://voodoo-circle.sourceforge.net/sa/sa-20091112-01.html

gmane.network.openvpn.devel
OpenVPN 2.1_rc21 released
http://article.gmane.org/gmane.network.openvpn.devel/2835

Ingate Web Site
Release notice for Ingate Firewall® 4.8.1 and Ingate SIParator® 4.8.1
http://www.ingate.com/Relnote.php?ver=481

HP Security Bulletin HPSBUX02482 SSRT090249 rev.1
HP-UX Running OpenSSL, Remote Unauthorized Data Injection, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686

FreeBSD-SA-09:15.ssl
SSL protocol flaw
http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc

Sun Alert ID: 273350
Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects Network Security Services (NSS)
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273350-1

IBM APAR PK96157
SHIP APAR FIXES FOR H28W601 FIX PACK 6.0.2.39. 09/09/14 PTF PECHANGE
http://www-01.ibm.com/support/docview.wss?uid=swg1PK96157

IBM Support and Downloads Web Site
IBM HTTP Server interim fix for PM00675
http://www-01.ibm.com/support/docview.wss?uid=swg24025312

ProFTPD Web site
1.3.2 Release Notes
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2c

SOL10737
SSL/TLS Authentication Gap – Status of Patches
https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html

ProFTP Web Site
1.3.2 Release Notes
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2c

IBM APAR IZ65239
Transport Layer Security (TLS) handshake renegotiation weak security CVE-2009-3555
http://www-01.ibm.com/support/docview.wss?uid=swg21415080

The Apache Tomcat Native - Miscellaneous Documentation
Changes between 1.1.17 and 1.1.18
http://tomcat.apache.org/native-doc/miscellaneous/changelog-1.1.x.html

HP Security Bulletin HPSBUX02498 SSRT090264 rev.1
HP-UX Running Apache, Remote Unauthorized Data Injection, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01963123

Offensive Security Exploit Database [12-21-2009]
TLS Renegotiation Vulnerability PoC Exploit
http://www.exploit-db.com/exploits/10579

Sun Alert ID: 274990
Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Affects Multiple Server Products in the Sun Java Enterprise System Suite
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1

IBM Support and Downloads
Are DataPower appliances affected by the SSL Man-in-the-Middle attack (CVE-2009-3555)?
http://www-01.ibm.com/support/docview.wss?uid=swg21410851

IBM Support and Downloads
Critical updates for IBM WebSphere DataPower SOA appliances
http://www-01.ibm.com/support/docview.wss?uid=swg21390112

IBM Support and Downloads
TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION VULNERABILITY
http://www-01.ibm.com/support/docview.wss?uid=nas258cbfcf0a5645af7862576710041f65e

IBM Support and Downloads
DATAPOWER CHANGE TO PREVENT SSL TLS MAN-IN-THE-MIDDLE ATTACK
http://www-01.ibm.com/support/docview.wss?uid=swg1IC64790

Apple Web site
About Security Update 2010-001
http://support.apple.com/kb/HT4004

IBM Support and Downloads
TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR10
http://www-01.ibm.com/support/docview.wss?uid=swg24025719

IBM Support and Downloads
TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11
http://www-01.ibm.com/support/docview.wss?uid=swg24025718

IBM Security alerts
developerWorks : Java; technology : IBM developer kits : Additional documentation
http://www.ibm.com/developerworks/java/jdk/alerts/

Bugzilla@Mozilla Bug 526689
(CVE-2009-3555) SSL3 & TLS Renegotiation Vulnerability
https://bugzilla.mozilla.org/show_bug.cgi?id=526689

Mozilla Web site
NSS 3.12.5 release notes
https://developer.mozilla.org/NSS_3.12.5_release_notes

IBM Support & downloads
Transport Layer Security (TLS) handshake renegotiation weak security (CVE-2009-3555) in relation to WebSphere Application Server products
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D600&uid=swg21413714&loc=en_US&cs=utf-8&lang=en

Microsoft Security Advisory (977377)
Vulnerability in TLS/SSL Could Allow Spoofing
http://www.microsoft.com/technet/security/advisory/977377.mspx

Aruba Networks Security Advisory
TLS Protocol Session Renegotiation Security Vulnerability
http://www.arubanetworks.com/support/alerts/aid-020810.txt

Opera changelog
Opera 10.50 beta (with Opera Widgets for Desktop) for Windows changelog
http://www.opera.com/docs/changelogs/windows/1050b1/

Bluecoat Security Advisories ID: SA44
TLS/SSLv3 renegotiation (CVE-2009-3555)
https://kb.bluecoat.com/index?page=content&id=SA44

MFSA 2010-22
Update NSS to support TLS renegotiation indication
http://www.mozilla.org/security/announce/2010/mfsa2010-22.html

Oracle Critical Patch Update Advisory - March 2010
Oracle Java SE and Java for Business Critical Patch Update Advisory - March 2010
http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html

IBM Support and Downloads
Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.1 Fix Pack 9
http://www-01.ibm.com/support/docview.wss?uid=swg21426108

IBM APAR IC65922
SECURITY: BUFFER OVERRUN IN REPEAT UDF.
http://www-01.ibm.com/support/docview.wss?uid=swg1IC65922

IBM APAR IC67848
SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATIONWEAK SECURITY CVE-2009-3555
http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848

IBM APAR PM12247
SHIP APAR FIXES FOR H28W610 FIX PACK 6.1.0.31.
http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247

ASA-2010-119
nss security update (RHSA-2010-0165)
https://support.avaya.com/css/P8/documents/100081611

IBM APAR PM10658
IBM HTTP SERVER 2.0.47 CUMULATIVE INTERIM FIX
http://www-01.ibm.com/support/docview.wss?uid=swg1PM10658

HP Security Bulletin HPSBMA02534 SSRT090180
HP System Management Homepage (SMH) for Linux and Windows, Remote Unauthorized Information Disclosure, Unauthorized Data Modification, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02171256

IBM Support and Downloads
Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.7 Fix Pack 2
http://www-01.ibm.com/support/docview.wss?uid=swg21432298

OpenOffice Web Site
OpenOffice.org 2 and 3 may be affected by the TLS/SSL Renegotiation Issue in 3rd Party Libraries
http://www.openoffice.org/security/cves/CVE-2009-3555.html

HP Security Bulletin HPSBMA02547 SSRT100180
HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Execution of Arbitrary Code and Other Vulnerabilities
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c02273751

Oracle Critical Patch Update Advisory - July 2010
Oracle Critical Patch Update Advisory - July 2010
http://www.oracle.com/technetwork/topics/security/cpujul2010-155308.html

HP Security Bulletin HPSBGN02562 SSRT090249
HP ProCurve Threat Management Services (TMS) zl Module J9155A and J9156A running TLS/SSL, Remote Unauthorized Data Injection, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02436041

Microsoft Security Bulletin MS10-049
Vulnerabilities in SChannel could allow Remote Code Execution (980436)
http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx

HP Security Bulletin HPSBMA02568 SSRT100219
HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), HTTP Response Splitting, and Other Vulnerabilities
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02512995

VMSA-2010-0015
VMware ESX third party updates for Service Console
http://lists.vmware.com/pipermail/security-announce/2010/000106.html

Oracle Critical Patch Update Advisory - October 2010
Oracle Critical Patch Update Advisory - October 2010
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

Microsoft Security Bulletin MS10-085
Vulnerabilities in SChannel Could Allow Denial of Service (2207566)
http://www.microsoft.com/technet/security/bulletin/ms10-085.mspx

Oracle Java SE and Java for Business Critical Patch Update Advisory - October 2010
Oracle Java SE and Java for Business Critical Patch Update Advisory - October 2010
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

VMSA-2010-0019
VMware ESX third party updates for Service Console
http://lists.vmware.com/pipermail/security-announce/2010/000113.html

SA50
Multiple SSL/TLS vulnerabilities in Reporter
https://kb.bluecoat.com/index?page=content&id=SA50

Innominate mGuard
Version 7.2.1 - Release Notes
http://www.innominate.com/data/downloads/manuals/releasenotes_mguard_721_en.pdf

Innominate mGuard
Version 6.1.5 - Release Notes
http://www.innominate.com/data/downloads/manuals/releasenotes_mguard_615_en.pdf

Innominate mGuard
Version 5.1.6 - Release Notes
http://www.innominate.com/data/downloads/manuals/releasenotes_mguard_516_en.pdf

Oracle Critical Patch Update Advisory - April 2011
Oracle Critical Patch Update Advisory - April 2011
http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Sun Security Blog, 29 Apr 2011
Multiple Vulnerabilities in the Apache 2 HTTP Server Prior to 2.2.16
http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_the_apache

Bluecoat Web site
Security Advisories
https://kb.bluecoat.com/index?page=content&id=SA61

HPSBHF02706 SSRT100613 rev.1
HP Integrated Lights-Out iLO2 and iLO3 running SSL/TLS, Denial of Service (DoS), Unauthorized Modification
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03024266

Microsoft Security Bulletin MS12-006
Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
http://technet.microsoft.com/en-us/security/bulletin/ms12-006

HP Security Bulletin HPSBMU02759 SSRT100817
HP Onboard Administrator (OA), Remote Unauthorized Access, Unauthorized Information Disclosure, Denial of Service (DoS), URL Redirection
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03263573

HP Security Bulletin HPSBMU02769 SSRT100846
HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Unauthorized Access, Execution of Arbitrary Code, and Other Vulnerabilities
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151

Microsoft Security Bulletin MS12-049
Vulnerability in TLS Could Allow Information Disclosure (2655992)
http://technet.microsoft.com/en-us/security/bulletin/ms12-049

Microsoft Security Bulletin MS14-066
Vulnerability in Schannel Could Allow Remote Code Execution (2992611)
http://technet.microsoft.com/en-us/security/bulletin/MS14-066

ISS X-Force
Transport Layer Security (TLS) handshake renegotiation weak security
http://www.iss.net/security_center/static/54158.php

CVE
CVE-2009-3555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555