SSL patch not installed (SSLpatch)

Vuln ID: 1232
Risk Level: High risk vulnerability
Platforms: Microsoft Windows NT: 4.0, Microsoft Internet Information Server: 1.0, Microsoft Internet Information Server: 2.0, Microsoft Internet Information Server: 3.0
Description:

An unpatched version of the Secure Sockets Layer (SSL) allows an attacker to formulate a complex structured attack that could potentially decode an Internet transaction encrypted using SSL. This knowledge would not give the attacker an advantage in decoding any other transactions that had been made by the server, nor would it necessarily give the attacker an advantage in decoding any other transactions performed by the user. A Web site operator could detect an attack through observations, such as abnormal network activity or high CPU utilization.

Remedy:

Apply the latest Windows NT 4.0 Service Pack (SP4 or later), available from the Windows NT Service Packs Web page. See References.

— OR —

As an alternative, Windows NT SP3 users can apply the post-SP3 ssl-fix patch, as listed in Microsoft Knowledge Base Article Q148427. See References.

— AND —

To minimize the risk to your Web servers:

  • Change server-side certificates on a periodic basis. Once the certificate on a server has been changed, an attacker can no longer use this vulnerability to decode transactions that were encrypted with the previous private key.
  • Use a certificate on only a single system. Sometimes in server farms (large clusters of servers) the same certificate is installed on multiple systems. This is not recommended for the most secure solutions. If multiple servers are configured with the same certificate, an attacker could use the processing strength of each server to try to break a single session, thus reducing the time required.
  • Monitor normal performance trends and look for changes. Since this attack uses the processing power of the server against itself, regular monitoring of CPU utilization and network traffic could give warning of an attack. For example, a large amount of network traffic from a single source might indicate an attack.
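
The single-source traffic check from the last item can be automated. The sketch below is an added example, not part of the original advisory or any vendor tool; the log format (one "<ISO timestamp> <source IP>" line per inbound SSL connection), the sample data and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

EPOCH = datetime(1970, 1, 1)

def sample_log():
    """Constructed input: '<ISO timestamp> <source IP>' per inbound SSL connection."""
    lines = []
    for minute in range(3):
        for host in range(1, 9):              # eight ordinary clients
            for n in range(host % 3 + 1):     # 1-3 connections per minute each
                lines.append(f"1998-07-01T10:{minute:02d}:{n:02d} 192.0.2.{host}")
    for sec in range(60):                     # one source, one connection per second
        lines.append(f"1998-07-01T10:01:{sec:02d} 198.51.100.7")
    return lines

def flag_heavy_sources(lines, window=60, ratio=10, floor=30):
    """Return (window_start, source, count) for sources far above the window's median."""
    buckets = defaultdict(Counter)
    for line in lines:
        try:
            stamp, src = line.split()
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue                          # skip malformed lines instead of aborting
        buckets[int((ts - EPOCH).total_seconds()) // window][src] += 1
    alerts = []
    for bucket in sorted(buckets):
        counts = buckets[bucket]
        baseline = median(counts.values())    # typical per-source volume in this window
        start = (EPOCH + timedelta(seconds=bucket * window)).isoformat()
        for src, n in sorted(counts.items()):
            # Both conditions: high in absolute terms and far above the other sources
            if n >= floor and n >= ratio * baseline:
                alerts.append((start, src, n))
    return alerts

if __name__ == "__main__":
    for start, src, n in flag_heavy_sources(sample_log()):
        print(f"{start} {src} opened {n} connections in one window")
```

Tune `ratio` and `floor` against the server's normal traffic. A window containing only one source has no peers to compare against and is never flagged, so pair this with the CPU utilization monitoring described above.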
False Positives:
False Negatives:
Required Permission: Windows login
Additional Information:

References:

CERT Advisory CA-1998-07
Vulnerability in Some Usages of PKCS#1
http://www.cert.org/advisories/CA-1998-07.html

Microsoft Knowledge Base Article 148427
Generic SSL (PCT/TLS) Updates for IIS and MS Internet Products
http://support.microsoft.com/default.aspx?scid=kb;[LN];148427

Microsoft Security Bulletin MS98-002
Updates available for the SSL enabled Internet Server 'The Error Message Vulnerability'
http://www.microsoft.com/technet/security/bulletin/ms98-002.mspx

Bell Labs Innovations - Pages for Daniel Bleichenbacher
List of Publications
http://www.bell-labs.com/user/bleichen/bib.html

Microsoft Knowledge Base Article 148427
Generic SSL (PCT/TLS) Updates for IIS and MS Internet Products
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/ssl-fix/Q148427.TXT

Microsoft Security Bulletin MS98-009
Update Available for Windows NT Privilege Elevation attack
http://www.microsoft.com/technet/security/bulletin/ms98-009.mspx

Microsoft Product Support Services
Windows NT Service Packs
http://www.microsoft.com/ntserver/downloads

CIAC Information Bulletin I-066
Vulnerability in Some Implementations of PKCS#1
http://www.ciac.org/ciac/bulletins/i-066.shtml

ISS X-Force
SSL patch not installed
http://www.iss.net/security_center/static/1232.php

CVE CVE-1999-0662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0662

CVE CVE-1999-0007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0007

