Check Point Provides Preemptive Protection for Microsoft SSL/TLS Renegotiation Vulnerability
(MS10-049, 977377, CVE-2009-3555)
Vulnerability
On August 10th 2010, Microsoft patched a critical vulnerability in the way Windows handles SSL (Secure Sockets Layer) and TLS (Transport Layer Security) renegotiations during secure communications. A remote attacker may exploit this vulnerability to take complete control of the affected system.
Details
SSL and TLS have a capability known as renegotiation, where a client and server that are already communicating through an SSL or TLS secure channel can negotiate new parameters. Certain TLS/SSL protected protocols assume that data received after a renegotiation is sent by the same client as before the renegotiation. If an attacker is able to intercept traffic, for example through DNS cache poisoning, they can execute a man-in-the-middle attack. The attacker could then interrupt a TLS renegotiation attempt and pretend to be the authenticated client.
Affected Products
This vulnerability exists in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Several other vendors’ products are affected as well: Apache HTTP Server 2.2.14 and earlier (in mod_ssl), OpenSSL prior to v0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services 3.12.4 and earlier, and multiple Cisco products.
Solution
Check Point IPS Software Blade and NGX SmartDefense have provided preemptive network protection for all of the products listed above since November 2009, by detecting and blocking TLS renegotiation traffic (see SBP-2009-23). Furthermore, immediately after Microsoft publicly disclosed on February 9th 2010 that Windows was vulnerable to this exploit, Check Point added a protection that is specific to TLS client-initiated renegotiation. For more information, see CPAI-2010-020.
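A minimal passive check for the kind of renegotiation traffic described above, as an added example (it is not Check Point's detection logic and not code from the original advisory). It assumes SSL 3.0 through TLS 1.2, a reassembled client-to-server byte stream, and hypothetical function names; it counts every new handshake the client sends after its first handshake finished, without determining which side requested it.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, APPLICATION_DATA = 22, 20, 23

def parse_records(stream: bytes):
    """Yield the content type of each complete TLS record in one direction."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if major != 3 or offset + 5 + length > len(stream):
            break  # not SSL 3.0/TLS, or truncated capture: stop rather than guess
        yield ctype
        offset += 5 + length

def count_renegotiations(client_stream: bytes) -> int:
    """Count handshakes the client starts after its first handshake completed."""
    state, renegotiations = "initial", 0
    for ctype in parse_records(client_stream):
        if ctype == CHANGE_CIPHER_SPEC:
            state = "ccs_seen"
        elif ctype == HANDSHAKE and state == "ccs_seen":
            state = "established"    # encrypted Finished ends a handshake
        elif ctype == HANDSHAKE and state == "established":
            renegotiations += 1      # encrypted ClientHello starts a new one
            state = "renegotiating"  # its later records are not counted again
    return renegotiations

def rec(ctype: int, length: int) -> bytes:
    """Build a constructed TLS 1.0 record with a dummy payload (sample data only)."""
    return struct.pack("!BBBH", ctype, 3, 1, length) + bytes(length)

# Constructed client-to-server streams, not captured traffic.
NORMAL = (rec(HANDSHAKE, 60) + rec(HANDSHAKE, 134) + rec(CHANGE_CIPHER_SPEC, 1)
          + rec(HANDSHAKE, 48) + rec(APPLICATION_DATA, 200))
RENEGOTIATED = (NORMAL + rec(HANDSHAKE, 96) + rec(HANDSHAKE, 160)
                + rec(CHANGE_CIPHER_SPEC, 1) + rec(HANDSHAKE, 48)
                + rec(APPLICATION_DATA, 80))

if __name__ == "__main__":
    print(count_renegotiations(NORMAL), count_renegotiations(RENEGOTIATED))
```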
Published August 12, 2010