CVE-2011-3389
Advisory lineage Upstream: 0 Downstream: 30
Modified
Published: 06 Sept 2011, 19:00
Last modified:06 Aug 2024, 23:29
Vulnerability Summary
Overall Risk (default)
medium
28/100 CVSS Score
4.3 MEDIUM
v2.0 (nvd)
EPSS Score
3.83% LOW
4% probability -0.06%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
06 Sept 2011, 19:00
Published
Vulnerability first disclosed
06 Aug 2024, 23:29
Last Modified
Vulnerability information updated
Description
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
CVSS Metrics
- v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 3.83%• Percentile: 88%
Techniques & Countermeasures
- CWE-326•Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Affected Systems
- canonical•ubuntu_linux
10.04 | 10.10 | 11.04 | 11.10
- debian•debian_linux
5.0 | 6.0
- Unknown•Chrome
na
- haxx•curl
≥ 7.10.6, ≤ 7.23.1
- Unknown•Internet Explorer
na
- Unknown•Windows
na
- mozilla•firefox
na
- opera•opera_browser
na
- redhat•enterprise_linux_desktop
5.0 | 6.0
- redhat•enterprise_linux_eus
6.2
- redhat•enterprise_linux_server
5.0 | 6.0
- redhat•enterprise_linux_server_aus
6.2
- redhat•enterprise_linux_workstation
5.0 | 6.0
- siemens•simatic_rf615r_firmware
< 3.2.1
- siemens•simatic_rf68xr_firmware
< 3.2.1
References (89)
- http://osvdb.org/74829
- http://eprint.iacr.org/2004/111
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://secunia.com/advisories/48692
- http://marc.info/?l=bugtraq&m=134254866602253&w=2
- http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
- http://marc.info/?l=bugtraq&m=133365109612558&w=2
- http://secunia.com/advisories/55322
- http://support.apple.com/kb/HT5130
- https://bugzilla.redhat.com/show_bug.cgi?id=737506
- http://marc.info/?l=bugtraq&m=132750579901589&w=2
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
- http://www.securitytracker.com/id?1025997
- http://www.us-cert.gov/cas/techalerts/TA12-010A.html
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
- http://www.securityfocus.com/bid/49388
- http://ekoparty.org/2011/juliano-rizzo.php
- http://downloads.asterisk.org/pub/security/AST-2016-001.html
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
- http://rhn.redhat.com/errata/RHSA-2013-1455.html
- http://secunia.com/advisories/55351
- http://www.kb.cert.org/vuls/id/864643
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.securityfocus.com/bid/49778
- http://www.debian.org/security/2012/dsa-2398
- http://secunia.com/advisories/48948
- http://support.apple.com/kb/HT6150
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://technet.microsoft.com/security/advisory/2588513
- https://hermes.opensuse.org/messages/13155432
- http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
- http://www.redhat.com/support/errata/RHSA-2011-1384.html
- http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
- http://www.opera.com/docs/changelogs/windows/1151/
- https://hermes.opensuse.org/messages/13154861
- http://eprint.iacr.org/2006/136
- http://secunia.com/advisories/48915
- http://security.gentoo.org/glsa/glsa-201203-02.xml
- http://marc.info/?l=bugtraq&m=132872385320240&w=2
- http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
- http://secunia.com/advisories/48256
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://www.securitytracker.com/id?1026103
- http://support.apple.com/kb/HT4999
- http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
- http://support.apple.com/kb/HT5501
- http://www.insecure.cl/Beast-SSL.rar
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- http://support.apple.com/kb/HT5001
- http://www.opera.com/docs/changelogs/mac/1160/
- http://curl.haxx.se/docs/adv_20120124B.html
- http://www.opera.com/support/kb/view/1004/
- http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
- http://www.securitytracker.com/id?1026704
- http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
- http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
- http://rhn.redhat.com/errata/RHSA-2012-0508.html
- http://secunia.com/advisories/45791
- http://www.securitytracker.com/id/1029190
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
- http://secunia.com/advisories/47998
- http://marc.info/?l=bugtraq&m=134254957702612&w=2
- http://secunia.com/advisories/49198
- http://www.redhat.com/support/errata/RHSA-2012-0006.html
- http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
- http://www.opera.com/docs/changelogs/windows/1160/
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
- http://marc.info/?l=bugtraq&m=133728004526190&w=2
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752
- http://www.opera.com/docs/changelogs/unix/1151/
- http://www.opera.com/docs/changelogs/mac/1151/
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
- http://www.opera.com/docs/changelogs/unix/1160/
- http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
- http://support.apple.com/kb/HT5281
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
- https://bugzilla.novell.com/show_bug.cgi?id=719047
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
- http://vnhacker.blogspot.com/2011/09/beast.html
- http://www.ubuntu.com/usn/USN-1263-1
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://secunia.com/advisories/55350
- http://www.ibm.com/developerworks/java/jdk/alerts/
- https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html