TLS1/SSLv3 Renegotiation Vulnerability

RESOLVED INVALID

Status

Cloud Services
Web Site
6 years ago
4 years ago

People

(Reporter: H, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details


(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.5 Safari/534.30

Steps to reproduce:

Vulnerability description
A vulnerability in the way SSL and TLS protocols allow renegotiation requests may allow an attacker to inject plaintext into an application protocol stream. This could result in a situation where the attacker may be able to issue commands to the server that appear to be coming from a legitimate source. This issue affects SSL version 3.0 and newer and TLS version 1.0 and newer.

Affected items:
account.services.mozilla.com


Actual results:

A remote, unauthenticated attacker may be able to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream. This could allow an attacker to issue HTTP requests, or take action impersonating the user, among other consequences.


Expected results:

Care should be taken that they will be patched.

Thank you
(Reporter)

Updated

6 years ago

Updated

6 years ago
Group: mozilla-services-security
The only thing https://www.ssllabs.com/ssltest/analyze.html?d=account.services.mozilla.com&hideResults=on says is that client-initiated renegotiation is enabled, which can be used for DoS (https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks).

Comment 2

6 years ago
I'm not sure what the exact attack is. I believe this deals with CVE-2009-3555. So an attacker can prefix some chosen bytes to the communication, though only during the renegotiation.

There isn't anything interesting that the attacker could do without the user being authenticated.
(Reporter)

Comment 3

6 years ago
But the issue exists, sir, and will this issue come under the bounty program?

Thank you

Updated

6 years ago
Duplicate of this bug: 770138

Comment 5

6 years ago
No problem, both have been rewarded by Facebook.
Mozilla is not a serious company, report bugs for Google Chrome. :)
(Reporter)

Comment 6

5 years ago
It is none of your business overflow815@gmail.com
Duplicate of this bug: 806203
(Reporter)

Comment 8

5 years ago
Duplicate! Someone got added to this list, and what is the update on this vulnerability, REED.

Thanks
Duplicate of this bug: 806203
Comment 0 seems to be describing _insecure_ renegotiation, but provides no evidence that our server suffers from it. The SSLLabs report says we don't, and we certainly know about the problem (we had to pester the providers of our load-balancing hardware to support the Renegotiation extension).

The renegotiation attacks weren't all that hard to demonstrate (see the one used against Twitter in 2009); have you actually been able to inject prefix data?
Absent a response to comment 11, this looks invalid as per
https://www.ssllabs.com/ssltest/analyze.html?d=account.services.mozilla.com

(We're aware of the secure negotiation DoS potential, but that would not qualify for a web bug bounty.)
Group: mozilla-services-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
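The two comments above turn on a distinction the report itself blurs: insecure renegotiation (CVE-2009-3555, fixed by the RFC 5746 renegotiation extension) versus merely allowing client-initiated renegotiation (a CPU exhaustion concern, not plaintext injection). The following is an added example, not code from the bug or from Mozilla, showing how a defender would read the `Secure Renegotiation IS supported` / `IS NOT supported` line that `openssl s_client` prints and turn it into a verdict. The two `SAMPLE_*` outputs are constructed, not captured from account.services.mozilla.com; `client_initiated_reneg_enabled` is a hypothetical parameter standing in for the separate SSL Labs finding quoted in the thread.

```python
import re

# Constructed excerpts of `openssl s_client` output. The "Secure Renegotiation"
# line is the real format openssl prints; everything else here is sample data.
SAMPLE_SECURE = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
"""

SAMPLE_INSECURE = """\
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
"""

_RENEG_LINE = re.compile(r"^Secure Renegotiation IS( NOT)? supported$", re.M)


def s_client_command(host, port=443):
    """Real openssl invocation that produces the output parsed below.
    -servername sends SNI so the server picks the right certificate."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]


def parse_secure_renegotiation(output):
    """True if the RFC 5746 extension was negotiated, False if the server
    lacks it, None if the line is absent (handshake failed or output cut)."""
    m = _RENEG_LINE.search(output)
    if m is None:
        return None
    return m.group(1) is None


def assess(output, client_initiated_reneg_enabled=None):
    """Combine the s_client observation with the (hypothetical) SSL Labs
    client-initiated-renegotiation flag into two separate findings, because
    they are different risks: prefix injection (CVE-2009-3555) vs. DoS."""
    secure = parse_secure_renegotiation(output)
    if secure is None:
        verdict = "inconclusive: no Secure Renegotiation line in output"
    elif secure:
        verdict = "not exposed to CVE-2009-3555 prefix injection"
    else:
        verdict = "exposed to CVE-2009-3555 prefix injection: enable RFC 5746"
    return {
        "secure_renegotiation": secure,
        "prefix_injection_exposed": secure is False,
        # Client-initiated renegotiation is orthogonal to RFC 5746 support;
        # it only matters for resource exhaustion, not plaintext injection.
        "client_reneg_dos": bool(client_initiated_reneg_enabled),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(" ".join(s_client_command("example.invalid")))
    for label, sample in (("secure", SAMPLE_SECURE), ("insecure", SAMPLE_INSECURE)):
        print(label, assess(sample, client_initiated_reneg_enabled=True))
```

Run against a live host by piping `openssl s_client ... </dev/null` into `assess`; a server that prints `IS supported` and still permits client-initiated renegotiation matches the state described in comment 1, which is a DoS consideration rather than the injection issue the report claims.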

Updated

5 years ago
Blocks: 835426
Duplicate of this bug: 770138