CVE-2011-3389
Severity CVSS v4.0:
Pending analysis
Type:
CWE-326
Inadequate Encryption Strength
Publication date:
06/09/2011
Last modified:
11/04/2025
Description
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Impact
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:opera:opera_browser:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:siemens:simatic_rf68xr_firmware:*:*:*:*:*:*:*:* | 3.2.1 (excluding) | |
| cpe:2.3:h:siemens:simatic_rf68xr:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:siemens:simatic_rf615r_firmware:*:*:*:*:*:*:*:* | 3.2.1 (excluding) | |
| cpe:2.3:h:siemens:simatic_rf615r:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | 7.10.6 (including) | 7.23.1 (including) |
| cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:redhat:enterprise_linux_eus:6.2:*:*:*:*:*:*:* | ||
| cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
- http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
- http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
- http://curl.haxx.se/docs/adv_20120124B.html
- http://downloads.asterisk.org/pub/security/AST-2016-001.html
- http://ekoparty.org/2011/juliano-rizzo.php
- http://eprint.iacr.org/2004/111
- http://eprint.iacr.org/2006/136
- http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
- http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://marc.info/?l=bugtraq&m=132750579901589&w=2
- http://marc.info/?l=bugtraq&m=132750579901589&w=2
- http://marc.info/?l=bugtraq&m=132872385320240&w=2
- http://marc.info/?l=bugtraq&m=132872385320240&w=2
- http://marc.info/?l=bugtraq&m=133365109612558&w=2
- http://marc.info/?l=bugtraq&m=133365109612558&w=2
- http://marc.info/?l=bugtraq&m=133728004526190&w=2
- http://marc.info/?l=bugtraq&m=133728004526190&w=2
- http://marc.info/?l=bugtraq&m=134254866602253&w=2
- http://marc.info/?l=bugtraq&m=134254957702612&w=2
- http://marc.info/?l=bugtraq&m=134254957702612&w=2
- http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
- http://osvdb.org/74829
- http://rhn.redhat.com/errata/RHSA-2012-0508.html
- http://rhn.redhat.com/errata/RHSA-2013-1455.html
- http://secunia.com/advisories/45791
- http://secunia.com/advisories/47998
- http://secunia.com/advisories/48256
- http://secunia.com/advisories/48692
- http://secunia.com/advisories/48915
- http://secunia.com/advisories/48948
- http://secunia.com/advisories/49198
- http://secunia.com/advisories/55322
- http://secunia.com/advisories/55350
- http://secunia.com/advisories/55351
- http://security.gentoo.org/glsa/glsa-201203-02.xml
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://support.apple.com/kb/HT4999
- http://support.apple.com/kb/HT5001
- http://support.apple.com/kb/HT5130
- http://support.apple.com/kb/HT5281
- http://support.apple.com/kb/HT5501
- http://support.apple.com/kb/HT6150
- http://technet.microsoft.com/security/advisory/2588513
- http://vnhacker.blogspot.com/2011/09/beast.html
- http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
- http://www.debian.org/security/2012/dsa-2398
- http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
- http://www.ibm.com/developerworks/java/jdk/alerts/
- http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
- http://www.insecure.cl/Beast-SSL.rar
- http://www.kb.cert.org/vuls/id/864643
- http://www.mandriva.com/security/advisories?name=MDVSA-2012%3A058
- http://www.opera.com/docs/changelogs/mac/1151/
- http://www.opera.com/docs/changelogs/mac/1160/
- http://www.opera.com/docs/changelogs/unix/1151/
- http://www.opera.com/docs/changelogs/unix/1160/
- http://www.opera.com/docs/changelogs/windows/1151/
- http://www.opera.com/docs/changelogs/windows/1160/
- http://www.opera.com/support/kb/view/1004/
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
- http://www.redhat.com/support/errata/RHSA-2011-1384.html
- http://www.redhat.com/support/errata/RHSA-2012-0006.html
- http://www.securityfocus.com/bid/49388
- http://www.securityfocus.com/bid/49778
- http://www.securitytracker.com/id/1029190
- http://www.securitytracker.com/id?1025997=
- http://www.securitytracker.com/id?1026103=
- http://www.securitytracker.com/id?1026704=
- http://www.ubuntu.com/usn/USN-1263-1
- http://www.us-cert.gov/cas/techalerts/TA12-010A.html
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
- https://bugzilla.novell.com/show_bug.cgi?id=719047
- https://bugzilla.redhat.com/show_bug.cgi?id=737506
- https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
- https://hermes.opensuse.org/messages/13154861
- https://hermes.opensuse.org/messages/13155432
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752
- http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
- http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
- http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
- http://curl.haxx.se/docs/adv_20120124B.html
- http://downloads.asterisk.org/pub/security/AST-2016-001.html
- http://ekoparty.org/2011/juliano-rizzo.php
- http://eprint.iacr.org/2004/111
- http://eprint.iacr.org/2006/136
- http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
- http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://marc.info/?l=bugtraq&m=132750579901589&w=2
- http://marc.info/?l=bugtraq&m=132750579901589&w=2
- http://marc.info/?l=bugtraq&m=132872385320240&w=2
- http://marc.info/?l=bugtraq&m=132872385320240&w=2
- http://marc.info/?l=bugtraq&m=133365109612558&w=2
- http://marc.info/?l=bugtraq&m=133365109612558&w=2
- http://marc.info/?l=bugtraq&m=133728004526190&w=2
- http://marc.info/?l=bugtraq&m=133728004526190&w=2
- http://marc.info/?l=bugtraq&m=134254866602253&w=2
- http://marc.info/?l=bugtraq&m=134254957702612&w=2
- http://marc.info/?l=bugtraq&m=134254957702612&w=2
- http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
- http://osvdb.org/74829
- http://rhn.redhat.com/errata/RHSA-2012-0508.html
- http://rhn.redhat.com/errata/RHSA-2013-1455.html
- http://secunia.com/advisories/45791
- http://secunia.com/advisories/47998
- http://secunia.com/advisories/48256
- http://secunia.com/advisories/48692
- http://secunia.com/advisories/48915
- http://secunia.com/advisories/48948
- http://secunia.com/advisories/49198
- http://secunia.com/advisories/55322
- http://secunia.com/advisories/55350
- http://secunia.com/advisories/55351
- http://security.gentoo.org/glsa/glsa-201203-02.xml
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://support.apple.com/kb/HT4999
- http://support.apple.com/kb/HT5001
- http://support.apple.com/kb/HT5130
- http://support.apple.com/kb/HT5281
- http://support.apple.com/kb/HT5501
- http://support.apple.com/kb/HT6150
- http://technet.microsoft.com/security/advisory/2588513
- http://vnhacker.blogspot.com/2011/09/beast.html
- http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
- http://www.debian.org/security/2012/dsa-2398
- http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
- http://www.ibm.com/developerworks/java/jdk/alerts/
- http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
- http://www.insecure.cl/Beast-SSL.rar
- http://www.kb.cert.org/vuls/id/864643
- http://www.mandriva.com/security/advisories?name=MDVSA-2012%3A058
- http://www.opera.com/docs/changelogs/mac/1151/
- http://www.opera.com/docs/changelogs/mac/1160/
- http://www.opera.com/docs/changelogs/unix/1151/
- http://www.opera.com/docs/changelogs/unix/1160/
- http://www.opera.com/docs/changelogs/windows/1151/
- http://www.opera.com/docs/changelogs/windows/1160/
- http://www.opera.com/support/kb/view/1004/
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
- http://www.redhat.com/support/errata/RHSA-2011-1384.html
- http://www.redhat.com/support/errata/RHSA-2012-0006.html
- http://www.securityfocus.com/bid/49388
- http://www.securityfocus.com/bid/49778
- http://www.securitytracker.com/id/1029190
- http://www.securitytracker.com/id?1025997=
- http://www.securitytracker.com/id?1026103=
- http://www.securitytracker.com/id?1026704=
- http://www.ubuntu.com/usn/USN-1263-1
- http://www.us-cert.gov/cas/techalerts/TA12-010A.html
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
- https://bugzilla.novell.com/show_bug.cgi?id=719047
- https://bugzilla.redhat.com/show_bug.cgi?id=737506
- https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
- https://hermes.opensuse.org/messages/13154861
- https://hermes.opensuse.org/messages/13155432
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752