CVE-2011-3389

Published: Sep 6, 2011Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Affected (22)

Products: Google: Chrome · Microsoft: Internet Explorer, Windows · Mozilla: Firefox · +6 more

Show all products

1 product

2 products

1 product

1 product

2 products

Simatic Rf68xr Firmware

Simatic Rf615r Firmware

Haxx

1 product

Curl

Redhat

5 products

Enterprise Linux Desktop

Enterprise Linux Eus

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Workstation

1 product

1 product

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Google Chrome	All versions
Microsoft Internet Explorer	All versions
Microsoft Windows	All versions
Mozilla Firefox	All versions
Opera Opera Browser	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Siemens Simatic Rf68xr Firmware	Before 3.2.1

Running on/with	Platform Versions
Siemens Simatic Rf68xr	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Siemens Simatic Rf615r Firmware	Before 3.2.1

Running on/with	Platform Versions
Siemens Simatic Rf615r	All versions

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Haxx Curl	From 7.10.6 to 7.23.1

Configuration E

8 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 5.0
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Eus	Version 6.2
Redhat Enterprise Linux Server	Version 5.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Server Aus	Version 6.2
Redhat Enterprise Linux Workstation	Version 5.0
Redhat Enterprise Linux Workstation	Version 6.0

Configuration F

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 5.0
Debian Debian Linux	Version 6.0

Configuration G

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 10.04
Canonical Ubuntu Linux	Version 10.10
Canonical Ubuntu Linux	Version 11.04
Canonical Ubuntu Linux	Version 11.10

Related CWEs

CWE-326

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (178)

http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/

Source: cve@mitre.org

Third Party Advisory

http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx

Source: cve@mitre.org

Third Party Advisory

http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx

Source: cve@mitre.org

Third Party Advisory

http://curl.haxx.se/docs/adv_20120124B.html

Source: cve@mitre.org

Third Party Advisory

http://downloads.asterisk.org/pub/security/AST-2016-001.html

Source: cve@mitre.org

Third Party Advisory

http://ekoparty.org/2011/juliano-rizzo.php

Source: cve@mitre.org

Broken Link

http://eprint.iacr.org/2004/111

Source: cve@mitre.org

Third Party Advisory

http://eprint.iacr.org/2006/136

Source: cve@mitre.org

Third Party Advisory

http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html

Source: cve@mitre.org

Not ApplicableVendor Advisory

http://isc.sans.edu/diary/SSL+TLS+part+3+/11635

Source: cve@mitre.org

Third Party Advisory

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html

Source: cve@mitre.org

Broken Link

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html

Source: cve@mitre.org

Broken Link

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

Source: cve@mitre.org

Broken LinkMailing List

http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html

Source: cve@mitre.org

Broken LinkMailing List

http://lists.apple.com/archives/security-announce/2012/May/msg00001.html

Source: cve@mitre.org

Broken LinkMailing List

http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html

Source: cve@mitre.org

Broken LinkMailing List

http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html

Source: cve@mitre.org

Broken LinkMailing List

http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html

Source: cve@mitre.org

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html

Source: cve@mitre.org

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html

Source: cve@mitre.org

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Source: cve@mitre.org

Broken Link

http://marc.info/?l=bugtraq&m=132750579901589&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=132872385320240&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=133365109612558&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=133728004526190&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=134254866602253&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=134254957702612&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue

Source: cve@mitre.org

Third Party Advisory

http://osvdb.org/74829

Source: cve@mitre.org

Broken Link

http://rhn.redhat.com/errata/RHSA-2012-0508.html

Source: cve@mitre.org

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2013-1455.html

Source: cve@mitre.org

Broken Link

http://secunia.com/advisories/45791

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/47998

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/48256

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/48692

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/48915

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/48948

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/49198

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/55322

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/55350

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/55351

Source: cve@mitre.org

Not Applicable

http://security.gentoo.org/glsa/glsa-201203-02.xml

Source: cve@mitre.org

Third Party Advisory

http://security.gentoo.org/glsa/glsa-201406-32.xml

Source: cve@mitre.org

Third Party Advisory

http://support.apple.com/kb/HT4999

Source: cve@mitre.org

Third Party Advisory

http://support.apple.com/kb/HT5001

Source: cve@mitre.org

Third Party Advisory

http://support.apple.com/kb/HT5130

Source: cve@mitre.org

Third Party Advisory

http://support.apple.com/kb/HT5281

Source: cve@mitre.org

Broken Link

http://support.apple.com/kb/HT5501

Source: cve@mitre.org

Third Party Advisory

http://support.apple.com/kb/HT6150

Source: cve@mitre.org

Third Party Advisory

http://technet.microsoft.com/security/advisory/2588513

Source: cve@mitre.org

PatchVendor Advisory

http://vnhacker.blogspot.com/2011/09/beast.html

Source: cve@mitre.org

Third Party Advisory

http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf

Source: cve@mitre.org

Third Party Advisory

http://www.debian.org/security/2012/dsa-2398

Source: cve@mitre.org

Third Party Advisory

http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html

Source: cve@mitre.org

Broken Link

http://www.ibm.com/developerworks/java/jdk/alerts/

Source: cve@mitre.org

Third Party Advisory

http://www.imperialviolet.org/2011/09/23/chromeandbeast.html

Source: cve@mitre.org

Third Party Advisory

http://www.insecure.cl/Beast-SSL.rar

Source: cve@mitre.org

Broken LinkPatch

http://www.kb.cert.org/vuls/id/864643

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

http://www.mandriva.com/security/advisories?name=MDVSA-2012:058

Source: cve@mitre.org

Broken Link

http://www.opera.com/docs/changelogs/mac/1151/

Source: cve@mitre.org

Third Party Advisory

http://www.opera.com/docs/changelogs/mac/1160/

Source: cve@mitre.org

Third Party Advisory

http://www.opera.com/docs/changelogs/unix/1151/

Source: cve@mitre.org

Third Party Advisory

http://www.opera.com/docs/changelogs/unix/1160/

Source: cve@mitre.org

Third Party Advisory

http://www.opera.com/docs/changelogs/windows/1151/

Source: cve@mitre.org

Third Party Advisory

http://www.opera.com/docs/changelogs/windows/1160/

Source: cve@mitre.org

Third Party Advisory

http://www.opera.com/support/kb/view/1004/

Source: cve@mitre.org

Third Party AdvisoryVendor Advisory

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Source: cve@mitre.org

Third Party Advisory

http://www.redhat.com/support/errata/RHSA-2011-1384.html

Source: cve@mitre.org

Third Party AdvisoryVendor Advisory

http://www.redhat.com/support/errata/RHSA-2012-0006.html

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/49388

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/49778

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1029190

Source: cve@mitre.org

Broken LinkThird Party AdvisoryVDB Entry

http://www.securitytracker.com/id?1025997

Source: cve@mitre.org

Broken LinkThird Party AdvisoryVDB Entry

http://www.securitytracker.com/id?1026103

Source: cve@mitre.org

Broken LinkThird Party AdvisoryVDB Entry

http://www.securitytracker.com/id?1026704

Source: cve@mitre.org

Broken LinkThird Party AdvisoryVDB Entry

http://www.ubuntu.com/usn/USN-1263-1

Source: cve@mitre.org

Third Party Advisory

http://www.us-cert.gov/cas/techalerts/TA12-010A.html

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail

Source: cve@mitre.org

Third Party Advisory

https://bugzilla.novell.com/show_bug.cgi?id=719047

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=737506

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf

Source: cve@mitre.org

Third Party Advisory

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006

Source: cve@mitre.org

PatchVendor Advisory

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862

Source: cve@mitre.org

Broken Link

https://hermes.opensuse.org/messages/13154861

Source: cve@mitre.org

Broken Link

https://hermes.opensuse.org/messages/13155432

Source: cve@mitre.org

Broken Link

https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752

Source: cve@mitre.org

Third Party Advisory

http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/