CVE-2011-3389 — BEAST: Inadequate Encryption Strength in TLS 1.0

CWE-326 — Inadequate Encryption Strength CWE-20 — Improper Input Validation15 documents10 sources

Severity

4.3MEDIUMNVD

EPSS

3.8%

top 11.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apsis Pound Haxx Curl Lighttpd +10 more

Timeline

PublishedSep 6

Latest updateMay 13

Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverl…

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages10 packages

▶Debianmozilla/nss< 3.13.1.with.ckbi.1.88-1+3

▶Debianlighttpd/lighttpd< 1.4.30-1+3

▶NVDsiemens/simatic_rf615r_firmware< 3.2.1

▶NVDsiemens/simatic_rf68xr_firmware< 3.2.1

▶Debianhaxx/curl< 7.24.0-1+3

Also affects: Debian Linux 5.0, 6.0, Ubuntu Linux 10.04, 10.10, 11.04, 11.10, Enterprise Linux 6.2

Patches

Patch: technet.microsoft.com ↗Patch: www.insecure.cl ↗Patch: docs.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-rhch-pcq2-7gp3: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and o↗2022-05-13

▶

CVEList

CVE-2011-3389: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and o↗2011-09-06

▶

OSV

CVE-2011-3389: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and o↗2011-09-06

▶

💥Exploits & PoCs

Exploit-DB

Apache mod_proxy - Reverse Proxy Exposure↗2011-10-11

▶

📋Vendor Advisories

Ubuntu

OpenJDK 6 regression↗2012-01-24

▶

Ubuntu

IcedTea-Web, OpenJDK 6 vulnerabilities↗2011-11-16

▶

Red Hat

HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)↗2011-09-10

▶

Debian

CVE-2011-3389: asterisk - The SSL protocol, as used in certain configurations in Microsoft Windows and Mic...↗2011

▶

💬Community

HackerOne

SSL/TLS Vulnerability at khanacademy.org↗2017-02-22

▶

Bugzilla

[RFE] Allow override of TLS ciphers to avoid clients connecting and being vulnerable to CVE-2011-3389↗2016-10-21

▶

Bugzilla

Mozilla: Enable mitigation for CVE-2011-3389 (BEAST issue) in firefox/thunderbird↗2012-07-10

▶

Bugzilla

python: SSL CBC IV vulnerability (CVE-2011-3389, BEAST)↗2012-04-12

▶

Bugzilla

curl: SSL CBC IV vulnerability (CVE-2011-3389, BEAST)↗2012-01-24

▶