Oval Definition:oval:org.mitre.oval:def:7315
Revision Date:2014-10-06
Version:71
Title:TLS/SSL Renegotiation Vulnerability
Description:The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:windows
Class:vulnerability
Status:ACCEPTED
Reference(s):CVE-2009-3555
Platform(s):Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Product(s):Mozilla Firefox
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis
  • Check for vulnerable Firefox
    • Mozilla Firefox Mainline release is installed
    • AND Check for vulnerable version
      • Mozilla Firefox Mainline version is 3.5.x before 3.5.9
      • OR Mozilla Firefox Mainline version is 3.6.x before 3.6.2
  • OR Check for vulnerable Seamonkey
    • Mozilla Seamonkey is installed
    • AND Mozilla Seamonkey version less than 2.0.4
  • OR Check for vulnerable Thunderbird
    • Mozilla Thunderbird Mainline release is installed
    • AND Mozilla Thunderbird version less than 3.0.4
  • OR Vulnerable Microsoft Windows XP x86
    • Microsoft Windows XP (32-bit) is installed
    • AND the version of schannel.dll is less than 5.1.2600.6006
  • OR Vulnerable Microsoft Windows XP x64, Windows Server 2003 x86/x64/ia64
    • XP x64/server 2003 x86/x64/ia64
      • Microsoft Windows XP x64 is installed
      • OR Microsoft Windows Server 2003 (32-bit) is installed
      • OR Microsoft Windows Server 2003 (x64) is installed
      • OR Microsoft Windows Server 2003 (ia64) Gold is installed
    • AND the version of schannel.dll is less than 5.2.3790.4724
  • OR Vulnerable Microsoft Windows Vista x86/x64, Server 2008 x86/x64/ia64
    • Vista x86/x64, Server 2008 x86/x64/ia64
      • Microsoft Windows Vista (32-bit) is installed
      • OR Microsoft Windows Vista x64 Edition is installed
      • OR Microsoft Windows Server 2008 (32-bit) is installed
      • OR Microsoft Windows Server 2008 (64-bit) is installed
      • OR Microsoft Windows Server 2008 (ia-64) is installed
    • AND GDR or LDR Service branch
      • the version of schannel.dll is less than 6.0.6001.18490
      • OR LDR
        • the version of schannel.dll is greater than or equal to 6.0.6001.22000
        • AND the version of schannel.dll is less than 6.0.6001.22709
  • OR Vulnerable Microsoft Windows Vista x86/x64, Server 2008 x86/x64/ia64
    • Vista x86/x64, Server 2008 x86/x64/ia64
      • Microsoft Windows Vista (32-bit) is installed
      • OR Microsoft Windows Vista x64 Edition is installed
      • OR Microsoft Windows Server 2008 (32-bit) is installed
      • OR Microsoft Windows Server 2008 (64-bit) is installed
      • OR Microsoft Windows Server 2008 (ia-64) is installed
    • AND GDR or LDR Service branch
      • the version of schannel.dll is less than 6.0.6002.18269
      • OR LDR
        • the version of schannel.dll is greater than or equal to 6.0.6002.22000
        • AND the version of schannel.dll is less than 6.0.6002.22422
  • OR Vulnerable Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64/ia64
    • 7 x86/x64, Server 2008 R2 x64/ia64
      • Microsoft Windows 7 (32-bit) is installed
      • OR Microsoft Windows 7 x64 Edition is installed
      • OR Microsoft Windows Server 2008 R2 x64 Edition is installed
      • OR Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    • AND GDR or LDR Service branch
      • the version of schannel.dll is less than 6.1.7600.16612
      • OR LDR
        • the version of schannel.dll is greater than or equal to 6.1.7600.20000
        • AND the version of schannel.dll is less than 6.1.7600.20735