2870 matches found
CVE-2011-1509
The encryptPassword function in Login.js in ManageEngine ServiceDesk Plus (SDP) 8012 and earlier uses a Caesar cipher for encryption of passwords in cookies, which makes it easier for remote attackers to obtain sensitive information by sniffing the network...
CORE-2011-0506 - Multiples Vulnerabilities in ManageEngine ServiceDesk Plus
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Multiples Vulnerabilities in ManageEngine ServiceDesk Plus 1. Advisory Information Title: Multiples Vulnerabilities in ManageEngine ServiceDesk Plus Advisory ID: CORE-2011-0506 Advisory URL:...
[SECURITY] [DSA 2309-1] openssl security update
Debian Security Advisory DSA-2309-1 [email protected] http://www.debian.org/security/ Raphael Geissert September 13, 2011 http://www.debian.org/security/faq -...
DEBIAN-CVE-2011-3389
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HT...
OpenSSL 1.x < 1.0.0e Multiple Vulnerabilities
Researchers Show Method to Decrypt GPRS Traffic
A security researcher known for his work on cracking cryptographic ciphers on mobile networks has found a method that enables him to capture and decrypt data traffic on virtually any GPRS network. The attack, developed by Karsten Nohl, enables him to eavesdrop on traffic within a radius of about...
openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a...
openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network...
Nmap NSE net: ssl-enum-ciphers
This script repeatedly initiates SSL/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts. SSLv3/TLSv1 requires more effort to determine which ciphers an...
CVE-2011-1945
The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine...
openSUSE Security Update : libopenssl-devel (openSUSE-SU-2011:0014-1)
Malicious clients could downgrade a connection to a low strength cipher suite on session resumption if the server offers such ciphers (CVE-2010-4180). (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSUSE Security...
SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 7463)
Malicious clients could have downgraded a connection to a low strength cipher suite on session resumption if the server offers such ciphers (CVE-2010-4180). This has been fixed. (C) Tenable Network Security, Inc. The text description of this plugin is (C) Novell, Inc...
Microsoft Windows Kerberos Encryption Standard Spoofing Vulnerability
The Microsoft Windows implementation of Kerberos is prone to a security vulnerability that may allow attackers to downgrade the cipher suite. Successful exploits may allow attackers to change the default encryption standard to DES. This may allow attackers to read and forge all Kerber...
OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
The version of OpenSSL on the remote host has been shown to allow resuming a session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent...
OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue
The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a session. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to...
Huawei HG default WEP/WPA generator
Hi, Huawei HG520 and HG530 routers are vulnerable to weak cipher attacks. It is possible to generate the default WEP/WPA key from the MAC address. The following documents detail the process of developing a key generator for these devices. English: http://websec.ca/blog/view/mac2wepkeyhuawei Espao...
Debian DSA-2141-1 : openssl - SSL/TLS insecure renegotiation protocol design flaw
DSA-2141 consists of three individual parts, which can be viewed in the mailing list archive: DSA 2141-1 openssl, DSA 2141-2 nss, DSA 2141-3 apache2, and DSA 2141-4 lighttpd. This page only covers the first part, openssl. - CVE-2009-3555 Marsh Ray, Steve Dispensa, and Martin Rex discovered a flaw...
DSA-2141-1 openssl - protocol design flaw
Bulletin has no description...
DSA-2141-2 nss - protocol design flaw
Bulletin has no description...
[SECURITY] [DSA-2141-1] New openssl packages fix protocol design flaw
Debian Security Advisory DSA-2141-1 [email protected] http://www.debian.org/security/ Stefan Fritsch January 06, 2011 http://www.debian.org/security/faq -...