ICASI Members Operate Security Incident Response Teams
If you have an incident to report or another matter that you believe needs urgent attention, contact the Security Incident Response Team (SIRT) of the ICASI member whose product you think is most immediately impacted. That ICASI member's team will take the next appropriate step.
To get the latest announcements, alerts, fixes and other important information from our members, follow the links provided below for each member company.

Alerts and Advisories
November 11, 2009
ICASI Advisory
Transport Layer Security (TLS) Man-In-The-Middle (MITM) Vulnerability CVE-2009-3555

The Industry Consortium for Advancement of Security on the Internet (ICASI) is releasing this alert to provide guidance on an issue that was disclosed to the general public on November 5, 2009. A protocol-level design flaw allows an attacker to perform a man-in-the-middle (MITM) attack on sessions protected by Transport Layer Security (TLS) and Secure Sockets Layer (SSL). An attacker who is able to successfully leverage a MITM attack could use this vulnerability to prepend data to an SSL/TLS-protected session. It does not allow the attacker to read, decrypt, or alter encrypted traffic between client and server.

Note: This is not a cryptographic vulnerability in TLS, but rather a vulnerability in the way that TLS handles previously authenticated sessions. Although an attacker cannot read any of the session data, it may be possible to insert arbitrary data on behalf of either the client or server in specific scenarios. Users are affected only when an attacker is able to successfully exploit this vulnerability in conjunction with a MITM attack, such as a local subnet attack or DNS spoofing. This makes consistent and successful exploitation of the vulnerability unlikely.
