crypto/tls: remote ddos vulnerability #28791

Closed
boo0m opened this issue Nov 14, 2018 · 6 comments
Labels: FrozenDueToAge, NeedsInvestigation (someone must examine and confirm this is a valid issue and not a duplicate of an existing one)
Milestone: Go1.12

Comments

boo0m commented Nov 14, 2018

What version of Go are you using (go version)?

$ go version
1.11.2

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

linux x86_64

A TLS connection vulnerability seems not to have been repaired yet.
We could reproduce this vulnerability using a PoC. It allows remote attackers to cause a denial of service (CPU exhaustion).
Could you please leave me an email address so that I can give you the PoC?

[attached image]

boo0m changed the title from "Tls remote dos vulnerability" to "TLS remote dos vulnerability" on Nov 14, 2018
boo0m changed the title from "TLS remote dos vulnerability" to "TLS remote ddos vulnerability" on Nov 14, 2018
ALTree (Member) commented Nov 14, 2018

ianlancetaylor changed the title from "TLS remote ddos vulnerability" to "crypto/tls: remote ddos vulnerability" on Nov 14, 2018
ianlancetaylor added the NeedsInvestigation label on Nov 14, 2018
ianlancetaylor added this to the Go1.12 milestone on Nov 14, 2018

ianlancetaylor (Contributor) commented
CC @FiloSottile

FiloSottile (Contributor) commented
I went through the security@golang.org archives and I did not find any reports matching this issue. Please follow the Security Policy and use that contact to report it. If you did contact that channel, please resend the report to me directly, my email is filippo@golang.org.

theckman (Contributor) commented
I suspect that it will happen, but once you've been able to confirm receipt of the PoC can you add a comment here @FiloSottile? A few people in the community are 👀 on this issue now and I'm sure we'd like to know that progress is being made, even if details are not shared until public disclosure.

FiloSottile (Contributor) commented
The report pointed to the same issue and PoC as #22543, which was fixed in Go 1.10 by limiting the maximum number of consecutive warning alerts to 5. The issue there was that there was a way to keep a connection busy forever without an application noticing. That's not the case anymore.

The observed behavior is simply the server handling 50 local threads continuously sending ClientHello messages. Of the following warning alerts only 5 are processed, at which point the server correctly closes the connection with the error "tls: too many warn alerts" as a mitigation.

To verify that this is indeed working as intended and not affected by CVE-2016-8610, you can run the PoC with 0 as the number of alerts, and the same number of threads. That neutralizes the actual attack behavior, but still causes full CPU utilization.

If an attacker can flood ClientHello messages faster than the server can answer, there's nothing the server can do on its own.
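
The comment above draws a line between the crypto/tls mitigation (a connection is closed after 5 consecutive warning alerts) and a plain handshake flood, which the TLS stack cannot absorb by itself. What a server operator can still do is bound the work accepted per unit of time at the application layer. The following is an added example, not code from the Go project or from anyone in this thread: a net.Listener wrapper that caps the number of connections in flight and arms a deadline so an unfinished handshake cannot hold its slot indefinitely. The names (limitedListener, newLimitedListener, slotConn, selfSignedCert) and the limits (100 in-flight connections, 5 seconds per handshake) are this example's own choices, and the certificate is generated in-process so the demo runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"net"
	"sync"
	"time"
)

// limitedListener admits at most cap(slots) connections at a time; Accept blocks while
// every slot is taken, so excess connections wait in the kernel backlog instead of each
// starting a handshake (added example, not Go project code; names and limits are its own).
type limitedListener struct {
	net.Listener
	slots            chan struct{}
	handshakeTimeout time.Duration
}

func newLimitedListener(l net.Listener, maxInFlight int, handshakeTimeout time.Duration) *limitedListener {
	return &limitedListener{Listener: l, slots: make(chan struct{}, maxInFlight), handshakeTimeout: handshakeTimeout}
}

// Accept takes a slot, accepts the next connection and arms a deadline that bounds the
// handshake; the handler clears the deadline once the handshake has completed.
func (l *limitedListener) Accept() (net.Conn, error) {
	l.slots <- struct{}{} // blocks until a slot is free
	c, err := l.Listener.Accept()
	if err != nil {
		<-l.slots
		return nil, err
	}
	_ = c.SetDeadline(time.Now().Add(l.handshakeTimeout))
	return &slotConn{Conn: c, release: func() { <-l.slots }}, nil
}

// slotConn returns its slot exactly once, when the connection is closed.
type slotConn struct {
	net.Conn
	release func()
	once    sync.Once
}

func (c *slotConn) Close() error {
	err := c.Conn.Close()
	c.once.Do(c.release)
	return err
}

// selfSignedCert builds a throwaway certificate so the demo runs offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "limited-listener-demo"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		log.Fatal(err)
	}
	raw, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		log.Fatal(err)
	}
	ln := tls.NewListener(newLimitedListener(raw, 100, 5*time.Second), &tls.Config{Certificates: []tls.Certificate{cert}})
	log.Printf("serving TLS on %s (at most 100 handshakes in flight, 5s each; illustrative limits)", ln.Addr())
	for {
		c, err := ln.Accept()
		if err != nil {
			log.Fatal(err)
		}
		go func(tc *tls.Conn) {
			defer tc.Close() // closing the *tls.Conn closes slotConn and returns the slot
			if err := tc.Handshake(); err != nil {
				log.Printf("handshake from %s failed: %v", tc.RemoteAddr(), err)
				return
			}
			_ = tc.SetDeadline(time.Time{}) // handshake done; application timeouts apply from here
		}(c.(*tls.Conn))
	}
}
```

Because tls.NewListener wraps the limited listener, the deadline armed in Accept covers the ClientHello processing that tc.Handshake() performs, and the slot is returned when the *tls.Conn is closed, whether the handshake succeeded or timed out. This does not make a server immune to a flood, which is the point made in the comment above, but it bounds how many handshakes run concurrently and keeps the failure mode predictable (queued connections, logged handshake timeouts) rather than unbounded CPU use.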

theckman (Contributor) commented
@FiloSottile thank you so much for the summary!

golang locked and limited conversation to collaborators on Nov 14, 2019