OpenVAS flags XrootD 5.4.2 "SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)" #1689
Comments
For XRootD this appears to be a tangible problem for unauthenticated connections which, in practice, no one does. So, here we trust that clients that we accept will not launch a DoS attack. Thus far this has been shown to be true. Hence, the severity of this problem is far lower than one would expect.
For what it's worth, here is a ticket that describes how to disable renegotiation. This may differ for various versions of OpenSSL.
The fix for this is merged into the
I'm the security guy, not the local XrootD expert, but wanted to post it here just in case.
I ran an OpenVAS vulnerability scan against our XrootD servers, which are running 5.4.2, and it flags them with the above error, which is considered 5 out of 10 for severity.
Summary
The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.
Detection Result
The following indicates that the remote SSL/TLS service is affected:
| Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection |
| --- | --- |
| TLSv1.2 | 10 |
Insight
The flaw exists because the remote SSL/TLS service does not
properly restrict client-initiated renegotiation within the SSL and TLS protocols.
Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but
both are in a DISPUTED state with the following rationale:
Both CVEs are still kept in this VT as a reference to the origin of this flaw.
Detection Method
Checks if the remote service allows to re-do the same SSL/TLS
handshake (Renegotiation) over an existing / already established SSL/TLS connection.
Details:
SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094...
OID: 1.3.6.1.4.1.25623.1.0.117761
Version used:
2021-11-15T10:28:20Z
Affected Software/OS
Every SSL/TLS service which does not properly restrict
client-initiated renegotiation.
Impact
The flaw might make it easier for remote attackers to cause a
DoS (CPU consumption) by performing many renegotiations within a single connection.
Solution
Solution Type:
Vendorfix
Users should contact their vendors for specific patch information.
A general solution is to remove/disable renegotiation capabilities altogether from/in the affected
SSL/TLS service.
References
CVE
CVE-2011-1473
CVE-2011-5094
CERT
DFN-CERT-2017-1013
DFN-CERT-2017-1012
DFN-CERT-2014-0809
DFN-CERT-2013-1928
DFN-CERT-2012-1112
CB-K17/0980
CB-K17/0979
CB-K14/0772
CB-K13/0915
CB-K13/0462
Other
https://orchilles.com/ssl-renegotiation-dos/
https://mailarchive.ietf.org/arch/msg/tls/wdg46VE_jkYBbgJ5yE4P9nQ-8IU/
https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation
https://www.openwall.com/lists/oss-security/2011/07/08/2
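The restriction that the report's Solution section and the comment about disabling renegotiation call for, as an added example that is not XRootD or OpenSSL code: a per-connection guard that decides whether a renegotiation is served, where a limit of 0 disables renegotiation altogether. It assumes the server's TLS library reports each handshake start and completion (for instance through an OpenSSL info callback); all names and timestamps are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per-connection state; all names are hypothetical, not XRootD or OpenSSL API. */
typedef struct {
    bool     initial_done;    /* first handshake on this connection has completed */
    uint32_t max_per_window;  /* 0 = refuse every client-initiated renegotiation */
    uint64_t window_secs;     /* length of the counting window */
    uint64_t window_start;    /* start of the current window, in seconds */
    uint32_t seen_in_window;  /* renegotiations started in the current window */
} reneg_guard;

void reneg_guard_init(reneg_guard *g, uint32_t max_per_window, uint64_t window_secs)
{
    g->initial_done = false;
    g->max_per_window = max_per_window;
    g->window_secs = window_secs;
    g->window_start = 0;
    g->seen_in_window = 0;
}

/* Call when a handshake completes. */
void reneg_guard_handshake_done(reneg_guard *g) { g->initial_done = true; }

/* Call when the TLS library reports that a handshake is starting.
 * Returns true when the connection should be closed instead of served. */
bool reneg_guard_handshake_start(reneg_guard *g, uint64_t now_secs)
{
    if (!g->initial_done)
        return false;                       /* the initial handshake is always allowed */
    if (now_secs - g->window_start >= g->window_secs) {
        g->window_start = now_secs;         /* new window: forget old renegotiations */
        g->seen_in_window = 0;
    }
    g->seen_in_window++;
    return g->seen_in_window > g->max_per_window;
}

/* Replays a probe like the one in the report: one initial handshake, then
 * `attempts` renegotiations at the same instant. Returns how many were served. */
int replay_probe(uint32_t max_per_window, uint64_t window_secs, int attempts)
{
    reneg_guard g;
    int served = 0;
    reneg_guard_init(&g, max_per_window, window_secs);
    reneg_guard_handshake_start(&g, 100);   /* initial handshake */
    reneg_guard_handshake_done(&g);
    for (int i = 0; i < attempts; i++) {
        if (reneg_guard_handshake_start(&g, 100))
            break;                          /* connection closed */
        served++;
        reneg_guard_handshake_done(&g);
    }
    return served;
}
```

On OpenSSL 1.1.0h and later, setting the `SSL_OP_NO_RENEGOTIATION` option on the server context achieves the limit-0 behaviour inside the library itself.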