Hello everyone,
I routinely use GSM to scan various systems our business uses, including our websites. In the past 2 months a new entry has appeared for one of our websites. I have reported it to the ISP who runs the webserver, but they are struggling to reproduce the error, and hence to do anything to fix it.
I’m therefore looking for more information or guidance on how to treat it?
The title for the vulnerability is: SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)
The test is being run against: [212.42.180.221] www.tongue-tied.co.uk
I’ve copied the full detail of the report entry below, in case its of any use. Can anyone give me any more information on how to reproduce this error, and/or how to fix it?
Summary
The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.
Detection Result
The following indicates that the remote SSL/TLS service is affected: Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection ---------------------------------------------------------------------------------------------------------------------------------- TLSv1.0 | 10 TLSv1.1 | 10 TLSv1.2 | 10
Insight
The flaw exists because the remote SSL/TLS service does not properly restrict client-initiated renegotiation within the SSL and TLS protocols. Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state with the following rationale: > It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment. Both CVEs are still kept in this VT as a reference to the origin of this flaw.
Detection Method
Checks if the remote service allows to re-do the same SSL/TLS handshake (Renegotiation) over an existing / already established SSL/TLS connection.
Details: SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094… OID: 1.3.6.1.4.1.25623.1.0.117761 Version used: 2021-11-15T10:28:20Z Affected Software/OS
Every SSL/TLS service which does not properly restrict client-initiated renegotiation.
Impact
The flaw might make it easier for remote attackers to cause a DoS (CPU consumption) by performing many renegotiations within a single connection.
Solution
Solution Type:
Vendorfix
Users should contact their vendors for specific patch information. A general solution is to remove/disable renegotiation capabilities altogether from/in the affected SSL/TLS service.