I'm the security guy, not the local XrootD expert, but wanted to post it here just in case.

I ran an OpenVAS vulnerability scan against our XrootD servers, which are running 5.4.2, and it flags them with the above error, which is considered 5 out of 10 for severity.

---

Summary
The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.

Detection Result
The following indicates that the remote SSL/TLS service is affected:

Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection
----------------------------------------------------------------------------------------------------------------------------------
TLSv1.2          | 10

Insight
The flaw exists because the remote SSL/TLS service does not
properly restrict client-initiated renegotiation within the SSL and TLS protocols.

Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but
both are in a DISPUTED state with the following rationale:

> It can also be argued that it is the responsibility of server deployments, not a security
library, to prevent or limit renegotiation when it is inappropriate within a specific environment.

Both CVEs are still kept in this VT as a reference to the origin of this flaw.

Detection Method
Checks if the remote service allows to re-do the same SSL/TLS
handshake (Renegotiation) over an existing / already established SSL/TLS connection.

Details:
SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094...
OID: 1.3.6.1.4.1.25623.1.0.117761
Version used: 2021-11-15T10:28:20Z

Affected Software/OS
Every SSL/TLS service which does not properly restrict
client-initiated renegotiation.

Impact
The flaw might make it easier for remote attackers to cause a
DoS (CPU consumption) by performing many renegotiations within a single connection.

Solution
Solution Type: Vendorfix
Users should contact their vendors for specific patch information.

A general solution is to remove/disable renegotiation capabilities altogether from/in the affected
SSL/TLS service.

References
CVE
CVE-2011-1473
CVE-2011-5094
CERT
DFN-CERT-2017-1013
DFN-CERT-2017-1012
DFN-CERT-2014-0809
DFN-CERT-2013-1928
DFN-CERT-2012-1112
CB-K17/0980
CB-K17/0979
CB-K14/0772
CB-K13/0915
CB-K13/0462
Other
https://orchilles.com/ssl-renegotiation-dos/
https://mailarchive.ietf.org/arch/msg/tls/wdg46VE_jkYBbgJ5yE4P9nQ-8IU/
https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation
https://www.openwall.com/lists/oss-security/2011/07/08/2



-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1689
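As an added example (not XRootD code and not part of the forwarded report), the Python below does two things a defender would want after reading the OpenVAS output above: it parses the "Protocol Version | Successful re-done SSL/TLS handshakes" table into a per-protocol count and applies the VT's own criterion (any completed renegotiation on an established connection means affected), and it builds a server-side SSLContext with the general fix the Solution section names, disabling renegotiation outright. It uses OpenSSL's SSL_OP_NO_RENEGOTIATION, exposed as ssl.OP_NO_RENEGOTIATION in Python 3.7+ on OpenSSL 1.1.0h or newer; where that constant is missing it falls back to a TLS 1.3-only minimum, since TLS 1.3 has no renegotiation. The function names, SAMPLE_REPORT and the report text it contains are my own constructions in the layout quoted above.

```python
"""Parse an OpenVAS renegotiation finding and build a context that cannot trigger it.

Added example, not XRootD code. Assumes Python 3.7+ with an OpenSSL that exposes
SSL_OP_NO_RENEGOTIATION (ssl.OP_NO_RENEGOTIATION); otherwise falls back to TLS 1.3.
"""
import re
import ssl

# Constructed sample in the layout of the OpenVAS "Detection Result" table
# quoted in the report (header and separator lines included on purpose so the
# parser is shown skipping them).
SAMPLE_REPORT = """\
Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection
----------------------------------------------------------------------------------------------------------------------------------
TLSv1.2          | 10
"""

# One data row: protocol name, a pipe, a non-negative handshake count.
_ROW = re.compile(r"^\s*((?:SSL|TLS)v\d(?:\.\d)?)\s*\|\s*(\d+)\s*$")


def parse_detection_result(text: str) -> dict:
    """Return {protocol_version: renegotiation_count} from the table body."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows[m.group(1)] = int(m.group(2))
    return rows


def is_affected(rows: dict) -> bool:
    """The VT reports the host as affected when any protocol let the scanner
    complete at least one renegotiation handshake on an established connection."""
    return any(count > 0 for count in rows.values())


def unhardened_server_context() -> ssl.SSLContext:
    """A plain server context, used here only as the 'before' for comparison."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses client-initiated renegotiation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if no_reneg is not None:
        # OpenSSL SSL_OP_NO_RENEGOTIATION: a HelloRequest is never sent and a
        # client ClientHello on an established TLS <= 1.2 connection is rejected
        # with a no_renegotiation alert instead of starting a new handshake.
        ctx.options |= no_reneg
    else:
        # Assumption for old OpenSSL builds without the option: require TLS 1.3,
        # which dropped renegotiation from the protocol entirely.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context can no longer perform a TLS renegotiation."""
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if no_reneg is not None and ctx.options & no_reneg:
        return True
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3


if __name__ == "__main__":
    found = parse_detection_result(SAMPLE_REPORT)
    print("parsed rows:", found, "-> affected:", is_affected(found))
    print("default context disables renegotiation:",
          renegotiation_disabled(unhardened_server_context()))
    print("hardened context disables renegotiation:",
          renegotiation_disabled(hardened_server_context()))
```

XRootD's own TLS layer is C++ over OpenSSL, where the equivalent setting is SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) on the server context; a quick re-scan with the same VT after the change should show 0 in the "Successful re-done handshakes" column, which is the check worth keeping in a change ticket.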
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1