I'm the security guy, not the local XrootD expert, but wanted to post it here just in case.
I ran an OpenVAS vulnerability scan against our XrootD servers, which are running 5.4.2, and it flags them with the above error, which is considered 5 out of 10 for severity.
Summary
The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.
Detection Result
The following indicates that the remote SSL/TLS service is affected:
TLSv1.2 | 10
Insight
The flaw exists because the remote SSL/TLS service does not
properly restrict client-initiated renegotiation within the SSL and TLS protocols.
Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but
both are in a DISPUTED state with the following rationale:
It can also be argued that it is the responsibility of server deployments, not a security
library, to prevent or limit renegotiation when it is inappropriate within a specific environment.
Both CVEs are still kept in this VT as a reference to the origin of this flaw.
Detection Method
Checks if the remote service allows to re-do the same SSL/TLS
handshake (Renegotiation) over an existing / already established SSL/TLS connection.
Details:
SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094...
OID: 1.3.6.1.4.1.25623.1.0.117761
Version used: 2021-11-15T10:28:20Z
Affected Software/OS
Every SSL/TLS service which does not properly restrict
client-initiated renegotiation.
Impact
The flaw might make it easier for remote attackers to cause a
DoS (CPU consumption) by performing many renegotiations within a single connection.
Solution
Solution Type: Vendorfix
Users should contact their vendors for specific patch information.
A general solution is to remove/disable renegotiation capabilities altogether from/in the affected
SSL/TLS service.
References
CVE
CVE-2011-1473
CVE-2011-5094
CERT
DFN-CERT-2017-1013
DFN-CERT-2017-1012
DFN-CERT-2014-0809
DFN-CERT-2013-1928
DFN-CERT-2012-1112
CB-K17/0980
CB-K17/0979
CB-K14/0772
CB-K13/0915
CB-K13/0462
Other
https://orchilles.com/ssl-renegotiation-dos/
https://mailarchive.ietf.org/arch/msg/tls/wdg46VE_jkYBbgJ5yE4P9nQ-8IU/
https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation
https://www.openwall.com/lists/oss-security/2011/07/08/2
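The "remove/disable renegotiation" solution in the report, shown here as an added example that is not XrootD's code and not part of the scanner output: a Python ssl.SSLContext (OpenSSL-backed, as XrootD's TLS is) built once with the stdlib defaults, which leave client-initiated renegotiation allowed, and once with OP_NO_RENEGOTIATION set, plus a small check you can run at startup to confirm the option actually took on the OpenSSL build in use. The function names and the certfile/keyfile paths are assumptions for illustration.

```python
import ssl
from typing import Dict, Optional

# Added example (not XrootD's or OpenVAS's code): the "disable renegotiation"
# mitigation on an OpenSSL-backed TLS server context via Python's ssl module.

# ssl.OP_NO_RENEGOTIATION maps to OpenSSL's SSL_OP_NO_RENEGOTIATION (OpenSSL >= 1.1.0h).
# Older builds lack the constant; treat that as "cannot disable here" rather than
# silently claiming the mitigation is in place.
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def default_server_context() -> ssl.SSLContext:
    """The weak setting: a server context exactly as the stdlib creates it.

    OP_NO_RENEGOTIATION is not among the default options, so a client may keep
    renegotiating on one established TLS 1.2 connection, which is what the
    scanner's "TLSv1.2 | 10" detection result reflects.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: same context, client-initiated renegotiation refused.

    certfile/keyfile are hypothetical paths; when given, the chain is loaded.
    With the option set, OpenSSL sends no HelloRequest and ignores renegotiation
    requests arriving as a second ClientHello on the same connection. TLS 1.3
    has no renegotiation at all, so the option only matters for TLS 1.2 and below.
    """
    ctx = default_server_context()
    if NO_RENEG:
        ctx.options |= NO_RENEG
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """Report whether the context refuses client-initiated renegotiation.

    Returns False both when the option is unset and when this OpenSSL build has
    no such option at all (then the mitigation must come from elsewhere, e.g. a
    rate limit or connection cap in front of the service).
    """
    return bool(NO_RENEG) and bool(ctx.options & NO_RENEG)


def audit(contexts: Dict[str, ssl.SSLContext]) -> Dict[str, bool]:
    """Map each named context to its mitigation status; handy as a startup self-check."""
    return {name: renegotiation_disabled(ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    report = audit({"default": default_server_context(),
                    "hardened": hardened_server_context()})
    for name, ok in report.items():
        print(f"{name:8s} renegotiation disabled: {ok}")
```

For a C++ service linking OpenSSL directly, the equivalent of the hardened branch is `SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION)` on the server's SSL_CTX; the `audit` style check matters because on an OpenSSL build that predates the option the call compiles away to nothing and the scanner finding will persist.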