
SSL/TLS: Renegotiation DoS Vulnerability

Comments

8 comments

  • cPRex Jurassic Moderator
    Hey there! These vulnerabilities are from 2011, so it would be odd that they would exist on a modern server. Can you please provide the output of the following commands?

    rpm -qa | grep openssl-
    cat /etc/redhat-release

    Once we see that information we can get you more details.
    0
  • amstel
    Hi cPRex, Thanks for your reply. Please see the output:

    # rpm -qa | grep openssl-
    openssl-libs-1.0.2k-25.el7_9.x86_64
    cpanel-perl-532-crypt-openssl-rsa-0.31-1.cp1198.x86_64
    cpanel-perl-532-crypt-openssl-pkcs12-1.3-1.cp1198.x86_64
    cpanel-perl-532-crypt-openssl-pkcs10-0.16-1.cp1198.x86_64
    cpanel-perl-532-crypt-openssl-random-0.15-1.cp1198.x86_64
    ea-openssl-1.0.2u-2.2.1.cpanel.x86_64
    openssl-1.0.2k-25.el7_9.x86_64
    cpanel-perl-532-crypt-openssl-ec-1.32-1.cp1198.x86_64
    openssl-devel-1.0.2k-25.el7_9.x86_64
    cpanel-perl-532-crypt-openssl-bignum-0.09-1.cp1198.x86_64
    cpanel-perl-532-crypt-openssl-dsa-0.19-1.cp1198.x86_64
    cpanel-perl-532-crypt-openssl-x509-1.813-1.cp1198.x86_64

    # cat /etc/redhat-release
    CentOS Linux release 7.9.2009 (Core)
    0
  • cPRex Jurassic Moderator
    Thanks for those details. While you should move off CentOS 7 in the near future, I wouldn't expect your machine to be vulnerable to this issue. Here's some details in a thread when this issue originally was discovered:
    0
  • TOne1

    Hi cPRex,
    My security scanner is currently flagging the same vulnerability on 6 ports and I am on AlmaLinux 8.9.

    Here is the output of rpm -qa | grep openssl:

    cpanel-perl-536-crypt-openssl-dsa-0.20-1.cp108~el8.x86_64
    openssl-pkcs11-0.4.10-3.el8.i686
    cpanel-perl-536-crypt-openssl-ec-1.32-1.cp108~el8.x86_64
    cpanel-perl-536-crypt-openssl-rsa-0.33-1.cp108~el8.x86_64
    openssl-devel-1.1.1k-12.el8_9.x86_64
    alt-openssl-libs-1.0.2k-2.el8.cloudlinux.10.x86_64
    openssl-pkcs11-0.4.10-3.el8.x86_64
    alt-openssl11-1.1.1w-1.el8.x86_64
    openssl-libs-1.1.1k-12.el8_9.x86_64
    compat-openssl10-1.0.2o-4.el8_6.x86_64
    openssl-libs-1.1.1k-12.el8_9.i686
    cpanel-perl-536-crypt-openssl-random-0.15-1.cp108~el8.x86_64
    alt-openssl11-libs-1.1.1w-1.el8.x86_64
    cpanel-perl-536-crypt-openssl-bignum-0.09-1.cp108~el8.x86_64
    openssl-1.1.1k-12.el8_9.x86_64
    cpanel-perl-536-crypt-openssl-x509-1.914-1.cp108~el8.x86_64
    ea-openssl11-1.1.1m-1.1.2.cpanel.x86_64

    cat /etc/redhat-release
    AlmaLinux release 8.9 (Midnight Oncilla)

    How can I get rid of those?

    Best,

    T1

    0
  • cPRex Jurassic Moderator

    TOne1 - you'll likely need to create a changelog on your system and show that to the security scanning company as these are patched in modern systems.  You can do that with the following command:

    rpm -q openssl --changelog > output.txt

    and then you can place the output.txt file somewhere public on your server or download that as you wish.

    0
  • password1234

    That's right it's an old CVE yet the issue has to do with a setting (not if the current openssl has been patched or host is on latest OS). For cPanel hosted pages, specifically ports 2083, 2087, 2096 (cPanel, WHM, Webmail pages) on host running AlmaLinux 8.10 (OpenSSL 1.1.1k  FIPS 25 Mar 2021) they continue to fail over the years with finding SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094). Same as amstel and TOne1 have reported.

    For the record, OpenVAS reported this detection result and insight over the weekend:

    Detection Result
    The following indicates that the remote SSL/TLS service is affected:

    Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection
    ----------------------------------------------------------------------------------------------------------------------------------
    TLSv1.2          | 10

    Insight
    The flaw exists because the remote SSL/TLS service does not
    properly restrict client-initiated renegotiation within the SSL and TLS protocols.

    See how OpenVAS successfully client renegotiated 10 times on an existing TLSv1.2 connection on an up-to-date openssl and OS - that is the DoS vulnerability - the HTTPS software is not restricting client-initiated renegotiation. This same scan done on the load balancer in front of port 80/443 is clean of this finding (the load balancer is not in front of the above-mentioned ports). Thus, as far as I can tell the question still stands: How to turn off client-initiated renegotiation within SSL/TLS for cPanel hosted ports 2083, 2087, 2096 and maybe other ports (maybe something related to SSL_set_options(s, SSL_OP_NO_RENEGOTIATION);)

    NOTE: One way to test via command line is the following command: look for the text "Secure Renegotiation IS supported", or enter R+Enter to see if client-initiated renegotiation is successful.

    $ openssl s_client -tls1_2 HOST:PORT

    ...

    Secure Renegotiation IS supported

    ...

    ---

    R[ENTER]
    RENEGOTIATING

    0
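
The manual check from the note in the comment above, automated as an added example (not part of the thread, and not cPanel's or OpenVAS's code): the function reads a captured `openssl s_client` transcript and reports whether the server acted on the client's `R` request. The capture command in the comment, the `verify return:` and `:error:` markers, and both sample transcripts are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Classifies a captured `openssl s_client` transcript (stdin).
# One way to capture it (assumption, not from the thread):
#   (sleep 2; echo R; sleep 2) | openssl s_client -tls1_2 -connect HOST:PORT 2>&1
# Verdicts: accepted | refused | inconclusive | not-attempted | tls13
# "Secure Renegotiation IS supported" only reports the RFC 5746 extension, so
# it is deliberately not used for the verdict.
classify_reneg() {
    awk '
        /^New, TLSv1\.3/ { tls13 = 1 }          # TLS 1.3 has no renegotiation
        /^RENEGOTIATING/ { attempted = 1; next }
        attempted && !decided {
            # Assumed marker: a completed new handshake re-verifies the cert.
            if ($0 ~ /verify return:/) { verdict = "accepted"; decided = 1 }
            # Assumed markers: alert or dropped connection after the request.
            else if ($0 ~ /:error:/ || $0 ~ /errno=/) { verdict = "refused"; decided = 1 }
        }
        END {
            if (tls13) print "tls13"
            else if (!attempted) print "not-attempted"
            else if (decided) print verdict
            else print "inconclusive"
        }'
}

# Constructed transcript: server completes the second handshake.
sample_accepted() {
    cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
---
RENEGOTIATING
depth=0 CN = host.example.test
verify return:1
EOF
}

# Constructed transcript: server rejects the request (error line is a placeholder).
sample_refused() {
    cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
---
RENEGOTIATING
0:error:00000000:SSL routines:placeholder:handshake failure
EOF
}

echo "accepted sample -> $(sample_accepted | classify_reneg)"
echo "refused sample  -> $(sample_refused | classify_reneg)"
```

Both samples advertise secure renegotiation yet get different verdicts, which is why a scanner counts completed re-handshakes rather than reading that line.
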
  • cPRex Jurassic Moderator

    password1234 - any chance you could create a ticket with that report so we could see it in action?

    0
  • cPRex Jurassic Moderator

    Update - our team did investigate this a while back and confirmed that this vulnerability is not possible under TLS 1.3, so this would not affect current installations.  The only possible cPanel issue would be older systems, such as CentOS 7 on version 110 in some instances.

    There are some scanning tools online that show this CVE, which is from 2011, is still an issue when it really isn't.

    0
