SSL/TLS: Renegotiation DoS Vulnerability

Operating System & Version
Centos 7
cPanel & WHM Version
version: 11.106.0.1
amstel

amstel

Active Member
Nov 18, 2015
37
4
58
UK
cPanel Access Level
Root Administrator
Hi,

I have been running a security scan on one of my website. A scanner has found that issue:
SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)

Summary
The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.

Insight
The flaw exists because the remote SSL/TLS service does not properly restrict client-initiated renegotiation within the SSL and TLS protocols. Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state with the following rationale: >
It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.
Both CVEs are still kept in this VT as a reference to the origin of this flaw.

Solution
Users should contact their vendors for specific patch information. A general solution is to remove/disable renegotiation capabilities altogether from/in the affected SSL/TLS service.

Could you please advise?
 
Last edited by a moderator:
cPRex

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
17,470
2,843
363
cPanel Access Level
Root Administrator
Hey there! These vulnerabilities are from 2011, so it would be odd that they would exist on a modern server. Can you please provide the output of the following commands?

Code: 
rpm -qa | grep openssl-

cat /etc/redhat-release
Once we see that information we can get you more details.
 
  • Like
Reactions: amstel
amstel

amstel

Active Member
Nov 18, 2015
37
4
58
UK
cPanel Access Level
Root Administrator
Hi cPRex,

Thanks for your reply. Please see the output:

# rpm -qa | grep openssl-
openssl-libs-1.0.2k-25.el7_9.x86_64
cpanel-perl-532-crypt-openssl-rsa-0.31-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-pkcs12-1.3-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-pkcs10-0.16-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-random-0.15-1.cp1198.x86_64
ea-openssl-1.0.2u-2.2.1.cpanel.x86_64
openssl-1.0.2k-25.el7_9.x86_64
cpanel-perl-532-crypt-openssl-ec-1.32-1.cp1198.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64
cpanel-perl-532-crypt-openssl-bignum-0.09-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-dsa-0.19-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-x509-1.813-1.cp1198.x86_64



# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
 
cPRex

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
17,470
2,843
363
cPanel Access Level
Root Administrator
Thanks for those details. While you should move off CentOS 7 in the near future, I wouldn't expect your machine to be vulnerable to this issue. Here's some details in a thread when this issue originally was discovered:

forums.cpanel.net

TLS Renegotiation and Denial of Service Attacks

The following article was published yesterday. /http://blog.ivanristic.com/2011/10/tls-renegotiation-and-denial-of-service-attacks.html Is there a way to disable the client-initiated renegotiation in cpanel?
forums.cpanel.net forums.cpanel.net

I would ask the security scanning company specifically how they are testing this.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
K SSL/TLS Weak Key Exchange Supported? Security 6
T SSL/TLS EDIT Security 3
Spirogg In Progress CPANEL-40511 - SSL/TLS CONFIGURATION - how can we configure hostname SSL/TLS Configuration to RSA, 4,096-bit Security 4
R SSL/TLS Wizard reports HTTP DCV is wrong for wildcards Security 1
Y SSL/TLS Disabled Security 13
Similar threads
SSL/TLS Weak Key Exchange Supported?
SSL/TLS EDIT
In Progress CPANEL-40511 - SSL/TLS CONFIGURATION - how can we configure hostname SSL/TLS Configuration to RSA, 4,096-bit
SSL/TLS Wizard reports HTTP DCV is wrong for wildcards
SSL/TLS Disabled
Top Bottom