SSL/TLS: Renegotiation DoS Vulnerability

Operating System & Version
Centos 7
cPanel & WHM Version
version: 11.106.0.1

amstel

Active Member
Nov 18, 2015
37
4
58
UK
cPanel Access Level
Root Administrator
Hi,

I have been running a security scan on one of my website. A scanner has found that issue:
SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)

Summary
The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.

Insight
The flaw exists because the remote SSL/TLS service does not properly restrict client-initiated renegotiation within the SSL and TLS protocols. Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state with the following rationale: >
It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.
Both CVEs are still kept in this VT as a reference to the origin of this flaw.

Solution
Users should contact their vendors for specific patch information. A general solution is to remove/disable renegotiation capabilities altogether from/in the affected SSL/TLS service.

Could you please advise?
 
Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
17,470
2,843
363
cPanel Access Level
Root Administrator
Hey there! These vulnerabilities are from 2011, so it would be odd that they would exist on a modern server. Can you please provide the output of the following commands?

Code:
rpm -qa | grep openssl-

cat /etc/redhat-release
Once we see that information we can get you more details.
 
  • Like
Reactions: amstel

amstel

Active Member
Nov 18, 2015
37
4
58
UK
cPanel Access Level
Root Administrator
Hi cPRex,

Thanks for your reply. Please see the output:

# rpm -qa | grep openssl-
openssl-libs-1.0.2k-25.el7_9.x86_64
cpanel-perl-532-crypt-openssl-rsa-0.31-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-pkcs12-1.3-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-pkcs10-0.16-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-random-0.15-1.cp1198.x86_64
ea-openssl-1.0.2u-2.2.1.cpanel.x86_64
openssl-1.0.2k-25.el7_9.x86_64
cpanel-perl-532-crypt-openssl-ec-1.32-1.cp1198.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64
cpanel-perl-532-crypt-openssl-bignum-0.09-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-dsa-0.19-1.cp1198.x86_64
cpanel-perl-532-crypt-openssl-x509-1.813-1.cp1198.x86_64



# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
17,470
2,843
363
cPanel Access Level
Root Administrator
Thanks for those details. While you should move off CentOS 7 in the near future, I wouldn't expect your machine to be vulnerable to this issue. Here's some details in a thread when this issue originally was discovered:


I would ask the security scanning company specifically how they are testing this.