73894 : Multiple Vendor SSL/TLS Implementation Renegotiation DoS
Printer | http://osvdb.org/73894 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
30	3187	about 2 years ago	about 1 month ago	8 times	70%

Timeline

Disclosure Date
2011-03-16

Description

Multiple products contain a flaw that may allow a remote denial of service. The issue is triggered when a malicious client requests multiple SSL/TLS renegotations, and will result in loss of availability for the service.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Solution: Workaround
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by implementing the following workaround: Disable TLS/SSL renegotiation.

Products

Unknown or Incomplete

References

CVE ID: 2011-1473 (see also: NVD)
Secunia Advisory ID: 47188 49402 53065
Bugtraq ID: 48626
Vendor Specific News/Changelog Entry: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03315912
http://www.ibm.com/support/docview.wss?uid=swg21631322
https://hermes.opensuse.org/messages/12869344
Other Advisory URL: http://orchilles.com/2011/03/ssl-renegotiation-dos.html [ Auth Req'd ]
http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html
http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
http://www.ietf.org/mail-archive/web/tls/current/msg07564.html
http://www.ietf.org/mail-archive/web/tls/current/msg07567.html
http://www.ietf.org/mail-archive/web/tls/current/msg07576.html
http://www.ietf.org/mail-archive/web/tls/current/msg07577.html
http://www.openwall.com/lists/oss-security/2011/07/08/2
Packet Storm: http://packetstormsecurity.org/files/113582/HP-Security-Bulletin-HPSBMU02776-SSRT100852.html
Generic Exploit URL: http://www.thc.org/thc-ssl-dos/thc-ssl-dos-1.4.tar.gz

Tools & Filters

	53491

Credit

Unknown or Incomplete

CVSSv2 Score

CVSSv2 Base Score = 5.0
Source: nvd.nist.gov | Generated: 2012-06-18 | Disagree? | There are 1 more: View All

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.