SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094) #538

@eclhmf

Description

Hi,
during the security audit of our REST API, which uses the restbed library, a vulnerability regarding SSL/TLS was found.
The following CVEs are referenced:

  • CVE-2011-1473
  • CVE-2011-5094

TL;DR: An attacker can perform a computational DoS attack by performing many renegotiations within a single connection.

I have not found a way in the API (https://github.com/Corvusoft/restbed/blob/master/documentation/API.md#sslsettings) to limit renegotiations nor to disable them at all.

Libraries:

  • restbed 4.8
  • openssl 1.1.1

Additional reference:
https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation
