10-25-2012 08:27 AM - edited 03-18-2019 12:02 AM
custumer is telling me that they have found vulerability on vcs-expressway .
53491 - SSL / TLS Renegotiation DoS | [-/+] |
The remote service allows repeated renegotiation of TLS / SSL connections.
The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
http://orchilles.com/2011/03/ssl-renegotiation-dos.html |
http://www.ietf.org/mail-archive/web/tls/current/msg07553.html |
Contact the vendor for specific patch information.
The remote host is vulnerable to renegotiation DoS over TLSv1 / SSLv3.
what can i answer ? what are solutions ?
10-26-2012 04:46 AM
is there any solution ?
10-26-2012 05:04 AM
10-26-2012 05:34 AM
test was performed with "nessus" on vcs X7.2 , so if it was fixed why it's still showing up ?
10-26-2012 05:39 AM
Can you provide a current published CVE for this?
10-26-2012 05:43 AM
10-26-2012 05:58 AM
thanks, I've emailed one of the security guys in the development team to get their thoughts on this.
10-26-2012 06:01 AM
thanks , if there will be some news about this case please write in this discussion.
10-26-2012 09:33 AM
Hello Archil,
Thank you for visiting the support community and thank you to Guy for jumping in to help answer. The better channel to direct such questions is to the PSIRT team reachable at psirt@cisco.com as they have a dedicated team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. Additional information and further contact details are available here: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
Thank you,
Paula
03-07-2013 03:24 PM
Have you received an answer on this?
Thanks
03-08-2013 01:22 AM
answer was :
---------------------------
There is no upstream fix for CVE-2011-1473 in the third-party OpenSSL library as yet.
More information about this bug can be found at: http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html
In particular, the section "Is this a flaw with SSL/TLS?" discusses how this is not a significant risk (with the obvious caveat this is from a third-party security writer).
I don’t expect it to be fix anytime soon as even Redhat still has its own bug open (https://bugzilla.redhat.com/show_bug.cgi?id=707065).
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide