TLS Protocol Session Renegotiation Security Vulnerability

#24557
Posted: 04/10/2013 17:05:48
by Darian Miller (Standard support level)
Joined: 06/27/2011
Posts: 48

A new web scanner was installed that throws the warning below on an Indy HTTPS server using SBB9 transport. Have you seen this before? Is there a workaround/fix available?

Thanks


Threat Name                                                  ID                         Port     Risk
TLS Protocol Session Renegotiation Security Vulnerability    misc_opensslrenegotiation  443/TCP  medium

IMPACT
The vulnerability allows man-in-the-middle attack.

REFERENCE
The Multiple Vendor TLS Protocol Session Renegotiation Security vulnerability was reported in
[http://www.securityfocus.com/bid/36935/] Bugtraq ID 36935.

BACKGROUND
N/A

PROBLEM
Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
06/11/12
CVE 2009-3555
Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.

RESOLUTION
For OpenSSL, [http://www.openssl.org/source/] upgrade to 0.9.8l or higher.
For Microsoft IIS web servers, install the appropriate patch available through [http://technet.microsoft.com/en-us/security/bulletin/MS10-049] Microsoft Security Bulletin 10-049.
For other types of products, consult the product documentation.

INFORMATION FROM TARGET
Service: 443:TCP Session Renegotiation succeeded on 443:TCP
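The scanner finding above only reports that renegotiation succeeded; what distinguishes a server patched against CVE-2009-3555 from a vulnerable one is whether it negotiates the RFC 5746 renegotiation_info extension (0xff01). As an added example, not code from this thread or from SecureBlackbox, here is a Python parser a defender can use on a captured ServerHello to check for that extension; the sample ServerHello bytes are constructed here for offline testing.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type "renegotiation_info"
HANDSHAKE, SERVER_HELLO = 22, 2

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version, cipher and extensions."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    sh = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", sh[pos:pos + 2])[0]; pos += 2
    pos += 32                      # server random
    pos += 1 + sh[pos]             # session id (length-prefixed)
    cipher = struct.unpack("!H", sh[pos:pos + 2])[0]; pos += 2
    pos += 1                       # compression method
    extensions = {}
    if pos < len(sh):              # extensions block is optional (TLS 1.0 servers may omit it)
        ext_total = struct.unpack("!H", sh[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack("!HH", sh[pos:pos + 4]); pos += 4
            extensions[etype] = sh[pos:pos + elen]; pos += elen
    return {"version": version, "cipher": cipher, "extensions": extensions}

def supports_secure_renegotiation(hello: dict) -> bool:
    """RFC 5746: on the initial handshake a patched server echoes renegotiation_info
    with an empty renegotiated_connection field, i.e. a single 0x00 length byte.
    A missing extension means the server is unpatched (or the client did not signal
    support); a non-empty body on the initial handshake is a protocol violation
    and is also reported as unsupported here."""
    ext = hello["extensions"].get(RENEGOTIATION_INFO)
    return ext == b"\x00"

def build_server_hello(secure_reneg: bool) -> bytes:
    """Constructed sample: TLS 1.2 ServerHello, empty session id, cipher 0x002f,
    optionally carrying renegotiation_info as a patched server would send it."""
    sh = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if secure_reneg:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        sh += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(sh).to_bytes(3, "big") + sh
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for patched in (True, False):
        hello = parse_server_hello(build_server_hello(patched))
        print(f"cipher=0x{hello['cipher']:04x} secure_renegotiation={supports_secure_renegotiation(hello)}")
```

On a live server the same check is what `openssl s_client` summarises as "Secure Renegotiation IS supported" versus "IS NOT supported"; a scanner that only exercises renegotiation will flag both patched and unpatched servers.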
#24560
Posted: 04/11/2013 01:48:35
by Ken Ivanov (EldoS Corp.)

Hello Darian,

Please have a look at this knowledgebase article; it explains in detail what to do to make your code secure with regard to the renegotiation vulnerability.
