EldoS | Feel safer!


TLS Protocol Session Renegotiation Security Vulnerability

#24557
Posted: 04/10/2013 17:05:48
by Darian Miller (Standard support level)
Joined: 06/27/2011
Posts: 49

A new web scanner was installed that throws the warning below on an Indy HTTPS server using SBB9 transport. Have you seen this before? Is there a workaround/fix available?

Thanks


Threat Name: TLS Protocol Session Renegotiation Security Vulnerability
ID: misc_opensslrenegotiation
Port: 443/TCP
Risk: medium

IMPACT
The vulnerability allows man-in-the-middle attack.

REFERENCE
The Multiple Vendor TLS Protocol Session Renegotiation Security vulnerability was reported in
[http://www.securityfocus.com/bid/36935/] Bugtraq ID 36935.

BACKGROUND
N/A

PROBLEM
Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
06/11/12
CVE-2009-3555
Multiple vendors' TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.

RESOLUTION
For OpenSSL, [http://www.openssl.org/source/] upgrade to 0.9.8l or higher.
For Microsoft IIS web servers, install the appropriate patch available through [http://technet.microsoft.com/en-us/security/bulletin/MS10-049] Microsoft Security Bulletin 10-049.
For other types of products, consult the product documentation.

INFORMATION FROM TARGET
Service: 443:TCP Session Renegotiation succeeded on 443:TCP
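The scanner finding above only says that a renegotiation "succeeded"; what a defender actually wants to know is whether the server negotiates the RFC 5746 `renegotiation_info` extension (the fix for CVE-2009-3555), which `openssl s_client` reports as "Secure Renegotiation IS supported" / "IS NOT supported". The following is an added example, not code from EldoS, SecureBlackbox or the poster: it parses that `s_client` output (the three sample outputs are constructed, not captured from any real server) and turns it into a verdict, and `check_host` is a hypothetical helper that runs the real `openssl s_client` binary against a host you own. It assumes `openssl` is on the PATH and that TLS 1.3 connections report no renegotiation support because TLS 1.3 removed renegotiation altogether.

```python
import re
import subprocess
from typing import Optional

# Constructed excerpts of `openssl s_client` output (not from the poster's server).
SAMPLE_RFC5746 = """\
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

SAMPLE_LEGACY = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

SAMPLE_TLS13 = """\
CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""

# Remediation text for each verdict, drawn from the scanner's RESOLUTION section.
REMEDIATION = {
    "ok": "Server advertises RFC 5746 secure renegotiation; no action needed.",
    "legacy-renegotiation": (
        "Server renegotiates without RFC 5746 binding: upgrade the TLS library "
        "(OpenSSL 0.9.8l or higher, MS10-049 for IIS, vendor docs otherwise) or "
        "disable client-initiated renegotiation."
    ),
    "not-applicable": "TLS 1.3 has no renegotiation; CVE-2009-3555 does not apply.",
    "unknown": "Could not determine renegotiation status from the handshake output.",
}


def parse_s_client(output: str) -> dict:
    """Extract protocol version and secure-renegotiation status from s_client text."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.MULTILINE)
    protocol = proto.group(1) if proto else "unknown"

    secure: Optional[bool]
    if re.search(r"^Secure Renegotiation IS supported", output, re.MULTILINE):
        secure = True
    elif re.search(r"^Secure Renegotiation IS NOT supported", output, re.MULTILINE):
        secure = False
    else:
        secure = None

    # TLS 1.3 is checked first: OpenSSL prints "IS NOT supported" for it, but
    # that is because renegotiation no longer exists, not because it is insecure.
    if protocol == "TLSv1.3":
        verdict = "not-applicable"
    elif secure is True:
        verdict = "ok"
    elif secure is False:
        verdict = "legacy-renegotiation"
    else:
        verdict = "unknown"

    return {"protocol": protocol, "secure_renegotiation": secure,
            "verdict": verdict, "remediation": REMEDIATION[verdict]}


def check_host(host: str, port: int = 443, timeout: int = 15) -> dict:
    """Hypothetical helper: run the real openssl s_client against a host you operate."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input="", capture_output=True, text=True, timeout=timeout,
    )
    return parse_s_client(proc.stdout)


if __name__ == "__main__":
    for name, sample in [("rfc5746", SAMPLE_RFC5746), ("legacy", SAMPLE_LEGACY),
                         ("tls13", SAMPLE_TLS13)]:
        result = parse_s_client(sample)
        print(f"{name}: {result['protocol']} -> {result['verdict']}: {result['remediation']}")
```

The "legacy-renegotiation" verdict is the condition behind the scanner's finding: the server is willing to renegotiate but cannot cryptographically bind the new handshake to the old one, which is what lets the injected pre-renegotiation request be spliced in front of the victim's.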
#24560
Posted: 04/11/2013 01:48:35
by Ken Ivanov (Team)

Hello Darian,

Please have a look at this knowledgebase article; it explains in detail what to do to make your code secure with regard to the renegotiation vulnerability.
