SSL/TLS: Renegotiation Vulnerability
#1
Hi Team
Please advise how to resolve the below vulnerabilities
Thanks
Pramod

SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)
SSL/TLS: Renegotiation MITM Vulnerability (CVE-2009-3555)


The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.

The flaw exists because the remote SSL/TLS service does not properly restrict client-initiated renegotiation within the SSL and TLS protocols.

Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state with the following rationale:

> It can also be argued that it is the responsibility of server deployments not a security library to prevent or limit renegotiation when it is inappropriate within a specific environment.

Both CVEs are still kept in this VT as a reference to the origin of this flaw.

The flaw might make it easier for remote attackers to cause a DoS (CPU consumption) by performing many renegotiations within a single connection.
Reply
#2
(06-23-2023, 06:09 AM)pgnair Wrote: Hi Alex
Did you get a chance to look at it please?
Thanks
Pramod
Reply
#3
Hi,

I guess you've been using Indy server here is that correct?

From the issue:

> The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state

If you are using Indy (which uses OpenSSL) this will certainly affect your application. I think, once it is in disputed state, I believe you should just inform that you are using OpenSSL to provide SSL services.
Reply
#4
(07-04-2023, 05:00 AM)Alexandre Machado Wrote: Hi,

I guess you've been using Indy server here is that correct?

From the issue:

> The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state

If you are using Indy (which uses OpenSSL) this will certainly affect your application. I think, once it is in disputed state, I believe you should just inform that you are using OpenSSL to provide SSL services.
>I guess you've been using Indy server here is that correct?
Yes, I am using Indy Server.

>If you are using Indy (which uses OpenSSL)
OpenSSL DLLs are being used.

>I believe you should just inform that you are using OpenSSL
They might not accept such a comment. Is there any solution for this?
Reply
#5
This affects all OpenSSL versions as far as I know. I'll do some research but if this is not fixed in OpenSSL, it is a problem without solution, unless you move to Http.sys.

However, I'd like to point out that a gigantic part of Internet's HTTPS is powered by OpenSSL. I'm not convinced that these auditors consider half the world's HTTPS sites "unsafe"
Reply
#6
(07-04-2023, 05:46 AM)Alexandre Machado Wrote: This affects all OpenSSL versions as far as I know. I'll do some research but if this is not fixed in OpenSSL, it is a problem without solution, unless you move to Http.sys.

However, I'd like to point out that a gigantic part of Internet's HTTPS is powered by OpenSSL. I'm not convinced that these auditors consider half the world's HTTPS sites "unsafe"

Sorry to disturb you. The client is forcing me to fix this medium vulnerability. Is there any fix from OpenSSL or any other way to fix it?
Reply
#7
(09-26-2023, 03:37 AM)pgnair Wrote: Sorry to disturb you. The client is forcing me to fix this medium vulnerability. Is there any fix from OpenSSL or any other way to fix it?

I faced this problem before, and I switched the project to ISAPI to run under IIS instead of stand-alone. Another solution is to run your app behind a firewall/load balancer that is able to detect this threat
Reply
#8
You actually don't need to change it into an ISAPI app. You can still use the SA version with Http.sys base, instead of Indy. It will use the same infrastructure as IIS.

However, to @pgnair, we have just released IntraWeb 15.4.0 with OpenSSL 1.1.1 support which has several enhancements over the existing 1.0 branch. Maybe you should give it a try and see if the "warning" remains.
Reply
#9
(09-27-2023, 06:55 AM)Alexandre Machado Wrote: You actually don't need to change it into an ISAPI app. You can still use the SA version with Http.sys base, instead of Indy. It will use the same infrastructure as IIS.

However, to @pgnair, we have just released IntraWeb 15.4.0 with OpenSSL 1.1.1 support which has several enhancements over the existing 1.0 branch. Maybe you should give it a try and see if the "warning" remains.

Thanks Alex, will try
Reply
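
The scanner text in post #1 describes many renegotiations inside a single connection, and post #7 mentions a front-end that can detect it. The following is an added example, not code from this thread, IntraWeb, Indy or OpenSSL, showing how a TLS terminator or log pipeline could flag that pattern; the log format, function name and thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events (not from a real server): "<epoch_s> <conn_id> <event>".
# Assumption: the TLS terminator logs one handshake_start per handshake, so every
# handshake_start after the first on a connection is a renegotiation.
SAMPLE_EVENTS = """\
1000.0 c1 handshake_start
1000.2 c2 handshake_start
1001.0 c2 handshake_start
1001.2 c2 handshake_start
1001.4 c2 handshake_start
1001.6 c2 handshake_start
1002.0 c3 handshake_start
1010.0 c3 handshake_start
1025.0 c3 handshake_start
1030.0 c1 handshake_start
1040.0 c3 handshake_start
1055.0 c3 handshake_start
1060.0 c1 close
"""

def flag_renegotiation_floods(lines, max_renegs=3, window_s=10.0):
    """Map conn_id -> time it exceeded max_renegs renegotiations in window_s seconds."""
    handshaken = set()            # connections whose initial handshake was seen
    recent = defaultdict(deque)   # conn_id -> renegotiation timestamps in window
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue              # skip blank or malformed lines
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        conn, event = parts[1], parts[2]
        if event == "close":      # forget per-connection state on teardown
            handshaken.discard(conn)
            recent.pop(conn, None)
        elif event == "handshake_start":
            if conn not in handshaken:
                handshaken.add(conn)   # initial handshake, not a renegotiation
                continue
            window = recent[conn]
            window.append(ts)
            while window and ts - window[0] > window_s:
                window.popleft()       # drop renegotiations older than the window
            if len(window) > max_renegs:
                flagged.setdefault(conn, ts)   # keep the first time it tripped
    return flagged
```

Calling it with `max_renegs=0` models a policy that refuses client-initiated renegotiation outright. OpenSSL 1.1.0h and later expose `SSL_OP_NO_RENEGOTIATION` for that; whether Indy or IntraWeb sets it is not stated in this thread.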

