restbed icon indicating copy to clipboard operation
restbed copied to clipboard
verified publisher icon Corvusoft

SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)

Open eclhmf opened this issue 3 years ago • 0 comments

Hi, during the security audit of our REST-API, which uses the restbed library, a vulnerability regarding SSL/TLS occurred. The following CVEs are referenced:

  • CVE-2011-1473
  • CVE-2011-5094 TLDR; An attacker can perform a computational DoS attack by performing many renegotiations within a single connection.

I have not found a way in the API (https://github.com/Corvusoft/restbed/blob/master/documentation/API.md#sslsettings) to limit renegotiations nor to disable them at all.

libraries:

  • restbed 4.8
  • openssl 1.1.1

Additional reference: https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation

eclhmf avatar Jan 25 '23 09:01 eclhmf