Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2011-5094
Last Modified 18 Jun 2012 12:00:00
Published 16 Jun 2012 05:55:02
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2011-5094

Summary

** DISPUTED ** Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.

Vulnerable Systems

Application

  • Mozilla Network Security Services 3.11.2

  • Mozilla Network Security Services 3.11.3

  • Mozilla Network Security Services 3.11.4

  • Mozilla Network Security Services 3.11.5

  • Mozilla Network Security Services 3.2

  • Mozilla Network Security Services 3.2.1

  • Mozilla Network Security Services 3.3

  • Mozilla Network Security Services 3.3.1

  • Mozilla Network Security Services 3.3.2

  • Mozilla Network Security Services 3.4

  • Mozilla Network Security Services 3.4.1

  • Mozilla Network Security Services 3.4.2

  • Mozilla Network Security Services 3.5

  • Mozilla Network Security Services 3.6

  • Mozilla Network Security Services 3.6.1

  • Mozilla Network Security Services 3.7

  • Mozilla Network Security Services 3.7.1

  • Mozilla Network Security Services 3.7.2

  • Mozilla Network Security Services 3.7.3

  • Mozilla Network Security Services 3.7.5

  • Mozilla Network Security Services 3.7.7

  • Mozilla Network Security Services 3.8

  • Mozilla Network Security Services 3.9


References

MISC - https://bugzilla.redhat.com/show_bug.cgi?id=707065

MLIST - [oss-security] 20110708 SSL renegotiation DoS CVE-2011-1473

MLIST - [tls] 20110318 Re: SSL Renegotiation DOS

MLIST - [tls] 20110315 Re: SSL Renegotiation DOS

MLIST - [tls] 20110315 SSL Renegotiation DOS

MISC - http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html

MISC - http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

MISC - http://orchilles.com/2011/03/ssl-renegotiation-dos.html


Last Updated: 27 May 2016 10:56:31