CVE-2011-1473
published 2012-06-16

Priority: P3 · 39 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 67.70% (99.2th percentile)
OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.

Affected

35 ranges · showing 25

Vendor | Product | Version range | Fixed in
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
mozilla | network_security_services | |
openssl | openssl | <= 0.9.8k |
openssl | openssl | |

Detection & IOCs (extracted from sources)

  • CVE-2011-1473 affects OpenSSL before 0.9.8l, and versions 0.9.8m through 1.x; client-initiated SSL/TLS renegotiation is not restricted, enabling CPU exhaustion DoS by performing many renegotiations within a single connection
  • For NSS-based servers, the SSL_ENABLE_RENEGOTIATION option can be set to SSL_RENEGOTIATE_NEVER to detect/block renegotiation abuse; the NSS_SSL_ENABLE_RENEGOTIATION environment variable set to 0 or 'n' can also enforce this without application changes
  • For httpd/mod_ssl deployments, client-initiated renegotiations were already rejected as a mitigation backported to RHEL packages; verify mod_ssl configuration rejects client-initiated renegotiations as a detection/prevention control
  • The CVE is marked DISPUTED; it can be argued that preventing renegotiation abuse is the responsibility of server deployments rather than the SSL/TLS library itself
  • Red Hat marked all affected OpenSSL packages (RHEL 4, 5, 6) as 'Will not fix', meaning no vendor patch is available; detection and mitigation must rely on configuration controls
  • OpenSSL 0.9.8l disabled renegotiation as a temporary fix for CVE-2009-3555, not specifically for this DoS; renegotiation was re-enabled in 0.9.8m with RFC5746 support, which the original reporter considered insufficient for this DoS vector

CVSS provenance

nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat · 5.0 · MEDIUM