SecurityMetrics failure One I have never seen - MiTM Plaintext Data Inject?

jols

We get this failure with a high number TCP port, along with the following comments, in part:

------------------------
Description: SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Synopsis: The remote service allows insecure renegotiation of TLS / SSL connections.

Impact: The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks...

See also:
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.kb.cert.org/vuls/id/120541
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746

Data Received: TLSv1 supports insecure renegotiation. SSLv3 supports insecure renegotiation.

Resolution: Contact the vendor for specific patch information.
------------------------

Any ideas of how we could plug this one up?

Thanks for any assistance.
 

vincentg

For version Centos 5.x - If you have latest openssl ver 9.8e you are fine - it's a false positive.

This is fixed in CVE-2009-3555
* Do Feb 18 2010 Tomas Mraz <[email protected]> 0.9.8e-14
- fix CVE-2009-3555 - support the safe renegotiation extension and
do not allow legacy renegotiation on the server by default (#533125)
The highest version of openssl for Centos 5.x is ver 9.8e.

All versions starting with 0.98m and higher of openssl are fixed, and a setting (SSLInsecureRenegotiation) is added in Apache 2.2.15 which defaults to off.
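
One way to confirm the false positive described in the reply above, as an added example that is not part of the original thread: it checks the package changelog for the CVE-2009-3555 backport and the renegotiation line printed by `openssl s_client`. The function names, verdict words and sample text are assumptions made for illustration; HOST:PORT is a placeholder for the flagged service.

```shell
#!/bin/sh
# Added example. Live inputs would come from:
#   rpm -q --changelog openssl
#   openssl s_client -connect HOST:PORT </dev/null 2>&1

# Succeeds if the changelog text on stdin records the CVE-2009-3555 backport.
has_reneg_backport() {
    grep -q 'CVE-2009-3555'
}

# Prints secure / insecure / unknown from s_client output on stdin.
# Older s_client builds print no renegotiation line at all, hence "unknown".
reneg_status() {
    rs_out=$(cat)
    case "$rs_out" in
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# triage CHANGELOG_TEXT SCLIENT_TEXT -> one-word verdict on the scan finding.
triage() {
    tr_status=$(printf '%s\n' "$2" | reneg_status)
    if printf '%s\n' "$1" | has_reneg_backport; then
        case "$tr_status" in
            secure)   echo false_positive ;;  # patched library, service offers RFC 5746
            insecure) echo check_service ;;   # package patched, this service is not using it
            *)        echo inconclusive ;;    # client gave no renegotiation line
        esac
    else
        case "$tr_status" in
            secure) echo check_package ;;     # service may carry its own TLS library
            *)      echo unpatched ;;
        esac
    fi
}

# Constructed samples: changelog text as quoted in the thread, plus the status
# line printed by OpenSSL clients that report renegotiation support.
SAMPLE_CHANGELOG='- fix CVE-2009-3555 - support the safe renegotiation extension and
  do not allow legacy renegotiation on the server by default (#533125)'
SAMPLE_SCLIENT='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported'

triage "$SAMPLE_CHANGELOG" "$SAMPLE_SCLIENT"
```

A running service keeps the library it loaded at start, so restart it after updating openssl and before re-testing.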