Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

SecuirtyMetrics failure One I have never seen - MiTM Plaintext Data Inject?

Discussion in 'Security' started by jols, Jan 16, 2013.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    3
    Trophy Points:
    168
    We get this failure with a high number TCP port, along with the following comments, in part:

    ------------------------
    Description: SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

    Synopsis: The remote service allows insecure renegotiation of TLS / SSL connections.Impact: The remote service encrypts traffic using TLS / SSL but allows a client toinsecurely renegotiate the connection after the initial handshake. An unauthenticated,remote attacker may be able to leverage this issue to inject an arbitrary amount ofplaintext into the beginning of the application protocol stream, which could facilitateman-in-the-middle attacks...

    See also : http://www.ietf.org/mail- archive/web/tls/current/msg03948.htmlhttp://www.kb.cert.org/vuls/id/120541 http://www.g-sec.lu/practicaltls.pdfhttp://tools.ietf.org/html/rfc5746 Data Received: TLSv1 supports insecurerenegotiation. SSLv3 supports insecure renegotiation. Resolution: Contact the vendorfor specific patch information.
    ------------------------

    Any ideas of how we could plug this one up?

    Thanks for any assistance.
     
    #1 jols, Jan 16, 2013
  2. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    146
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    new york
    For version Centos 5.x - If you have latest openssl ver 9.8e you are fine - it's a false postive.

    This is fixed in CVE-2009-3555
    * Do Feb 18 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-14
    - fix CVE-2009-3555 - support the safe renegotiation extension and
    do not allow legacy renegotiation on the server by default (#533125)
    The highest version of openssl for Centos 5.x is ver 9.8e.

    All versions starting with 0.98m and higher of openssl are fixed and a setting ( SSLInsecureRenegotiation ) is added in Apache 2.2.15 which defaults to off.
     
    #2 vincentg, Feb 28, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - SecuirtyMetrics failure never
  1. mvandemar

    Pending Publication [CPANEL-24359] Inaccurate service failure notifications sent out when license is not valid

    mvandemar, Dec 16, 2018 at 9:32 PM, in forum: E-mail Discussion
    Replies:
    2
    Views:
    120
    cPanelMichael
    Dec 17, 2018 at 12:14 PM
  2. Zahra95

    Exceeded the max defers and failures per hour error

    Zahra95, Dec 16, 2018 at 5:09 AM, in forum: E-mail Discussion
    Replies:
    3
    Views:
    141
    cPanelLauren
    Dec 18, 2018 at 11:39 AM
  3. Julia_M123

    IMAP & Exim Failures

    Julia_M123, Dec 14, 2018 at 12:14 AM, in forum: E-mail Discussion
    Replies:
    3
    Views:
    291
    cPanelMichael
    Dec 17, 2018 at 3:27 PM
  4. Seyed

    Webmail Login Failure | Correct login information

    Seyed, Dec 13, 2018 at 10:53 PM, in forum: E-mail Discussion
    Replies:
    19
    Views:
    354
    cPanelMichael
    Dec 17, 2018 at 1:57 PM
  5. greektranslator

    SOLVED Service failures after upgrading system to CentOS version 7.6

    greektranslator, Dec 4, 2018, in forum: General Discussion
    Replies:
    51
    Views:
    3,096
    Infopro
    Dec 15, 2018 at 12:09 PM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice