oss-sec mailing list archives
Re: CVE requests: OpenBSD httpd - 2 DoS
From: Pierre Kim <pierre.kim.sec () gmail com>
Date: Thu, 2 Feb 2017 09:31:30 +0100
Hello,
[...]
DoS: CPU exhaustion with SSL client-initiated renegotiation,Is this a public vulnerability? It does not have any obvious match with the latest https://github.com/openbsd/src/commits/master/usr.sbin/httpd commits.
From OpenBSD team:
o High CPU usage is a well-known issue of client-initiated renegotiation. While this can cause higher than normal CPU usage, the processes are still able to service requests. As httpd uses LibreSSL's libtls, a sane TLS API on top of libssl, we decided to disable client-initiated renegotiation for libtls servers in -current. This change was already planned and has now been committed to LibreSSL. libssl http://marc.info/?l=openbsd-cvs&m=148587695222112&w=2 libtls http://marc.info/?l=openbsd-cvs&m=148587827322528&w=2
If you think it doesn't deserve a CVE, then I will publish the advisory without.
From my tests, during an attack, the httpd has some difficulties to
provide replies to clients. Regards, -- Pierre Kim pierre.kim.sec () gmail com @PierreKimSec https://pierrekim.github.io/
Current thread:
- CVE requests: OpenBSD httpd - 2 DoS Pierre Kim (Jan 31)
- Re: CVE requests: OpenBSD httpd - 2 DoS cve-assign (Feb 01)
- Re: CVE requests: OpenBSD httpd - 2 DoS Pierre Kim (Feb 02)
- Re: CVE requests: OpenBSD httpd - 2 DoS cve-assign (Feb 01)