Vulnerability Details : CVE-2011-5094
Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment
Vulnerability category: Denial of service
Products affected by CVE-2011-5094
- cpe:2.3:a:mozilla:network_security_services:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.11.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-5094
3.59%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-5094
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST |
References for CVE-2011-5094
-
http://www.ietf.org/mail-archive/web/tls/current/msg07576.html
Archive
-
http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
TLS computational DoS mitigation | Vincent Bernat
-
http://orchilles.com/2011/03/ssl-renegotiation-dos.html
Jorge Orchilles | Page not found
-
http://www.openwall.com/lists/oss-security/2011/07/08/2
oss-security - SSL renegotiation DoS CVE-2011-1473
-
http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Archive
-
http://www.ietf.org/mail-archive/web/tls/current/msg07564.html
Archive
-
http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html
SSL/TLS and Computational DoS - Educated Guesswork
-
https://bugzilla.redhat.com/show_bug.cgi?id=707065
707065 – (CVE-2011-1473) CVE-2011-1473 openssl: DoS via repeated SSL session renegotiations
-
http://www.ietf.org/mail-archive/web/tls/current/msg07577.html
Archive
-
http://www.ietf.org/mail-archive/web/tls/current/msg07567.html
Archive
Jump to