OpenBMC and https Vulnerable issue.
Bruce Mitchell
Bruce_Mitchell at phoenix.com
Thu Nov 7 09:18:52 AEDT 2019
> -----Original Message-----
> From: openbmc [mailto:openbmc-bounces+bruce_mitchell=phoenix.com at lists.ozlabs.org] On Behalf Of James Feist
> Sent: Wednesday, November 6, 2019 13:52
> To: Bruce Mitchell; OpenBMC Maillist
> Subject: Re: OpenBMC and https Vulnerable issue.
>
> On 11/6/19 11:31 AM, Bruce Mitchell wrote:
> > From my investigations on TLS there seems to be 2 issues that could be corrected with OpenBMC's https:
> > 1 Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
>
> This CVE is disputed https://www.cvedetails.com/cve/CVE-2011-1473/ due
> to CPU consumption issues that might make it easier to cause a DOS
> (which is arguably already not that difficult on a BMC). That being said
> the fix is a 1 liner, so I implemented it and it seems to work, but I
> need to see if there are any consequences.
>
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/26992
>
>
>
> > 2 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS
> > and xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>
> Based on this https://wiki.crashtest-security.com/prevent-ssl-lucky13, we are using the recommended ciphers,
> https://github.com/openbmc/bmcweb/blob/1f8c7b5d6a679a38b82261060310b876079d0f8b/include/ssl_key_handler.hpp#L330.
> And based on this comment from the maintainer of testssl, no tool can determine this externally, and it's just a warning:
> https://github.com/drwetter/testssl.sh/issues/1011#issuecomment-372953654.
> Do you have any suggestions on if there is anything to change for this one?
>
> Thanks
>
> -James
>
Thanks James, I accept your assessment.
-Bruce
>
> >
> > Present standard of practice seems to be to not allow Secure Client-Initiated Renegotiation and to not allow CBC ciphers.
> >
> > Is this your understanding as well?
> >
> > Thank you!
> >
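The two hardening points discussed in this thread, refusing client-initiated renegotiation and dropping CBC (MAC-then-encrypt) suites such as TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, expressed as a server-side policy plus a self-check. This is an added example in Python's `ssl` module, not bmcweb code; it assumes Python 3.7+ on OpenSSL 1.1.1 or later, where `ssl.OP_NO_RENEGOTIATION` and the `aead` field of `get_ciphers()` are available.

```python
import ssl

# Constructed policy string: AEAD-only suites over ephemeral ECDH. CBC suites
# (e.g. ECDHE-ECDSA-AES128-SHA256, the OpenSSL name for the IANA suite quoted
# in the thread) do not match this string and are therefore never offered.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"

# Constructed "before" policy for comparison: ECDHE+AES also matches CBC suites.
PERMISSIVE = "ECDHE+AES:ECDHE+AESGCM:!aNULL:!eNULL:!MD5"

# OpenSSL flag that refuses renegotiation requests on TLS 1.2 and older.
# TLS 1.3 removed renegotiation from the protocol, so the flag is 0 on builds
# that predate it (assumption: the verifier's OpenSSL is 1.1.1+).
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def server_context(cipher_string: str, disable_reneg: bool) -> ssl.SSLContext:
    """Build a server-side context with the given cipher policy."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    if disable_reneg:
        ctx.options |= NO_RENEG
    return ctx


def cbc_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that are not AEAD, i.e. CBC MAC-then-encrypt
    constructions that Lucky13-style timing attacks target."""
    weak = []
    for c in ctx.get_ciphers():
        aead = c.get("aead", "Mac=AEAD" in c.get("description", ""))
        if not aead:
            weak.append(c["name"])
    return weak


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context carries SSL_OP_NO_RENEGOTIATION."""
    return bool(NO_RENEG) and bool(ctx.options & NO_RENEG)


def offers(ctx: ssl.SSLContext, openssl_name: str) -> bool:
    """Whether a suite (OpenSSL naming) is still in the enabled list."""
    return any(c["name"] == openssl_name for c in ctx.get_ciphers())


if __name__ == "__main__":
    hardened = server_context(AEAD_ONLY, disable_reneg=True)
    print("CBC suites still enabled:", cbc_ciphers(hardened))
    print("renegotiation disabled:", renegotiation_disabled(hardened))
```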