lighttpd using vulnerable cipher suites with SNI

2013-11-04 / 2013-11-05
Credit: Nathan Bishop
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

I'd like to request a CVE id for the following bug:

Nathan Bishop <me () nbishop name> reported (http://redmine.lighttpd.net/issues/2525) that lighttpd uses vulnerable cipher suites when SNI is used:

    $HTTP["Host"] == "example.com" {
        ssl.pemfile = "/etc/ssl/certs/example.com.pem"
    }
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/ssl/certs/default.pem"
        ssl.cipher-list = "HIGH"
    }

This config uses the "DEFAULT" cipher list for "example.com", which includes export ciphers.

More details are available at:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt

Please note that the patch is not final yet, and can't be found in SVN. We're still discussing:

* whether other options should work in SNI context (we could add all ssl.ca-files to all SSL_CTX instances)
* whether to set a default ssl.cipher-list, and which string to pick

regards,
Stefan
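An added example, not part of the report or the lighttpd project: a small Python check that flags conditional blocks which set ssl.pemfile without their own ssl.cipher-list, the pattern the report says ends up on the "DEFAULT" list. The brace matcher is a simplification that assumes no braces inside quoted strings; SAMPLE_CONF is the configuration quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the configuration quoted in the report above.
SAMPLE_CONF = '''
$HTTP["Host"] == "example.com" {
    ssl.pemfile = "/etc/ssl/certs/example.com.pem"
}
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/certs/default.pem"
    ssl.cipher-list = "HIGH"
}
'''

# Header of a conditional block, e.g. $HTTP["host"] == "example.com" {
BLOCK_RE = re.compile(
    r'(\$(?:HTTP|SERVER)\["[^"]+"\]\s*(?:==|!=|=~|!~)\s*"[^"]*")\s*\{')
# ssl.* assignments with a quoted string value
OPTION_RE = re.compile(r'(?<![\w.])(ssl\.[\w-]+)\s*=\s*"([^"]*)"')

def blocks(conf):
    """Yield (condition, own_body) per conditional block, nested ones included.
    own_body holds only text at the block's own depth, so options set in a
    nested block are not credited to its parent."""
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)  # drop full-line comments
    for m in BLOCK_RE.finditer(conf):
        depth, own = 1, []
        for ch in conf[m.end():]:
            depth += (ch == '{') - (ch == '}')
            if depth == 0:
                break
            if depth == 1:
                own.append(ch)
        yield m.group(1), ''.join(own)

def audit(conf):
    """Return conditions of blocks that set ssl.pemfile but no ssl.cipher-list."""
    findings = []
    for cond, body in blocks(conf):
        opts = dict(OPTION_RE.findall(body))
        if 'ssl.pemfile' in opts and 'ssl.cipher-list' not in opts:
            findings.append(cond)
    return findings

if __name__ == '__main__':
    for cond in audit(SAMPLE_CONF):
        print('ssl.pemfile without ssl.cipher-list in block:', cond)
```
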

References:

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://redmine.lighttpd.net/issues/2525
http://seclists.org/oss-sec/2013/q4/215

