pcsd allows TLS secure client-initiated renegotiation on port 2224
Issue
pcsdallows TLS secure client-initiated renegotiation on port 2224.- Penetration test says
pcsdmay be vulnerable to DoS attacks. - Penetration test revealed the following vulnerability:
Secure Client-Initiated Renegotiation allowed on port 2224 (Pacemaker): The remote service encrypts traffic using TLS and permits clients to renegotiate TLS connections. The handshake is only performed at the beginning of a secure connection to establish it. When TLS renegotiation is enabled on the server, a user is allowed to send a renegotiation request, which initiates a new handshake. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing at least ten times more processing power than on the client.
Environment
- Red Hat Enterprise Linux Server 6 (with the High Availability Add-on)
- Pacemaker
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.