A Denial-of-Service (DoS) flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. Accordingly, the following vulnerabilities are addressed in this document that may affect the TLS/SSL data-plane of ACOS devices.
||SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS [1, 2, 3]
The table below indicates releases of ACOS exposed to these vulnerabilities and ACOS releases that address these issues or are otherwise unaffected by them.
Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.
||Releases Resolved or Unaffected
|4.1.0 – 4.1.0-P7
|2.7.2 – 2.7.2-P9
|2.7.1-GR1 – 2.7.1-GR1-P2
|2.6.1-GR1 – 2.6.1-GR1-P16
||2.7.1-GR1-P3, 2.7.2-P10, 4.1.0-P8, 4.1.1-P1
Workarounds and Mitigations
Exposure to this vulnerability can be mitigated by configuring firewalls to limit the number of connections per IP address, or use deep packet inspection to reject this type of alert packets.
The following table shares brief descriptions for the vulnerabilities addressed in this document.
||A flaw was found in the way OpenSSL processed ALERT packets during an SSL handshake. A attacker basically sends a large number of plaintext WARNING pkgs after CLIENTHELLO, which causes OpenSSL to go into a endless loop (while the attacker keeps on sending more alert packets), consequently taking 100% CPU. This may cause certain applications compiled against OpenSSL to hang and may not be able to serve content to the clients. This is specifically true about for servers which do not for or allocate extra thread for the processing of ClientHello like nginx.