OpenSSL 1.1.0 < 1.1.0e Encrypt-Then-Mac Extension DoS
Severity: High | Nessus Plugin ID: 97328
Synopsis
A service running on the remote host is affected by a denial of service vulnerability.

Description
According to its banner, the version of OpenSSL running on the remote host is 1.1.0 prior to 1.1.0e. It is, therefore, affected by a denial of service vulnerability that is triggered during a renegotiation handshake in which the Encrypt-Then-Mac extension is negotiated when it was not in the original handshake, or vice versa. An unauthenticated, remote attacker can exploit this issue to cause OpenSSL to crash, depending on which cipher suite is being used. Note that both clients and servers are affected.

Solution
Upgrade to OpenSSL version 1.1.0e or later.
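The plugin decides "affected" from the version in the banner, and the subtlety is OpenSSL's letter-suffix versioning: 1.1.0 (no letter) through 1.1.0d are inside the range, 1.1.0e is the fix. The following is an added, stand-alone example of that banner check (not Nessus code; the banner strings in the comments are constructed samples):

```python
import re
from typing import Optional, Tuple

# Range from the advisory: 1.1.0 base release up to and including 1.1.0d are
# affected; 1.1.0e is the first fixed release. Other branches are out of scope here.
AFFECTED_BRANCH = (1, 1, 0)
FIXED = (1, 1, 0, "e")

# Matches "OpenSSL 1.1.0d  26 Jan 2017" (CLI output) as well as
# "Apache/2.4.25 (Unix) OpenSSL/1.1.0c" (HTTP Server header style).
_VERSION_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, fix, letter) from a banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.lower()


def _sort_key(v: Tuple[int, int, int, str]):
    # The bare release sorts before any lettered one (1.1.0 < 1.1.0a), and a
    # two-letter suffix sorts after every single letter ("z" < "za"), so the
    # suffix is compared by length first and then lexically.
    major, minor, fix, letter = v
    return (major, minor, fix, len(letter), letter)


def is_affected(banner: str) -> bool:
    """True when the banner advertises OpenSSL 1.1.0 through 1.1.0d."""
    v = parse_openssl_version(banner)
    if v is None or v[:3] != AFFECTED_BRANCH:
        return False
    return _sort_key(v) < _sort_key(FIXED)
```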