Transport Layer Security (TLS) Protocol CRIME Vulnerability

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote service has a configuration that may make it vulnerable to
the CRIME attack.

Description :

The remote service has one of two configurations that are known to be
required for the CRIME attack:

- SSL / TLS compression is enabled.

- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the
remote service.
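As an added detection example (not part of this Nessus plugin or any Tenable code), the following Python parses a TLS ServerHello record and reports the two preconditions listed above: a non-null compression_method, or an NPN/ALPN advertisement of a SPDY version below 4. The ServerHello bytes are a constructed sample, not a capture, and the function names are this example's own.

```python
import struct

TLS_HANDSHAKE, SERVER_HELLO, COMPRESSION_NULL = 0x16, 0x02, 0x00   # RFC 5246 values
EXT_ALPN, EXT_NPN = 0x0010, 0x3374   # NPN (draft-agl-tls-nextprotoneg) is how SPDY was advertised

def build_server_hello(compression: int, npn: list[str]) -> bytes:
    """Constructed sample (not a capture): minimal TLS 1.2 ServerHello record with an NPN extension."""
    ext_data = b"".join(bytes([len(n)]) + n.encode("ascii") for n in npn)
    ext = struct.pack("!HH", EXT_NPN, len(ext_data)) + ext_data if npn else b""
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + bytes([compression])
            + struct.pack("!H", len(ext)) + ext)      # version, random, empty session_id, cipher
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs

def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated compression_method and any NPN/ALPN protocol names."""
    if len(record) < 9 or record[0] != TLS_HANDSHAKE or record[5] != SERVER_HELLO:
        raise ValueError("not a TLS ServerHello record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                     # skip protocol version and random
    pos += 1 + p[pos]                # skip session_id
    pos += 2                         # skip cipher_suite
    compression, pos = p[pos], pos + 1
    protocols = []
    if pos + 2 <= len(p):            # extensions block is optional
        end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", p[pos:pos + 4])
            data, pos = p[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype in (EXT_NPN, EXT_ALPN):
                i = 2 if etype == EXT_ALPN else 0   # ALPN prefixes a 2-byte list length
                while i < len(data):
                    protocols.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
                    i += 1 + data[i]
    return {"compression": compression, "protocols": protocols}

def crime_preconditions(record: bytes) -> list[str]:
    """Report the two server-side conditions the plugin flags; no attack traffic is involved."""
    hello = parse_server_hello(record)
    findings = []
    if hello["compression"] != COMPRESSION_NULL:
        findings.append("tls_compression_enabled")
    for name in hello["protocols"]:
        major = name[5:].split(".")[0] if name.startswith("spdy/") else ""
        if major.isdigit() and int(major) < 4:
            findings.append(f"spdy_below_4:{name}")
    return findings
```

A real check would feed the ServerHello captured from the service under review into crime_preconditions; an empty list means neither precondition is present.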

See also :

http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
https://discussions.nessus.org/thread/5546
http://www.nessus.org/u?e8c92220
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Solution :

Disable compression and / or the SPDY service.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: General

Nessus Plugin ID: 62565

Bugtraq ID: 55704, 55707

CVE ID: CVE-2012-4929, CVE-2012-4930