Test ID:	1.3.6.1.4.1.25623.1.0.108094
Category:	SSL and TLS
Title:	SSL/TLS: TLS/SPDY Protocol Information Disclosure Vulnerability (CRIME)
Summary:	The TLS/SPDY protocols are prone to an information disclosure vulnerability.
Description:	Summary: The TLS/SPDY protocols are prone to an information disclosure vulnerability. Vulnerability Impact: A man-in-the-middle attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. Affected Software/OS: Services enabling TLS compression or supporting the SPDY protocol below SPDY/4 via HTTPS. Solution: Disable TLS compression in the configuration of this services. If SPDY below 4 is used upgrade the webserver to a version which supports the successor protocol SPDY/4 or HTTP/2. Please see the references for more resources supporting you with this task. CVSS Score: 2.6 CVSS Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-4929 http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html BugTraq ID: 55704 http://www.securityfocus.com/bid/55704 Debian Security Information: DSA-2579 (Google Search) http://www.debian.org/security/2012/dsa-2579 Debian Security Information: DSA-2627 (Google Search) http://www.debian.org/security/2013/dsa-2627 Debian Security Information: DSA-3253 (Google Search) http://www.debian.org/security/2015/dsa-3253 http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html HPdes Security Advisory: HPSBUX02866 http://marc.info/?l=bugtraq&m=136612293908376&w=2 HPdes Security Advisory: SSRT101139 http://jvn.jp/en/jp/JVN65273415/index.html http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/ http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html http://news.ycombinator.com/item?id=4510829 http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312 http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512 http://www.ekoparty.org/2012/thai-duong.php http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091 http://www.theregister.co.uk/2012/09/14/crime_tls_attack/ https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls https://gist.github.com/3696912 https://github.com/mpgn/CRIME-poc https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920 RedHat Security Advisories: RHSA-2013:0587 http://rhn.redhat.com/errata/RHSA-2013-0587.html SuSE Security Announcement: openSUSE-SU-2012:1420 (Google Search) http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html SuSE Security Announcement: openSUSE-SU-2013:0143 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html SuSE Security Announcement: openSUSE-SU-2013:0157 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html http://www.ubuntu.com/usn/USN-1627-1 http://www.ubuntu.com/usn/USN-1628-1 http://www.ubuntu.com/usn/USN-1898-1 Common Vulnerability Exposure (CVE) ID: CVE-2012-4930 https://bugzilla.redhat.com/show_bug.cgi?id=857737 SuSE Security Announcement: SUSE-SU-2012:1351 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html
Copyright	Copyright (C) 2017 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.