Hello,
since October 2012 our Nessus environment lists a "TLS Crime Vulnerability" on all our Windows Servers that have the (currently 5.0.1) Splunk Forwarder installed. Can that be solved via config (e.g. disable compression and / or the SPDY service)? If yes, how?
Synopsis: The remote service has a configuration that may make it vulnerable to the CRIME attack.
Description
The remote service has one of two configurations that are known to be required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.
Note that Nessus did not attempt to launch the CRIME attack against the remote service.
Solution
Disable compression and / or the SPDY service.
See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
http://www.nessus.org/u?a1e45597
Risk Factor: Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#E:F/RL:OF/RC:C)
Plugin Output
The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :
- SSL / TLS compression is enabled.
CVE
CVE-2012-4929
CVE-2012-4930
BID
55704
55707
Cross-References
OSVDB:85926
OSVDB:85927
Vulnerability Publication Date: 2012/09/15
Plugin Publication Date: 2012/10/16
Plugin Last Modification Date: 2012/10/22
Public Exploit Available: True
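The "SSL / TLS compression is enabled" condition in the plugin output above can be confirmed independently by reading the compression method the service selects in its ServerHello. The following is an added example, not part of the original post and not Splunk or Nessus code; it parses a TLS 1.0-1.2 ServerHello record, and the function names and the sample record are constructed for illustration.

```python
import struct

COMPRESSION_NAMES = {0: "null", 1: "DEFLATE"}  # method 1 is DEFLATE (RFC 3749)


def server_hello_compression(record: bytes) -> int:
    """Return the compression_method byte chosen in a TLS 1.0-1.2 ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not start with a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # server_version (2 bytes) and random (32 bytes) precede the session_id length
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    offset = 35 + sid_len + 2  # skip session_id and the 2-byte cipher_suite
    if len(hello) <= offset:
        raise ValueError("truncated ServerHello")
    return hello[offset]


def compression_finding(record: bytes) -> str:
    """Summarise the selected method the way the scanner finding is worded."""
    method = server_hello_compression(record)
    name = COMPRESSION_NAMES.get(method, f"unknown({method})")
    state = "enabled" if method != 0 else "disabled"
    return f"TLS compression {state} ({name})"


def sample_server_hello(method: int, session_id: bytes = b"") -> bytes:
    """Constructed TLS 1.0 ServerHello for testing; not captured from a real host."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + b"\x00\x2f" + bytes([method]))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for m in (0, 1):
        print(compression_finding(sample_server_hello(m)))
```

A server only selects a compression method that the client offered, so the record has to come from a handshake in which the client listed DEFLATE; a capture from a client that offers only the null method always shows compression as disabled.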
Have a look at the official answer here: http://splunk-base.splunk.com/answers/65218/splunk-shows-vulnerable-to-cve-2012-4929-in-my-nessus-vu...
Some months have passed now and the issue is still open (also with version 5.0.3). Did somebody find a configuration that solves the issue?
Thanks for the link, but from my side it refers more to the Splunk Server rather than the Splunk forwarder client.