SplunkForwarder & TLS CRIME Vulnerability

Path Finder

Hello,

Since October 2012 our Nessus environment lists a "TLS CRIME Vulnerability" on all our Windows Servers that have the Splunk Forwarder (currently 5.0.1) installed. Can that be solved via config (e.g. disable compression and / or the SPDY service)? If yes, how?


Synopsis: The remote service has a configuration that may make it vulnerable to the CRIME attack.

Description
The remote service has one of two configurations that are known to be required for the CRIME attack:


- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.


Note that Nessus did not attempt to launch the CRIME attack against the remote service.

Solution
Disable compression and / or the SPDY service.



See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091

http://www.nessus.org/u?a1e45597



Risk Factor: Medium


CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score
3.6 (CVSS2#E:F/RL:OF/RC:C)



Plugin Output

The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :

 - SSL / TLS compression is enabled.



CVE
CVE-2012-4929
CVE-2012-4930

BID
55704
55707

Cross-References

OSVDB:85926
OSVDB:85927


Vulnerability Publication Date: 2012/09/15


Plugin Publication Date: 2012/10/16


Plugin Last Modification Date: 2012/10/22


Public Exploit Available: True
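
Both conditions listed in the Nessus output above are visible in the server's ServerHello, so the finding can be confirmed, or re-tested after a configuration change, by inspecting that one handshake message. The following is an added example, not part of the original post and not code from Splunk or Nessus: a parser for a single ServerHello record. The function names and the sample handshake bytes are constructed for illustration, and only SPDY offers made through the NPN extension are covered.

```python
import struct

COMPRESSION = {0: "null", 1: "DEFLATE", 64: "LZS"}  # TLS compression method IDs
NPN_EXT = 0x3374  # next_protocol_negotiation, the extension that advertised SPDY

def parse_server_hello(record: bytes) -> dict:
    """Extract the selected compression method and NPN protocols from one record."""
    try:
        if record[0] != 0x16 or record[5] != 0x02:
            raise ValueError("not a ServerHello handshake record")
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 35 + body[34]               # skip version(2), random(32), session_id
        _cipher, comp = struct.unpack_from("!HB", body, pos)
        pos += 3
        protocols = []
        if pos + 2 <= len(body):          # the extensions block is optional
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos + 4 <= min(end, len(body)):
                etype, elen = struct.unpack_from("!HH", body, pos)
                data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
                while etype == NPN_EXT and data:   # 1-byte length-prefixed names
                    protocols.append(data[1:1 + data[0]].decode("ascii", "replace"))
                    data = data[1 + data[0]:]
    except (IndexError, struct.error):
        raise ValueError("truncated ServerHello") from None
    return {"compression": COMPRESSION.get(comp, f"unknown({comp})"), "npn": protocols}

def crime_conditions(info: dict) -> list:
    """Map the parsed fields onto the two conditions the Nessus plugin lists."""
    hits = []
    if info["compression"] != "null":
        hits.append(f"SSL / TLS compression is enabled ({info['compression']})")
    for proto in info["npn"]:
        major = proto[5:].split(".")[0]
        if proto.startswith("spdy/") and major.isdigit() and int(major) < 4:
            hits.append(f"TLS advertises {proto}")
    return hits

def build_sample(comp: int, protocols=()) -> bytes:
    """Constructed ServerHello (TLS 1.0, zero random, no session id), not a capture."""
    npn = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    ext = struct.pack("!HH", NPN_EXT, len(npn)) + npn if protocols else b""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!HB", 0x002F, comp)
    body += struct.pack("!H", len(ext)) + ext if ext else b""
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(crime_conditions(parse_server_hello(build_sample(1, ["spdy/2"]))))
```

A compression method other than `null` in the ServerHello means the server accepted compression that the client offered, so a re-test after disabling compression on either end should return an empty list.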



Legend

Path Finder

Some months have passed now and the issue is still open (also with version 5.0.3). Did somebody find a configuration that solves the issue?

0 Karma

Path Finder

Thanks for the link, but from my side it refers more to the Splunk Server rather than the Splunk forwarder client.

0 Karma