Lucene search
K

SSL/TLS: TLS/SPDY Protocol Information Disclosure Vulnerability (CRIME)

🗓️ 09 Mar 2017 00:00:00Reported by Copyright (C) 2017 Greenbone AGType 
openvas
 openvas
🔗 plugins.openvas.org👁 1305 Views

SSL/TLS: TLS/SPDY Protocol Information Disclosure Vulnerability (CRIME) due to TLS compression and SPDY protocol below SPDY/

Related
Refs
Code
# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.108094");
  script_version("2025-01-17T15:39:18+0000");
  script_cve_id("CVE-2012-4929", "CVE-2012-4930");
  script_tag(name:"cvss_base", value:"2.6");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:N/C:P/I:N/A:N");
  script_tag(name:"last_modification", value:"2025-01-17 15:39:18 +0000 (Fri, 17 Jan 2025)");
  script_tag(name:"creation_date", value:"2017-03-09 16:00:00 +0100 (Thu, 09 Mar 2017)");
  script_name("SSL/TLS: TLS/SPDY Protocol Information Disclosure Vulnerability (CRIME)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2017 Greenbone AG");
  script_family("SSL and TLS");
  script_dependencies("gb_ssl_tls_version_get.nasl", "gb_tls_npn_alpn_detect.nasl");
  script_require_ports("Services/www", 443);
  script_mandatory_keys("ssl_tls/port");

  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/55704");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/55707");
  script_xref(name:"URL", value:"http://permalink.gmane.org/gmane.comp.lib.qt.devel/6729");
  script_xref(name:"URL", value:"https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/september/details-on-the-crime-attack/");

  script_tag(name:"summary", value:"The TLS/SPDY protocols are prone to an information disclosure vulnerability.");

  script_tag(name:"solution", value:"Disable TLS compression in the configuration of this services. If SPDY below 4 is used upgrade
  the webserver to a version which supports the successor protocol SPDY/4 or HTTP/2.

  Please see the references for more resources supporting you with this task.");

  script_tag(name:"impact", value:"A man-in-the-middle attacker can exploit this issue to gain access to
  sensitive information that may aid in further attacks.");

  script_tag(name:"affected", value:"Services enabling TLS compression or supporting the SPDY protocol below SPDY/4 via HTTPS.");

  script_tag(name:"solution_type", value:"Mitigation");
  script_tag(name:"qod_type", value:"remote_app");

  exit(0);
}

include("mysql.inc");
include("http_func.inc");
include("port_service_func.inc");
include("misc_func.inc");
include("list_array_func.inc");
include("byte_func.inc");
include("ssl_funcs.inc");

comp_report  = 'The remote service might be vulnerable to the "CRIME" attack because it provides the following TLS compression methods:\n\nProtocol:Compression Method\n';
npn_report   = 'The remote service might be vulnerable to the "CRIME" attack because it advertises support for the following vulnerable Network Protocol(s) via the NPN extension:\n\nSSL/TLS Protocol:Network Protocol\n';
alpn_report  = 'The remote service might be vulnerable to the "CRIME" attack because it advertises support for the following vulnerable Network Protocol(s) via the ALPN extension:\n\nSSL/TLS Protocol:Network Protocol\n';

port = http_get_port( default:443, ignore_broken:TRUE, ignore_cgi_disabled:TRUE );

## Exit on non-ssl http port
if( get_port_transport( port ) < ENCAPS_SSLv23 ) exit( 0 );

if( ! versions = get_supported_tls_versions( port:port, min:SSL_v3 ) ) exit( 0 );

foreach version( versions ) {

  if( version == TLS_13 ) continue;

  # First check the TLS compression
  foreach compression_method( make_list( "DEFLATE", "LZS" ) ) {

    hello_done = FALSE;

    soc = open_ssl_socket( port:port );
    if( ! soc ) continue;

    hello = ssl_hello( port:port, version:version, compression_method:compression_method );
    if( ! hello ) {
      close( soc );
      continue;
    }

    send( socket:soc, data:hello );

    while( ! hello_done ) {

      data = ssl_recv( socket:soc );

      if( ! data ) {
        close( soc );
        break;
      }

      # Jump out if we're getting an ALERT (e.g. SSLv3_ALERT_DECODE_ERROR)
      record = search_ssl_record( data:data, search:make_array( "content_typ", SSLv3_ALERT ) );
      if( record ) {
        close( soc );
        break;
      }

      record = search_ssl_record( data:data, search: make_array( "handshake_typ", SSLv3_SERVER_HELLO ) );
      if( record ) {
        # The server will choose the asked compression or fail earlier with the DECODE_ERROR
        if( record['compression_method'] == ord( compression_methods[compression_method] ) ) {
          comp_vuln = TRUE;
          comp_report += version_string[version] + ":" + compression_method + '\n';
        }
      }

      record = search_ssl_record( data:data, search:make_array( "handshake_typ", SSLv3_SERVER_HELLO_DONE ) );
      if( record ) {
        hello_done = TRUE;
        break;
      }
    }
  }
}

foreach version( versions ) {

  if( ! SSL_VER = version_kb_string_mapping[version] ) continue;

  # This is the supported list gathered via NPN
  npn_prot_list = get_kb_list( "tls_npn_prot_supported/" + SSL_VER + "/" + port );
  foreach npn_prot( npn_prot_list ) {
    if( npn_prot =~ "spdy/[1-3]" ) {
      npn_vuln = TRUE;
      npn_report += version_string[version] + ":" + npn_alpn_name_mapping[npn_prot] + '\n';
    }
  }

  # This is the supported list gathered via ALPN
  alpn_prot_list = get_kb_list( "tls_alpn_prot_supported/" + SSL_VER + "/" + port );
  foreach alpn_prot( alpn_prot_list ) {
    if( alpn_prot =~ "spdy/[1-3]" ) {
      alpn_vuln = TRUE;
      alpn_report += version_string[version] + ":" + npn_alpn_name_mapping[alpn_prot] + '\n';
    }
  }
}

if( comp_vuln || npn_vuln || alpn_vuln ) {
  if( comp_vuln ) report += comp_report;
  if( npn_vuln )  report += '\n' + npn_report;
  if( alpn_vuln ) report += '\n' + alpn_report;
  security_message( port:port, data:report );
  exit( 0 );
}

exit( 99 );

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Jan 2025 00:00Current
6Medium risk
Vulners AI Score6
CVSS 22.6
EPSS0.04266
1305