Lucene search

PRIOn knowledge basePRION:CVE-2012-4929

HistorySep 15, 2012 - 6:55 p.m.

Design/Logic Flaw

2012-09-1518:55:00

PRIOn knowledge base

www.prio-n.com

6.6 Medium

AI Score

Confidence

Low

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

52.0%

JSON

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a “CRIME” attack.

CPENameOperatorVersion
debian_linuxeq8.0
debian_linuxeq7.0

CPE	Name	Operator	Version
	debian_linux	eq	8.0
	debian_linux	eq	7.0

References

arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html

jvn.jp/en/jp/JVN65273415/index.html

jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html

lists.apple.com/archives/security-announce/2013/Jun/msg00000.html

lists.opensuse.org/opensuse-updates/2012-10/msg00096.html

lists.opensuse.org/opensuse-updates/2013-01/msg00034.html

lists.opensuse.org/opensuse-updates/2013-01/msg00048.html

news.ycombinator.com/item?id=4510829

rhn.redhat.com/errata/RHSA-2013-0587.html

security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor

support.apple.com/kb/HT5784

threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312

threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512

www.debian.org/security/2012/dsa-2579

www.debian.org/security/2013/dsa-2627

www.debian.org/security/2015/dsa-3253

www.ekoparty.org/2012/thai-duong.php

www.iacr.org/cryptodb/data/paper.php?pubkey=3091

www.securityfocus.com/bid/55704

www.theregister.co.uk/2012/09/14/crime_tls_attack/

www.ubuntu.com/usn/USN-1627-1

www.ubuntu.com/usn/USN-1628-1

www.ubuntu.com/usn/USN-1898-1

bugzilla.redhat.com/show_bug.cgi?id=857051

chromiumcodereview.appspot.com/10825183

code.google.com/p/chromium/issues/detail?id=139744

community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

gist.github.com/3696912

github.com/mpgn/CRIME-poc

lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html

marc.info/?l=bugtraq&m=136612293908376&w=2

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920

threatpost.com/en_us/blogs/demo-crime-tls-attack-091212

6.6 Medium

AI Score

Confidence

Low

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

52.0%

JSON

Related for PRION:CVE-2012-4929