CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
65.1%
The TLS/SPDY protocols are prone to an information-disclosure vulnerability.
# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.108094");
script_version("2024-09-27T05:05:23+0000");
script_cve_id("CVE-2012-4929", "CVE-2012-4930");
script_tag(name:"cvss_base", value:"2.6");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:N/C:P/I:N/A:N");
script_tag(name:"last_modification", value:"2024-09-27 05:05:23 +0000 (Fri, 27 Sep 2024)");
script_tag(name:"creation_date", value:"2017-03-09 16:00:00 +0100 (Thu, 09 Mar 2017)");
script_name("SSL/TLS: TLS/SPDY Protocol Information Disclosure Vulnerability (CRIME)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2017 Greenbone AG");
script_family("SSL and TLS");
script_dependencies("gb_ssl_tls_version_get.nasl", "gb_tls_npn_alpn_detect.nasl");
script_require_ports("Services/www", 443);
script_mandatory_keys("ssl_tls/port");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/55704");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/55707");
script_xref(name:"URL", value:"http://permalink.gmane.org/gmane.comp.lib.qt.devel/6729");
script_xref(name:"URL", value:"https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/september/details-on-the-crime-attack/");
script_tag(name:"summary", value:"The TLS/SPDY protocols are prone to an information-disclosure vulnerability.");
script_tag(name:"solution", value:"Disable TLS compression in the configuration of this services. If SPDY below 4 is used upgrade
the webserver to a version which supports the successor protocol SPDY/4 or HTTP/2.
Please see the references for more resources supporting you with this task.");
script_tag(name:"impact", value:"A man-in-the-middle attacker can exploit this issue to gain access to
sensitive information that may aid in further attacks.");
script_tag(name:"affected", value:"Services enabling TLS compression or supporting the SPDY protocol below SPDY/4 via HTTPS.");
script_tag(name:"solution_type", value:"Mitigation");
script_tag(name:"qod_type", value:"remote_app");
exit(0);
}
include("mysql.inc");
include("http_func.inc");
include("port_service_func.inc");
include("misc_func.inc");
include("list_array_func.inc");
include("byte_func.inc");
include("ssl_funcs.inc");
comp_report = 'The remote service might be vulnerable to the "CRIME" attack because it provides the following TLS compression methods:\n\nProtocol:Compression Method\n';
npn_report = 'The remote service might be vulnerable to the "CRIME" attack because it advertises support for the following vulnerable Network Protocol(s) via the NPN extension:\n\nSSL/TLS Protocol:Network Protocol\n';
alpn_report = 'The remote service might be vulnerable to the "CRIME" attack because it advertises support for the following vulnerable Network Protocol(s) via the ALPN extension:\n\nSSL/TLS Protocol:Network Protocol\n';
port = http_get_port( default:443, ignore_broken:TRUE, ignore_cgi_disabled:TRUE );
## Exit on non-ssl http port
if( get_port_transport( port ) < ENCAPS_SSLv23 ) exit( 0 );
if( ! versions = get_supported_tls_versions( port:port, min:SSL_v3 ) ) exit( 0 );
foreach version( versions ) {
if( version == TLS_13 ) continue;
# First check the TLS compression
foreach compression_method( make_list( "DEFLATE", "LZS" ) ) {
hello_done = FALSE;
soc = open_ssl_socket( port:port );
if( ! soc ) continue;
hello = ssl_hello( port:port, version:version, compression_method:compression_method );
if( ! hello ) {
close( soc );
continue;
}
send( socket:soc, data:hello );
while( ! hello_done ) {
data = ssl_recv( socket:soc );
if( ! data ) {
close( soc );
break;
}
# Jump out if we're getting an ALERT (e.g. SSLv3_ALERT_DECODE_ERROR)
record = search_ssl_record( data:data, search:make_array( "content_typ", SSLv3_ALERT ) );
if( record ) {
close( soc );
break;
}
record = search_ssl_record( data:data, search: make_array( "handshake_typ", SSLv3_SERVER_HELLO ) );
if( record ) {
# The server will choose the asked compression or fail earlier with the DECODE_ERROR
if( record['compression_method'] == ord( compression_methods[compression_method] ) ) {
comp_vuln = TRUE;
comp_report += version_string[version] + ":" + compression_method + '\n';
}
}
record = search_ssl_record( data:data, search:make_array( "handshake_typ", SSLv3_SERVER_HELLO_DONE ) );
if( record ) {
hello_done = TRUE;
break;
}
}
}
}
foreach version( versions ) {
if( ! SSL_VER = version_kb_string_mapping[version] ) continue;
# This is the supported list gathered via NPN
npn_prot_list = get_kb_list( "tls_npn_prot_supported/" + SSL_VER + "/" + port );
foreach npn_prot( npn_prot_list ) {
if( npn_prot =~ "spdy/[1-3]" ) {
npn_vuln = TRUE;
npn_report += version_string[version] + ":" + npn_alpn_name_mapping[npn_prot] + '\n';
}
}
# This is the supported list gathered via ALPN
alpn_prot_list = get_kb_list( "tls_alpn_prot_supported/" + SSL_VER + "/" + port );
foreach alpn_prot( alpn_prot_list ) {
if( alpn_prot =~ "spdy/[1-3]" ) {
alpn_vuln = TRUE;
alpn_report += version_string[version] + ":" + npn_alpn_name_mapping[alpn_prot] + '\n';
}
}
}
if( comp_vuln || npn_vuln || alpn_vuln ) {
if( comp_vuln ) report += comp_report;
if( npn_vuln ) report += '\n' + npn_report;
if( alpn_vuln ) report += '\n' + alpn_report;
security_message( port:port, data:report );
exit( 0 );
}
exit( 99 );