CVE-2012-4929 (Network Steve Forum)

CVE-2012-4929

We have Exchange 2013 CU5 servers in our environment on which identified CVE-2012-4929.Shall we implement the below solution

SSL/TLS Compression Algorithm Information Leakage Vulnerability

SSL/TLS protocols support and optional compression algorithm. When used compression can ease data transfer significantly.

    An information leakage was discovered related to compression algorithm use in SSL/TLS protocols. The attacker needs to have ability to submit any plain text to compression and encryption process and observe the output to be able to exploit this vulnerability.

    The attack works like this:
    the attacker who has control over a web browser that is communicating to a web site that uses SSL/TLS can send a HTTP POST request that looks like this:
    POST /login.php HTTP/1.1
    Cookie: XYZ

    Cookie:

    The first Cookie is in the HTTP header and the second one is in the body of the request.

    If compression algorithm is used it will replace the second occurrence of the string 'Cookie: ' by a reference to the first one and thus decrease the length of the string to be encrypted and eventually the output length of SSL packet. This can be observed on the network.
    The attacker can then prepare another request that contains a guess as to what the first character of the cookie is. That HTTP request looks like this:
    POST /login.php HTTP/1.1
    Cookie: XYZ

    Cookie: A
    If the guess was correct then the length of the output of compression + encryption will decrease more than if the guess was incorrect.
    Using this approach the attacker can verify their guesses and completely recover the value of the cookie.

Solution:

August 12th, 2015 7:19am

Hi,

It looks great.

We probably should disable TLS compression on the web server, if you use SSL on a highly security-sensitive site.
For most of your user base, this is not strictly necessary. Turning off TLS compression in the web server is useful only to protect the small fraction of users who are running older, vulnerable browsers.

Free Windows Admin Tool Kit Click here and download it now

August 12th, 2015 11:16pm

This topic is archived. No further replies will be accepted.

Other recent topics

Remote Administration For Windows. Easy remote access of Windows 7, XP, 2008, 2000, and Vista Computers

Click here to find out more

Reboot Hundreds of computers, disable flash drives, deploy power managements settings.

Click here to get your free copy of Network Administrator. Over 25 plugins to make your life easier

Compression algorithms should be disabled. The method of disabling it varies depending on the application you're running.
    If you're using a hardware device or software not listed here, you'll need to check the manual or vendor support options.

    For IIS SSL Compression is referred to as HTTP compression. It can be disabled from IIS configuration->Web Site->Properties->Service (tab).HTTP Compression checkboxes need to be turned off.
    For Redhat systems with Zlib Compression.
    - Set the OPENSSL_NO_DEFAULT_ZLIB environment variable can be used to disable zlib compression support.
    - Further details can be found under Bugzilla Redhat 857051. (https://bugzilla.redhat.com/show_bug.cgi?id=857051c5 )

    For other HTTP servers please check the vendors documentation on how to disable SSL compression.
    Best practices for SSL/TLS Deployment can be found at QUALYS SSL Labs. (https://www.ssllabs.com/)