Búsqueda de    
Vulnerabilidad   
    Buscar 172616 Descripciones CVE y
81291 Descripciones de Pruebas,
accesos 10,000+ referencias cruzadas.
Pruebas   CVE   Todos  

ID de Prueba:1.3.6.1.4.1.25623.1.0.841494
Categoría:Ubuntu Local Security Checks
Título:Ubuntu Update for openssl USN-1898-1
Resumen:The remote host is missing an update for the 'openssl'; package(s) announced via the referenced advisory.
Descripción:Summary:
The remote host is missing an update for the 'openssl'
package(s) announced via the referenced advisory.

Vulnerability Insight:
The TLS protocol 1.2 and earlier can encrypt compressed data without
properly obfuscating the length of the unencrypted data, which allows
man-in-the-middle attackers to obtain plaintext content by observing
length differences during a series of guesses in which a provided string
potentially matches an unknown string in encrypted and compressed traffic.
This is known as a CRIME attack in HTTP. Other protocols layered on top of
TLS may also make these attacks practical.

This update disables compression for all programs using SSL and TLS
provided by the OpenSSL library. To re-enable compression for programs
that need compression to communicate with legacy services, define the
variable OPENSSL_DEFAULT_ZLIB in the program's environment.

Affected Software/OS:
openssl on Ubuntu 13.04,
Ubuntu 12.10,
Ubuntu 12.04 LTS,
Ubuntu 10.04 LTS

Solution:
Please Install the Updated Packages.

CVSS Score:
2.6

CVSS Vector:
AV:N/AC:H/Au:N/C:P/I:N/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2012-4929
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
BugTraq ID: 55704
http://www.securityfocus.com/bid/55704
Debian Security Information: DSA-2579 (Google Search)
http://www.debian.org/security/2012/dsa-2579
Debian Security Information: DSA-2627 (Google Search)
http://www.debian.org/security/2013/dsa-2627
Debian Security Information: DSA-3253 (Google Search)
http://www.debian.org/security/2015/dsa-3253
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
HPdes Security Advisory: HPSBUX02866
http://marc.info/?l=bugtraq&m=136612293908376&w=2
HPdes Security Advisory: SSRT101139
http://jvn.jp/en/jp/JVN65273415/index.html
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html
http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html
http://news.ycombinator.com/item?id=4510829
http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor
http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312
http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512
http://www.ekoparty.org/2012/thai-duong.php
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
http://www.theregister.co.uk/2012/09/14/crime_tls_attack/
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
https://gist.github.com/3696912
https://github.com/mpgn/CRIME-poc
https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920
RedHat Security Advisories: RHSA-2013:0587
http://rhn.redhat.com/errata/RHSA-2013-0587.html
SuSE Security Announcement: openSUSE-SU-2012:1420 (Google Search)
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html
SuSE Security Announcement: openSUSE-SU-2013:0143 (Google Search)
http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html
SuSE Security Announcement: openSUSE-SU-2013:0157 (Google Search)
http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html
http://www.ubuntu.com/usn/USN-1627-1
http://www.ubuntu.com/usn/USN-1628-1
http://www.ubuntu.com/usn/USN-1898-1
CopyrightCopyright (c) 2013 Greenbone Networks GmbH

Esta es sólo una de 81291 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.

Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.




© 1998-2020 E-Soft Inc. Todos los derechos reservados.