
CVE-2012-4929 vulnerability for Cisco Ironport ESA

bs-telecom
Level 1

Dear Community,

It seems that the vulnerability test engine from Qualys is discovering an SMTP server vulnerability on TLS on one of our Cisco Ironport appliances. It is the CRIME compression exploitation numbered CVE-2012-4929.

From our understanding there is not really a vulnerability for the SMTP service, but only for web servers running TLS/SSL compression.

Still, there is a vulnerable open point for audit purposes that we would like to correct.

Given this, I have a couple of questions for the whole community:

1) Is this any considerable risk for the service running SMTP with this vulnerability? If yes, how to consider the CVSS score or grade?

2) Is there any specific way, for AsyncOS version 9.1.1 or later, to disengage the vulnerability?

Thanks for your precious help in advance.

Best regards.

Cristian


Raed Boshmaf
Cisco Employee

Hi Cristian,

Check the following bug: "OpenSSL -- TLS 1.1, 1.2 denial of service vulnerability". CVE-2012-4929 is assigned to it, and the bug report says that 8.0.1-023 is a Known Fixed Release, so newer GD releases shouldn't have this issue either.

Regards

Raed

A Qualys test engine also detected this vulnerability on our ESA C370. At that time we were running 8.5.7-042. That version is a later version than the fixed version 8.0.1-023.

So, being a later version doesn't guarantee that previous fixes are also included.

We are now running version 9.6.0-051.

Regards, Henk

Hello all,

We have more info on the CRIME vulnerability for the ESA here: CSCum72269

Right now, due to the specific chain of events that it takes to exploit this vulnerability, we do not have any current plans for disabling TLS compression.

To prevent any possibility of exploit, you'll want to make sure you're using a non-TLS compression enabled browser when performing administration of the ESA (most browsers today do not support TLS compression - and have not in some time). You may also wish to restrict administrative access on an IP basis, which can be done by using the 'adminaccessconfig' command from the CLI.

Thanks!

-Dennis M.

Hi, I got the same problem where Qualys flags ESA as being vulnerable to CRIME on SMTP port 25.

According to your response, you mentioned securing the admin's browser. However, isn't this a problem with the SMTP server, instead of the web interface?

Thank you.
