It seems that the vulnerability test engine from Qualys is discovering an SMTP server vulnerability on TLS on one of our Cisco IronPort appliances. It is the CRIME compression exploitation, numbered CVE-2012-4929.
From our understanding there is not really a vulnerability for the SMTP service, but only for web servers running TLS/SSL compression.
Still, there is a vulnerable open point for audit purposes that we would like to correct.
Given this, I have a couple of questions for the whole community:
1) Is this a considerable risk for the service running SMTP with this vulnerability? If yes, how should we consider the CVSS score or grade?
2) Is there any specific way, for AsyncOS version 9.1.1 or later, to disengage the vulnerability?
Thanks for your precious help in advance.
Check the following bug: "OpenSSL -- TLS 1.1, 1.2 denial of service vulnerability". CVE-2012-4929 is assigned to it, and the bug report says that 8.0.1-023 is a Known Fixed Release, so newer GD releases shouldn't have this issue either.
A Qualys test engine also detected this vulnerability on our ESA C370. At that time we were running 8.5.7-042. That version is a later version than the fixed version 8.0.1-023.
So, being a later version doesn't guarantee that previous fixes are also included.
We are now running version 9.6.0-051.
We have more info on the CRIME vulnerability for the ESA here: CSCum72269
Right now, due to the specific chain of events that it takes to exploit this vulnerability, we do not have any current plans for disabling TLS compression.
To prevent any possibility of exploit, you'll want to make sure you're using a non-TLS compression enabled browser when performing administration of the ESA (most browsers today do not support TLS compression - and have not in some time). You may also wish to restrict administrative access on an IP basis, which can be done by using the 'adminaccessconfig' command from the CLI.
Hi, I got the same problem where Qualys flags ESA as being vulnerable to CRIME on SMTP port 25.
According to your response, you mentioned securing the admin's browser. However, isn't this a problem with the SMTP server, instead of the web interface?
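To answer the question of whether the SMTP side actually negotiates compression, here is an added audit script (not from this thread, Cisco or Qualys) for a mail server you administer: it performs STARTTLS with a client context that deliberately offers TLS compression and reports what the server selected, next to the hardened client context a mail client should use. Host and port are arguments you supply; the check assumes the local OpenSSL build can offer compression at all (a build without zlib never will, and then the result is None even against a server that would accept it).

```python
"""Check whether an SMTP STARTTLS endpoint negotiates TLS compression (CRIME, CVE-2012-4929)."""
import smtplib
import ssl


def build_audit_context() -> ssl.SSLContext:
    """Client context that deliberately offers TLS compression, so a server that supports it will select it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Python's defaults set OP_NO_COMPRESSION; clear it so compression is offered in the ClientHello.
    # Note: if the underlying OpenSSL was built without zlib, nothing is offered regardless of this flag.
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    # TLS 1.3 removed compression entirely; cap at 1.2 so the legacy feature can be exercised.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Certificate validity is not what is being audited here; appliances often use self-signed certs.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_hardened_context() -> ssl.SSLContext:
    """Context a mail client should use: compression refused (already the default, stated explicitly)."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def context_allows_compression(ctx: ssl.SSLContext) -> bool:
    """True if the context would offer TLS compression in its ClientHello."""
    return not (ctx.options & ssl.OP_NO_COMPRESSION)


def negotiated_compression(host: str, port: int = 25, timeout: float = 10.0):
    """Return the compression method the server chose (e.g. 'zlib compression'), None if none, or 'no-starttls'."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "no-starttls"
        smtp.starttls(context=build_audit_context())
        return smtp.sock.compression()  # the socket is now an SSLSocket


def verdict(result) -> str:
    """Turn the negotiation result into an audit statement."""
    if result == "no-starttls":
        return "STARTTLS not offered: nothing to assess for CRIME on this port"
    if result is None:
        return "no TLS compression negotiated: CRIME (CVE-2012-4929) not exploitable on this connection"
    return f"TLS compression '{result}' negotiated: server accepts compression, finding is valid"


if __name__ == "__main__":
    import sys
    print(verdict(negotiated_compression(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)))
```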