06-06-2016 12:28 AM
Dear Community,
It seems that the vulnerability test engine from Qualys is discovering an SMTP server vulnerability on TLS on one of our Cisco IronPort appliances. It is the CRIME compression exploitation numbered CVE-2012-4929.
From our understanding there is not really a vulnerability for the SMTP service, but only for web servers running TLS/SSL compression.
Still, there is a vulnerable open point for audit purposes that we would like to correct.
Given this, I have a couple of questions for the whole community:
1) Is there any considerable risk for the service running SMTP with this vulnerability? If yes, how should we consider the CVSS score or grade?
2) Is there any specific way, for AsyncOS version 9.1.1 or later, to disengage the vulnerability?
Thanks for your precious help in advance.
Best regards.
Cristian