...
This article provides information to advise security-conscious customers on how to mitigate the potential risk of the TLS CRIME vulnerability on ESXi and ESX (CVE-2012-4929 and CVE-2012-4930).
CRIME was disclosed on September 15, 2012 by the authors of the BEAST vulnerability. Its signature has since been added to vulnerability scanners such as Nessus that check for SSL/TLS compression over HTTPS.

Notes: To date there have been no reports of a successful CRIME attack against any VMware product. The attack must be done manually, so scanners simply check for the possibility of exploitation.

Attack Requirements

Note: For the attack to even be attempted, all of these requirements must be met:
- An administrator must have an active HTTPS session to the host's web page. Traffic between VMware products, such as the vSphere Client and vCenter Server, is not affected.
- The attacker must have control of the administrator's browser. Typically, this means that the administrator's workstation has been compromised.
- The attacker must be able to sniff the network traffic between the administrator's browser and the web server. Again, a compromise is required for this to be possible.
- Both the administrator's browser and the web server must support compression.
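The scanner check described above, as an added example that is not part of this VMware article: a small Python parser that reads a captured TLS ClientHello or ServerHello record and reports whether a non-null compression method (DEFLATE, id 1, as defined in RFC 3749) was offered by the client or selected by the server, which is the last of the requirements listed above. The sample records are constructed for the example, not real captures.

```python
import struct


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello or ServerHello and return
    the compression method(s) it offers (client) or selects (server)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                      # skip protocol version and random
    sid_len = hs[pos]
    pos += 1 + sid_len                # skip session id
    if hs_type == 1:                  # ClientHello
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len             # skip cipher suite list
        cm_len = hs[pos]
        return {"msg": "ClientHello",
                "compression_methods": list(hs[pos + 1:pos + 1 + cm_len])}
    if hs_type == 2:                  # ServerHello
        pos += 2                      # skip the chosen cipher suite
        return {"msg": "ServerHello", "compression_methods": [hs[pos]]}
    raise ValueError(f"unsupported handshake type {hs_type}")


def crime_exposed(record: bytes) -> bool:
    """True when a non-null compression method (e.g. DEFLATE, 0x01) is offered
    by the client or selected by the server; null (0x00) is safe."""
    return any(m != 0 for m in parse_hello(record)["compression_methods"])


def _record(hs_type: int, hs_body: bytes) -> bytes:
    """Wrap a handshake body in a TLS record header (helper for the samples)."""
    hs = bytes([hs_type]) + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples, not real captures: TLS 1.2, empty session id,
# cipher suite 0xC02F, no extensions.
_RND = b"\x11" * 32
SERVER_HELLO_DEFLATE = _record(2, b"\x03\x03" + _RND + b"\x00\xc0\x2f\x01")
SERVER_HELLO_NULL = _record(2, b"\x03\x03" + _RND + b"\x00\xc0\x2f\x00")
CLIENT_HELLO_OFFERS = _record(1, b"\x03\x03" + _RND + b"\x00\x00\x02\xc0\x2f\x02\x01\x00")
CLIENT_HELLO_NULL = _record(1, b"\x03\x03" + _RND + b"\x00\x00\x02\xc0\x2f\x01\x00")
```

A ServerHello selecting 0x01 is the condition a scanner flags; a client that only offers 0x00 (as the patched browsers below do) cannot negotiate compression regardless of what the server supports.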
All major web browsers have either been patched or do not support SSL/TLS compression at all. Because of this, the industry standard is to disable compression at the client level. Ensure that administrators who actively connect to a host's web page use these browser versions or higher:
- Internet Explorer: no version of IE supports SSL/TLS compression
- Chrome: 21.0.1180.89
- Firefox: 15.0.1
- Opera: 12.01
- Safari: 5.1.7

vRealize Operations Manager (formerly known as vCenter Operations Manager)

It has been confirmed that CRIME is ineffective against vRealize Operations Manager 5.6 and higher. The TLS CRIME vulnerability appears to be isolated to the use of the libqt4 libraries for compression. For more information, see the Novell CVE-2012-4929 page. In vRealize Operations Manager 5.6 and higher, the use of SSL compression in Apache2 does not leverage libqt4 (libqt4 is not installed) or the SPDY service (mod_spdy), so the finding is a false positive.

Note: The preceding link was correct as of February 19, 2013. If you find the link is broken, provide feedback and a VMware employee will update the link.

If this is not satisfactory due to compliance-related reasons, you can completely disable web services. For more information, see:
- Disabling the Web Access log in page, MOB, and Datastore Browser on an ESX or ESXi host (1016039)
- Disabling the vSphere Web Access service in vCenter Server (1009420)
For information on recommended hardening guides, see Security Advisories, Certifications & Guides.