Not a fix, but to shut up the PCI scan, firewall off Webmin and Usermin and limit it (by IP address) to access by just the people who need to see it. If it's not answering the PCI scan, they can't very well worry about it.

Sometimes the easy solution is to be invisible.

Dave

From: Fajar Priyanto [mailto:fajarpri@arinet.org]
Sent: Friday, January 04, 2013 11:24 PM
To: Webmin users list
Subject: Re: [webmin-l] Nessus says I'm vulnerable (SSL/TLS compression enabled)

It says in the mean time it's good to disable SSL compression in the webserver.

How can I do that with webmin webserver?

http://arstechnica.com/security/2012/09/many-ways-to-break-ssl-with-crime-attacks-experts-warn/

On Sat, Jan 5, 2013 at 2:49 PM, Fajar Priyanto <fajarpri@arinet.org> wrote:

Hi Jamie,

Sorry it took some time for me to upgrade it. It's on 1.610 now, also I've set it to "Use only PCI-compliant ciphers". But same result from the Nessus scan.

No workaround from Google so far :(

On Fri, Dec 21, 2012 at 12:09 PM, Jamie Cameron <jcameron@webmin.com> wrote:

You might want to try upgrading to Webmin 1.610. Also, at Webmin -> Webmin Configuration -> SSL Encryption, try selecting "Use only PCI-compliant ciphers"

  - Jamie

On 20/Dec/2012 17:27 Fajar Priyanto <fajarpri@arinet.org> wrote ..

Hi all,

Nessus says my Webmin 1.580 is vulnerable to the CRIME attack because TLS/SSL compression is enabled. How do I remedy it? I cannot see any options for this in the configuration menu.

From Google it looks like I can use SSLCompression off in httpd.conf?

This is the Nessus scan result:

TLS CRIME Vulnerability


Synopsis :

The remote service has a configuration that may make it vulnerable to
the CRIME attack.

Description :

The remote service has one of two configurations that are known to be
required for the CRIME attack:

- SSL / TLS compression is enabled.

- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

See also :

http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
http://www.nessus.org/u?a1e45597

Solution :

Disable compression and / or the SPDY service.

Plugin Output :

The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :

- SSL / TLS compression is enabled.

CVE :
CVE-2012-4929
CVE-2012-4930

BID :
BID 55704
BID 55707

Other References :
OSVDB:85926
OSVDB:85927

Nessus Plugin ID : 62565

Thank you.

--
To dream and to write ^^
http://mars.arinet.org

Forwarded by the Webmin mailing list at webadmin-list@lists.sourceforge.net
To remove yourself from this list, go to
http://lists.sourceforge.net/lists/listinfo/webadmin-list

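A direct way to verify the remediation rather than waiting for the next Nessus run, as an added example that is not from the thread's authors or the Webmin project: a client-side check that reports whether an endpoint actually negotiates TLS compression (the plugin's "SSL / TLS compression is enabled" condition), beside the server-side OpenSSL option that turns it off. The only assumptions are Webmin's usual port 10000 and the `check_endpoint`/`classify` helper names, which are this example's own.

```python
import socket
import ssl

WEBMIN_PORT = 10000  # assumption: Webmin's usual miniserv listener


def offering_context():
    """Client context that OFFERS compression, so the server's choice shows.
    Verification is off because the point is to inspect the handshake, not to
    trust the peer (Webmin commonly runs on a self-signed certificate)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.3 dropped compression entirely, so pin to 1.2 to exercise the
    # code path the scanner is talking about.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Modern OpenSSL sets OP_NO_COMPRESSION by default; clear it so the
    # ClientHello advertises DEFLATE. Whether it is used is the server's call.
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def hardened_context():
    """Server-side counterpart of the fix, in OpenSSL terms: refuse
    compression outright with SSL_OP_NO_COMPRESSION, the same option that
    Apache's 'SSLCompression off' sets. Webmin exposes no menu item for it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def refuses_compression(ctx):
    """True when a context will never negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def classify(compression):
    """Map SSLSocket.compression() (None, or a name such as 'zlib compression')
    to the verdict the Nessus plugin output gives for the same condition."""
    if compression is None:
        return "ok: no SSL/TLS compression negotiated"
    return "finding: SSL/TLS compression negotiated (%s)" % compression


def check_endpoint(host, port=WEBMIN_PORT, timeout=5.0):
    """Handshake with host:port and return (tls_version, cipher_name, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with offering_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], classify(tls.compression())
```

Run `check_endpoint("webmin.example", 10000)` against your own host after changing the configuration; an OpenSSL built without zlib support will never negotiate compression, so an "ok" there reflects the library, not just the config.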