On 1/5/2013 2:34 PM, Dave Overton wrote:

Not a fix, but to shut up the PCI scan, firewall off Webmin and Usermin and limit it (by IP address) to access by just the people who need to see it. If it's not answering the PCI scan, they can't very well worry about it.

 

Sometimes the easy solution is to be invisible.

 

Dave

PCI scans do some good but to me they are just another of those silly hoops to jump through. For instance, passwords are the weakest link in security. PCI scans don't know password security settings nor how good existing passwords are. That's the start of the insanity.

A solution is this. If you have more than one system with Webmin running, perhaps one system that is more for internal use, you can set that one to connect to the system(s) that need to pass the scan and connect from there. This is a bit better of a solution, as you can connect from any outside network, for instance if you are on the road and need to access the protected system.

John Hinton


From: Fajar Priyanto [mailto:fajarpri@arinet.org]
Sent: Friday, January 04, 2013 11:24 PM
To: Webmin users list
Subject: Re: [webmin-l] Nessus says I'm vulnerable (SSL/TLS compression enabled)

 

It says in the meantime it's good to disable SSL compression in the webserver.

How can I do that with webmin webserver?

http://arstechnica.com/security/2012/09/many-ways-to-break-ssl-with-crime-attacks-experts-warn/

 

On Sat, Jan 5, 2013 at 2:49 PM, Fajar Priyanto <fajarpri@arinet.org> wrote:

Hi Jamie,

Sorry it took some time for me to upgrade it. It's on 1.610 now, and I've also set it to "Use only PCI-compliant ciphers". But same result from the Nessus scan.

No workaround from Google so far :(

 

On Fri, Dec 21, 2012 at 12:09 PM, Jamie Cameron <jcameron@webmin.com> wrote:

You might want to try upgrading to Webmin 1.610. Also, at Webmin -> Webmin Configuration -> SSL Encryption, try selecting "Use only PCI-compliant ciphers"

  - Jamie

On 20/Dec/2012 17:27 Fajar Priyanto <fajarpri@arinet.org> wrote ..

Hi all,

Nessus says my Webmin 1.580 is vulnerable to the CRIME attack because TLS/SSL compression is enabled. How do I remedy it? I cannot see any options for this in the configuration menu.

From Google it looks like I can use SSLCompression off in httpd.conf?


This is the Nessus scan result:

TLS CRIME Vulnerability


Synopsis :

The remote service has a configuration that may make it vulnerable to
the CRIME attack.

Description :

The remote service has one of two configurations that are known to be
required for the CRIME attack:

- SSL / TLS compression is enabled.

- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

See also :

http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
http://www.nessus.org/u?a1e45597

Solution :

Disable compression and / or the SPDY service.

Plugin Output :

The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :

- SSL / TLS compression is enabled.

CVE :
CVE-2012-4929
CVE-2012-4930

BID :
BID 55704
BID 55707

Other References :
OSVDB:85926
OSVDB:85927

Nessus Plugin ID : 62565

 


Thank you.

--
To dream and to write ^^
http://mars.arinet.org

 

 

-
Forwarded by the Webmin mailing list at webadmin-list@lists.sourceforge.net
To remove yourself from this list, go to
http://lists.sourceforge.net/lists/listinfo/webadmin-list











-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
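The condition Nessus reports ("SSL / TLS compression is enabled") can be reproduced from the command line, which is useful both to confirm the finding and to verify a fix before paying for another scan. What follows is an added example, not code from this thread, from Nessus, or from the Webmin project. It assumes openssl(1) is on PATH, that the target is reachable on Webmin's default port 10000 unless another port is given, and it names the Apache directive the thread itself mentions; the Webmin-side key it refers to is my recollection, flagged as an assumption to verify, since nobody in the thread names it.

```sh
#!/bin/sh
# Added example (not from the thread or the Webmin project): reproduce the
# check behind Nessus plugin 62565 with openssl s_client and note where the
# two fixes discussed in the thread live.
#
# Assumptions: openssl(1) is on PATH; the target is reachable; Webmin listens
# on its default port 10000 unless a port is passed.

# Classify the session summary openssl s_client prints after the handshake.
# Prints "enabled", "disabled", or "unknown" (no Compression: line at all,
# e.g. the handshake failed or the output was truncated).
tls_compression_state() {
    summary=$1
    # The unindented "Compression:" line comes before the SSL-Session block,
    # so the first match is the negotiated method, not the session dump.
    line=$(printf '%s\n' "$summary" | grep -i '^[[:space:]]*Compression:' | head -n 1)
    case "$line" in
        '')      echo unknown ;;
        *NONE*)  echo disabled ;;
        *)       echo enabled ;;   # e.g. "Compression: zlib compression"
    esac
}

# Probe a live service. The client has to *offer* compression for the server
# to negotiate it: OpenSSL 1.1.0+ s_client only offers it with -comp (older
# releases offered it whenever built with zlib). Try -comp first and fall back
# to a plain connection if this openssl does not know the flag. A client that
# never offers compression reports "disabled" even against a vulnerable
# server, so treat a "disabled" from the fallback path with suspicion.
probe_tls_compression() {
    host=$1
    port=${2:-10000}
    out=$(openssl s_client -comp -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) \
        || out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null)
    tls_compression_state "$out"
}

# Fixes, for reference (apply on the server, restart it, then re-probe):
#   Apache mod_ssl 2.2.24+ / 2.4.3+, in httpd.conf or the SSL vhost:
#       SSLCompression off
#   Webmin's own miniserv has no httpd.conf; its settings live in
#   /etc/webmin/miniserv.conf. The key is assumed to be
#       no_sslcompression=1
#   (confirm against your version's miniserv.pl before relying on it).
```

Usage: `probe_tls_compression webmin.example.com` (a hypothetical host) before and after the change; the expected result after the fix is `disabled`. Nessus says it did not launch the attack, only that compression was negotiated, and that negotiation is exactly what this probe reproduces. Firewalling the port, as suggested earlier in the thread, stops the scanner from seeing the setting but does not change it for anyone who can still reach the service.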