[Japanese]

JVNDB-2016-000129

Android OS issue where it is affected by the CRIME attack

Overview

The implementation of the TLS protocol in Android OS contains a vulnerability where plaintext HTTP headers may be obtained.

The TLS protocol contains a function that compresses data for communications between the client and server. This function does not properly obfuscate the length of the unencrypted data. When this function is enabled on both the client and server, it results in a vulnerability where plaintext HTTP headers may be obtained. The TLS implementation in Android OS is affected by this vulnerability.
Exploiting this vulnerability to obtain plaintext HTTP headers is referred to as the CRIME attack.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 3.7 (Low) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Google
  • Android OS versions 4.1.2 and earlier

Impact

A man-in-the-middle attacker performing the CRIME attack may obtain plaintext HTTP headers.
Solution

[Apply an update]
Apply the update according to the information provided by the provider or developer.
Vendor Information

Google KDDI SoftBank Disney Mobile on SoftBank Ymobile Corporation
CWE (What is CWE?)

  1. Cryptographic Issues(CWE-310) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-4929
References

  1. JVN : JVN#65273415
  2. National Vulnerability Database (NVD) : CVE-2012-4929
Revision History

  • [2016/07/25]
      Web page was published

Date Public2016/07/22
Date First Published2016/07/25
Date Last Updated2016/07/25