debian-mirror-gitlab/doc/security/crime_vulnerability.md

---
stage: Manage
group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
type: reference
---

# How we manage the TLS protocol CRIME vulnerability **(FREE SELF)**

[CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806) is a security exploit against
secret web cookies over connections using the HTTPS and SPDY protocols that also
use data compression. The attacker injects guesses into data that is compressed
together with the secret and watches the size of the encrypted output: a guess
that matches part of the secret compresses better, so the secret can be recovered
a byte at a time. When used to recover the content of secret authentication
cookies, it allows an attacker to perform session hijacking on an authenticated
web session, allowing the launching of further attacks.

## Description

The TLS Protocol CRIME Vulnerability affects systems that compress data before
encrypting it over HTTPS. CRIME itself targets TLS-level compression (DEFLATE)
and SPDY header compression; the same length leak through HTTP response body
compression (for example, Gzip) is the related BREACH attack. Your system might
be vulnerable if you use TLS compression, SPDY with header compression enabled,
or Gzip on responses that mix secrets with attacker-influenced content.

GitLab supports both Gzip and [SPDY](https://nginx.org/en/docs/http/ngx_http_spdy_module.html) and mitigates the CRIME
vulnerability by deactivating Gzip when HTTPS is enabled. The sources of the
files are here:

- [Source installation NGINX file](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/support/nginx/gitlab-ssl)
- [Omnibus installation NGINX file](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb)

Although SPDY is enabled in Omnibus installations, CRIME relies on compression
(the 'C' in the name), and the NGINX SPDY module's `spdy_headers_comp`
directive, which sets the header compression level, defaults to 0 (no
compression). Advertising SPDY is therefore not enough on its own to make the
server vulnerable; the compression has to be turned on as well. The SPDY module
was superseded by `ngx_http_v2_module` in NGINX 1.9.5, so on current NGINX
versions the SPDY advertisement itself is no longer present.

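To make the mechanism concrete, the following is an added example (not GitLab code and not part of the original page) that models the compression oracle CRIME exploits: a request whose attacker-controlled part is compressed with DEFLATE together with a secret cookie, where the attacker sees only the length of the result. The request layout, the `sessionid` cookie value, the hex alphabet and the padding scheme are all constructed for the example. With compression on, the candidate whose guess extends the match against the cookie compresses shorter and the cookie is recovered a byte at a time; with compression off (the state the NGINX settings above produce), every candidate yields the same length and there is nothing to learn.

```python
"""Compression-oracle model of the CRIME attack (added example, not GitLab code).

The attacker controls part of a request that is compressed together with a
secret cookie before encryption and observes only the length of the output.
Everything here (request layout, cookie value, alphabet, padding) is
constructed for the example.
"""
import zlib
from typing import Optional

COOKIE_NAME = "sessionid="
SECRET_COOKIE = COOKIE_NAME + "7f3a9c"  # constructed secret; the attacker never reads it
ALPHABET = "0123456789abcdef"          # the model assumes a hex session id


def build_request(attacker_bytes: bytes) -> bytes:
    """Model of one HTTPS request: attacker-controlled path, victim's cookie."""
    return (b"GET /" + attacker_bytes + b" HTTP/1.1\r\n"
            b"Host: gitlab.example\r\n"
            b"Cookie: " + SECRET_COOKIE.encode() + b"\r\n\r\n")


def observed_length(attacker_bytes: bytes, compression: bool) -> int:
    """What a network observer learns: the record length.

    Encryption hides content but preserves length, so the length of the
    compressed plaintext is exactly what leaks. Without compression the
    length is independent of whether the attacker's bytes match the cookie.
    """
    data = build_request(attacker_bytes)
    return len(zlib.compress(data, 6)) if compression else len(data)


def score(guess: str, compression: bool, trials: int = 16) -> int:
    """Sum of observed lengths over paddings of different lengths.

    Deflate output is byte-aligned, so the 7- or 8-bit saving from a correct
    guess is invisible for roughly one bit alignment in eight. Bytes >= 0x90
    take 9-bit codes in deflate's fixed Huffman table, so padding with k of
    them shifts the alignment by k bits and the saving shows in most trials.
    """
    total = 0
    for k in range(trials):
        padding = bytes(0x90 + i for i in range(k))  # k distinct, incompressible bytes
        total += observed_length(padding + guess.encode(), compression)
    return total


def recover_secret(compression: bool = True, length: int = 6) -> Optional[str]:
    """Recover the cookie value one character at a time.

    Returns None when the oracle gives no signal (all candidates score the
    same), which is what happens when compression is off.
    """
    known = COOKIE_NAME
    for _ in range(length):
        scores = {c: score(known + c, compression) for c in ALPHABET}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            return None
        known += winners[0]
    return known[len(COOKIE_NAME):]


if __name__ == "__main__":
    print("compressed:  ", recover_secret(compression=True))   # 7f3a9c
    print("uncompressed:", recover_secret(compression=False))  # None
```

The padding loop is the part a real attack also has to get right: because the compressor emits whole bytes, a single measurement can hide the saving from a correct guess, and the attacker needs several differently aligned requests per candidate to see it. That noise handling is also why a scanner that only looks at advertised protocols cannot measure whether the leak exists; only the compression setting decides it.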
## Nessus

The Nessus scanner [reports a possible CRIME vulnerability](https://www.tenable.com/plugins/nessus/62565) in GitLab
in a format similar to the following:

```plaintext
Description
This remote service has one of two configurations that are known to be required for the CRIME attack:
SSL/TLS compression is enabled.
TLS advertises the SPDY protocol earlier than version 4.
...
Output
The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
SPDY support earlier than version 4 is advertised.
```

The report above shows that Nessus only checks whether TLS advertises a SPDY
version earlier than 4. It does not perform the attack, nor does it check
whether compression is enabled, so the scanner alone cannot tell that SPDY
header compression is disabled and the server is not subject to the CRIME
vulnerability. A direct look at the negotiated session (for example, the
`Compression:` line that `openssl s_client` prints) shows whether TLS
compression is actually in use, with the caveat that most OpenSSL client builds
cannot negotiate compression at all, so a `NONE` there only proves what that
client did; the authoritative check is the NGINX configuration itself.

## References

- NGINX ["Module `ngx_http_spdy_module`"](https://nginx.org/en/docs/http/ngx_http_spdy_module.html)
- Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"](https://www.tenable.com/plugins/nessus/62565)
- Wikipedia contributors, ["CRIME"](https://en.wikipedia.org/wiki/CRIME), Wikipedia, The Free Encyclopedia

<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, for example `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->