CVE-2012-4929 in Chrome

Summary

by MITRE

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.


Analysis

by VulDB Data Team • 12/13/2021

The vulnerability described in CVE-2012-4929 represents a critical security flaw in the Transport Layer Security protocol implementation across multiple widely used software products including Mozilla Firefox, Google Chrome, and Qt frameworks. This weakness specifically affects TLS protocol versions 1.2 and earlier, exposing systems to sophisticated man-in-the-middle attacks that exploit the protocol's handling of compressed data. The fundamental issue lies in how these implementations encrypt compressed content while failing to adequately obfuscate the length characteristics of the original uncompressed data, creating a significant information disclosure risk.

The technical flaw manifests when compression is applied to HTTP headers and other sensitive data within TLS sessions. When data compression occurs before encryption, the attacker can observe the encrypted payload lengths and correlate them with known plaintext patterns. This creates a side-channel attack vector where an adversary can make educated guesses about the content of HTTP headers by measuring the differences in encrypted message lengths. The attack operates on the principle that compression shrinks repeated content: when a guessed string in the request matches the unknown string in a header, the compressed message, and with it the encrypted payload, is shorter than for a non-matching guess, allowing attackers to deduce the actual header values through statistical analysis and iterative guessing techniques.

This vulnerability has severe operational implications for web security infrastructure and user privacy. The CRIME attack enables attackers to extract sensitive information from HTTP headers including authentication tokens, session identifiers, and other confidential data without requiring direct decryption of the encrypted traffic. The attack is particularly dangerous because it can be executed from standard man-in-the-middle positions such as public Wi-Fi networks, compromised routers, or malicious proxies, making it accessible to a broad range of threat actors. Organizations using affected software implementations face potential data breaches, session hijacking, and credential theft that could compromise user accounts and sensitive business information.

Security mitigations for this vulnerability involve disabling HTTP compression in TLS sessions, which prevents the attack by eliminating the predictable length variations that attackers exploit. Modern implementations have addressed this issue by implementing proper obfuscation techniques and by updating TLS protocol handling to prevent compression of sensitive data within encrypted contexts. The vulnerability aligns with CWE-310, which categorizes weaknesses related to cryptographic issues, and maps to ATT&CK technique T1041 where adversaries use data compression to avoid detection while maintaining access to network traffic. Organizations should implement comprehensive security updates, disable compression in TLS configurations, and conduct regular vulnerability assessments to ensure their systems remain protected against such side-channel attacks that exploit protocol implementation weaknesses rather than cryptographic algorithm flaws.
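The length side channel and the compression-off mitigation described above can be checked offline with the following added example, which is not part of the VulDB or MITRE entry. The request layout, the host name and the session value are constructed, and encryption is assumed to be length-preserving apart from constant overhead.

```python
import ssl
import zlib

SECRET = "7f3a9c1e5b2d4806"  # constructed sample session value, not real data


def build_request(injected: str, cookie: str = SECRET) -> bytes:
    """HTTP request in which `injected` models attacker-influenced text that
    shares one compression context with the secret Cookie header."""
    return (
        f"GET /?{injected} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"Cookie: session={cookie}\r\n\r\n"
    ).encode()


def observed_length(plaintext: bytes, compression: bool) -> int:
    """Length an on-path observer sees. Assumption: the cipher adds only
    constant overhead, so ciphertext length tracks (compressed) plaintext."""
    return len(zlib.compress(plaintext)) if compression else len(plaintext)


def length_gap(compression: bool) -> int:
    """Observed length for a non-matching injected string minus that for a
    matching one of equal size. Non-zero means length reveals the match."""
    match = "session=" + SECRET
    miss = "session=" + "XQZWKJVYPLMNTRGH"  # same length, no overlap with SECRET
    return (observed_length(build_request(miss), compression)
            - observed_length(build_request(match), compression))


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses TLS-level compression."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION  # set by default; explicit for audit
    return ctx


if __name__ == "__main__":
    print("gap with compression:   ", length_gap(True))
    print("gap without compression:", length_gap(False))
    ctx = hardened_client_context()
    print("OP_NO_COMPRESSION set:  ", bool(ctx.options & ssl.OP_NO_COMPRESSION))
```

On a live connection, `SSLSocket.compression()` returning `None` confirms that no TLS compression was negotiated.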

Reservation

09/15/2012

Disclosure

09/15/2012

Moderation

accepted

Entry

VDB-62276

CPE

ready

EPSS

0.04266

KEV

no

Activities

very low
