===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2999
   Security Bulletin: Sweet32 vulnerability that impacts Triple DES cipher
   affects Communications Server for Data Center Deployment, Communications
     Server for AIX, Linux, Linux on System z, and Windows (CVE-2016-2183)
                              16 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Communications Server for AIX
Publisher:         IBM
Operating System:  AIX
                   Linux variants
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2183
Reference:         ASB-2016.0095
                   ESB-2016.2990
                   ESB-2016.2949

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21995057

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Sweet32 vulnerability that impacts Triple DES cipher
affects Communications Server for Data Center Deployment, Communications
Server for AIX, Linux, Linux on System z, and Windows (CVE-2016-2183)

Security Bulletin

Document information

More support for:    Communications Server for Data Center Deployment
Software version:    7.0.0.0
Operating system(s): AIX, Linux
Software edition:    All Editions
Reference #:         1995057
Modified date:       15 December 2016

Summary

Sweet32 exposes a weakness in the Triple DES algorithm for encrypted
sessions that receive more than 2 GBytes of data. Once that amount of data
has been exchanged on a session, its captured traffic becomes easier to
decrypt.

Vulnerability Details

CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the Triple-DES 64-bit block cipher used
as part of the SSL/TLS protocol.
By capturing large amounts of encrypted traffic between the SSL/TLS server
and the client, a remote attacker able to conduct a man-in-the-middle attack
could exploit this vulnerability to recover the plaintext data and obtain
sensitive information. This vulnerability is known as the SWEET32 Birthday
attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This problem affects the following distributed Communications Server
products:

5725H32 - Communications Server for Data Center Deployment, V7.0
5765E51 - Communications Server for AIX, V6.4
5724I33 - Communications Server for Linux, V6.4
5724I34 - Communications Server for Linux on System z, V6.4
5639F25 - Communications Server for Windows, V6.4, V6.1.3

Remediation/Fixes

The recommended solution is to apply the Fix Pack or PTF for each named
product as soon as practical. Visit Fix Central to find these APARs (under
the Other Software brand).
Product ID  Product name
----------  --------------------
5725H32     Communications Server for Data Center Deployment 7.0
            - apply APAR IV07799 for AIX platforms
              - Package on Fix Central: OS-GSKIT8-70-SWEET32-7003-AIX-UPDATE
            - apply APAR LI79293 for Linux platforms
              - Packages on Fix Central:
                OS-GSKIT8-70-SWEET32-7003-I686-LINUX
                OS-GSKIT8-70-SWEET32-7003-PPC64-LINUX
                OS-GSKIT8-70-SWEET32-7003-S390X-LINUX
                OS-GSKIT8-70-SWEET32-7003-X86_64-LINUX
5765E51     Communications Server for AIX V6.4
            - apply APAR IV91306 for level 6.4.0.7 on AIX platform
              - Package on Fix Central: OS-GSKIT8-70-SWEET32-6407-AIX-UPDATE
5724I33     Communications Server for Linux V6.4
            - apply APAR LI79296 for level 6.4.0.7 on Linux platform
              - Packages on Fix Central:
                OS-GSKIT8-70-SWEET32-6407-X86_64-LINUX
                OS-GSKIT8-70-SWEET32-6407-PPC64-LINUX
                OS-GSKIT8-70-SWEET32-6407-X86_64-LINUX
5724I34     Communications Server for Linux on System z V6.4
            - apply APAR LI79299 for level 6.4.0.7 on Linux platform
              - Package on Fix Central: OS-GSKIT8-70-SWEET32-6407-S390X-LINUX
5639F25     Communications Server for Windows V6.4, V6.1.3
            - apply APAR JR57102 for level 6.4.0.7 on Windows platform
              - Package on Fix Central: OS-GSKIT8-70-SWEET32-6407-WINDOWS-UPDATE
            - apply APAR JR57103 for level 6.1.3.5 on Windows platform
              - Package on Fix Central: OS-GSKIT7-5-9-SWEET32-6135-WINDOWS-UPDATE

For previous versions of Communications Server for AIX, V6.3, we recommend
you upgrade to Communications Server for Data Center Deployment, V7.

For previous versions of Communications Server for Linux, V6.2, we recommend
you upgrade to Communications Server for Data Center Deployment, V7.

For previous versions of Communications Server for Linux on System z, V6.2,
we recommend you upgrade to Communications Server for Data Center
Deployment, V7.

For previous versions of Communications Server for Windows, V6.1.2, we
recommend you upgrade to Communications Server for Windows, V6.4.
Once this fix is applied, if the secure socket connection supporting the
TN3270 session receives more than 2 GBytes, the session will be disconnected
with an error code.

Example: On a CS Linux server, the error message will look like this:

  O/S send call failed with error code 0x01bd.

Here 0x01bd is hexadecimal for decimal 445, which is the GSK error
GSK_ERROR_BYTECOUNT_EXHAUSTED.

Workarounds and Mitigations

For Communications Server for Data Center Deployment, V7, Communications
Server for AIX, V6.4, Communications Server for Linux V6.4, Communications
Server for Linux on System z, V6.4, Communications Server for Windows, V6.4,
and Communications Server for Windows, V6.1.3, you can mitigate this
vulnerability by limiting the amount of data on a TN3270 SSL session to no
more than 2 GBytes. TN3270 sessions normally do not stay active long enough
to have this amount of data received on a socket session. If a secure
session could be active for months at a time, or the session is used to do
file transfers, then upgrade the product with this APAR fix.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
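As an added illustration of the byte-count limit described in the IBM bulletin above (example code written for this page, not IBM's GSKit or Communications Server code), the block below does two things: it estimates, with the standard birthday bound, how likely a ciphertext block collision becomes as a 64-bit block cipher such as Triple DES carries more data (and compares that with a 128-bit block cipher), and it models a per-session byte budget that refuses further data once the limit is passed, raising an error that carries the bulletin's code 0x01bd (445). The values 2 * 1024**3 for "2 GBytes", and the names `block_collision_probability`, `SessionByteBudget` and `ByteCountExhausted`, are assumptions made for the example.

```python
import math

# Triple DES encrypts 64-bit blocks; that block width, not the key size,
# is what the Sweet32 birthday attack exploits.
BLOCK_BITS_3DES = 64

# The bulletin says the fixed product drops a TN3270 SSL session once it has
# received more than 2 GBytes. Reading "2 GBytes" as 2 * 1024**3 bytes is an
# assumption of this example.
BYTE_LIMIT = 2 * 1024 ** 3

# Error code quoted in the bulletin: 0x01bd == 445 == GSK_ERROR_BYTECOUNT_EXHAUSTED
GSK_ERROR_BYTECOUNT_EXHAUSTED = 0x01BD


def block_collision_probability(n_bytes, block_bits=BLOCK_BITS_3DES):
    """Birthday-bound estimate of the chance that at least two ciphertext
    blocks collide after n_bytes of CBC traffic under a block_bits-wide
    cipher: P ~= 1 - exp(-n(n-1) / 2^(b+1)), with n = number of blocks.
    A collision leaks the XOR of two plaintext blocks, which is the
    foothold the Sweet32 attack builds on."""
    n = n_bytes // (block_bits // 8)
    return -math.expm1(-(n * (n - 1)) / 2.0 ** (block_bits + 1))


class ByteCountExhausted(Exception):
    """Raised when a session passes its byte budget; mirrors the GSK error
    the bulletin shows ("O/S send call failed with error code 0x01bd")."""

    def __init__(self):
        self.code = GSK_ERROR_BYTECOUNT_EXHAUSTED
        super().__init__(
            f"error code {self.code:#06x} ({self.code}): GSK_ERROR_BYTECOUNT_EXHAUSTED")


class SessionByteBudget:
    """Hypothetical model of the fix: count bytes received on one encrypted
    session and refuse further data once the limit would be exceeded."""

    def __init__(self, limit=BYTE_LIMIT):
        self.limit = limit
        self.received = 0

    def account(self, nbytes):
        """Record nbytes received; return the running total, or raise."""
        if self.received + nbytes > self.limit:
            raise ByteCountExhausted()
        self.received += nbytes
        return self.received
```

At the bulletin's 2 GByte limit the collision probability for 3DES is roughly 0.2%, while at 32 GiB (the 2^32-block birthday bound) it is about 39%; for a 128-bit block cipher the same 2 GBytes gives a probability that is effectively zero, which is why the limit only matters for Triple DES sessions.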
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================