-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2999
  Security Bulletin: Sweet32 vulnerability that impacts Triple DES cipher
 affects Communications Server for Data Center Deployment, Communications
   Server for AIX, Linux, Linux on System z, and Windows (CVE-2016-2183)
                             16 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Communications Server for AIX
Publisher:         IBM
Operating System:  AIX
                   Linux variants
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2183  

Reference:         ASB-2016.0095
                   ESB-2016.2990
                   ESB-2016.2949

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21995057

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Sweet32 vulnerability that impacts Triple DES cipher 
affects Communications Server for Data Center Deployment, Communications 
Server for AIX, Linux, Linux on System z, and Windows (CVE-2016-2183)

Security Bulletin

Document information

More support for:      Communications Server for Data Center Deployment
Software version:      7.0.0.0
Operating system(s):   AIX, Linux
Software edition:      All Editions
Reference #:           1995057
Modified date:         15 December 2016

Summary

Sweet32 exposes a problem in the Triple DES algorithm for sessions that 
receive more than 2 GBytes of data on an encrypted session. Once beyond that 
amount of data, the algorithm allows for an intrusion in which the data can 
be more easily decrypted.

Vulnerability Details

CVEID: CVE-2016-2183

DESCRIPTION:

OpenSSL could allow a remote attacker to obtain sensitive information, caused
by an error in the Triple-DES 64-bit block cipher, used as a part of
the SSL/TLS protocol. By capturing large amounts of encrypted traffic between
the SSL/TLS server and the client, a remote attacker able to conduct a 
man-in-the-middle attack could exploit this vulnerability to recover the 
plaintext data and obtain sensitive information. This vulnerability is known 
as the SWEET32 Birthday attack.

CVSS Base Score: 3.7

CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This problem affects the following distributed Communications Server products:

5725H32 - Communications Server for Data Center Deployment, V7.0

5765E51 - Communications Server for AIX, V6.4

5724I33 - Communications Server for Linux, V6.4

5724I34 - Communications Server for Linux on System z, V6.4

5639F25 - Communications Server for Windows, V6.4, V6.1.3

Remediation/Fixes

The recommended solution is to apply the Fix Pack or PTF for each named 
product as soon as practical. Visit Fix Central to find these APARs (under 
Other Software brand).

Product ID Product name

- ------------- --------------------

5725H32 Communications Server for Data Center Deployment 7.0

    apply APAR IV07799 for AIX platforms
        Package on Fix Central:
            OS-GSKIT8-70-SWEET32-7003-AIX-UPDATE

    apply APAR LI79293 for Linux platforms
        Packages on Fix Central:
            OS-GSKIT8-70-SWEET32-7003-I686-LINUX
            OS-GSKIT8-70-SWEET32-7003-PPC64-LINUX
            OS-GSKIT8-70-SWEET32-7003-S390X-LINUX
            OS-GSKIT8-70-SWEET32-7003-X86_64-LINUX

5765E51 Communications Server for AIX V6.4

    apply APAR IV91306 for level 6.4.0.7 on AIX platform
        Package on Fix Central:
            OS-GSKIT8-70-SWEET32-6407-AIX-UPDATE

5724I33 Communications Server for Linux V6.4

    apply APAR LI79296 for level 6.4.0.7 on Linux platform
        Packages on Fix Central:
            OS-GSKIT8-70-SWEET32-6407-X86_64-LINUX
            OS-GSKIT8-70-SWEET32-6407-PPC64-LINUX
            OS-GSKIT8-70-SWEET32-6407-X86_64-LINUX

5724I34 Communications Server for Linux on System z V6.4

    apply APAR LI79299 for level 6.4.0.7 on Linux platform
        Package on Fix Central:
            OS-GSKIT8-70-SWEET32-6407-S390X-LINUX

5639F25 Communications Server for Windows V6.4, V6.1.3

    apply APAR JR57102 for level 6.4.0.7 on Windows platform
        Package on Fix Central:
            OS-GSKIT8-70-SWEET32-6407-WINDOWS-UPDATE

    apply APAR JR57103 for level 6.1.3.5 on Windows platform
        Package on Fix Central:
            OS-GSKIT7-5-9-SWEET32-6135-WINDOWS-UPDATE

For previous versions of Communications Server for AIX, V6.3, we recommend you
upgrade to Communications Server for Data Center Deployment, V7.

For previous versions of Communications Server for Linux, V6.2, we recommend 
you upgrade to Communications Server for Data Center Deployment, V7.

For previous versions of Communications Server for Linux on System z, V6.2, we
recommend you upgrade to Communications Server for Data Center Deployment, V7.

For previous versions of Communications Server for Windows, V6.1.2, we 
recommend you upgrade to Communications Server for Windows, V6.4.

Once this fix is applied, if the secure socket connection supporting the 
TN3270 session receives more than 2 GBytes, the session will be disconnected 
with an error code:

Example: On a CS Linux server, the error message will look like this:

O/S send call failed with error code 0x01bd.

Here 0x01bd is hexadecimal for 445, which is the GSK error 
GSK_ERROR_BYTECOUNT_EXHAUSTED.
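
After the fix is applied, a log scan for this disconnect shows which sessions are reaching the byte-count limit. The following is an added example, not code from IBM or AusCERT; the timestamp prefix and the sample lines are constructed, and only the message text and the 0x01bd / 445 mapping come from the bulletin.

```python
import re
from collections import Counter

# Code named in the bulletin: 0x01bd == 445 == GSK_ERROR_BYTECOUNT_EXHAUSTED.
GSK_ERROR_BYTECOUNT_EXHAUSTED = 445

# Message text as quoted in the bulletin; the hex code is captured.
SEND_FAILED = re.compile(
    r"O/S send call failed with error code 0x([0-9a-fA-F]+)")

# Constructed sample log. The "date time" prefix is an assumed layout;
# only the message text itself comes from the bulletin.
SAMPLE_LOG = """\
2017-01-09 02:14:55 O/S send call failed with error code 0x01bd.
2017-01-09 07:30:12 TN3270 session started
2017-01-10 02:15:03 O/S send call failed with error code 0x01BD.
2017-01-10 11:02:40 O/S send call failed with error code 0x0068.
"""

def scan(log_text):
    """Return (byte-limit disconnects per day, other send-failure codes)."""
    per_day = Counter()
    other_codes = Counter()
    for line in log_text.splitlines():
        match = SEND_FAILED.search(line)
        if not match:
            continue
        code = int(match.group(1), 16)  # the log prints the code in hex
        if code == GSK_ERROR_BYTECOUNT_EXHAUSTED:
            day = line.split(" ", 1)[0]  # assumed: line starts with the date
            per_day[day] += 1
        else:
            other_codes[code] += 1  # counted numerically, not interpreted
    return per_day, other_codes

if __name__ == "__main__":
    exhausted, others = scan(SAMPLE_LOG)
    for day, count in sorted(exhausted.items()):
        print(f"{day}: {count} session(s) cut at the byte-count limit")
    for code, count in sorted(others.items()):
        print(f"other send failure 0x{code:04x} ({code}): {count}")
```

Sessions that show up here repeatedly are the long-lived or file-transfer sessions the bulletin singles out.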

Workarounds and Mitigations

For Communications Server for Data Center Deployment, V7, Communications 
Server for AIX, V6.4, Communications Server for Linux V6.4, Communications 
Server for Linux on System z, V6.4, Communications Server for Windows, V6.4, 
and Communications Server for Windows, V6.1.3 you can mitigate this 
vulnerability by limiting the amount of data on a TN3270 SSL session to no 
more than 2 GBytes. TN3270 sessions normally do not stay active long enough 
to have this amount of data received on a socket session. If a secure session 
could be active for months at a time or the session is used to do file 
transfers, then upgrade the product with this APAR fix.
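
The margin that a 2 GByte ceiling leaves on a 64-bit block cipher can be worked out with the standard birthday approximation. This is an added example, not part of the IBM bulletin; it assumes "2 GBytes" means 2^31 bytes, that ciphertext blocks behave as uniformly random values under one key, and it includes a 128-bit block size purely for comparison.

```python
import math

GIB = 2 ** 30
LIMIT = 2 * GIB  # assumption: the bulletin's "2 GBytes" read as 2^31 bytes

def collision_probability(data_bytes, block_bits):
    """Birthday approximation: chance that two ciphertext blocks collide."""
    n = data_bytes * 8 // block_bits        # blocks encrypted under one key
    exponent = n * (n - 1) / 2 ** (block_bits + 1)
    return -math.expm1(-exponent)           # 1 - exp(-x), accurate for tiny x

def bytes_for_probability(p, block_bits):
    """Data volume at which the collision probability reaches p."""
    n = math.sqrt(2 ** (block_bits + 1) * -math.log1p(-p))
    return n * block_bits / 8

if __name__ == "__main__":
    for bits in (64, 128):
        p = collision_probability(LIMIT, bits)
        print(f"{bits:3d}-bit blocks, 2 GiB on one key: p = {p:.3e}")
    for p in (0.01, 0.5):
        gib = bytes_for_probability(p, 64) / GIB
        print(f"64-bit blocks reach p = {p} after about {gib:.1f} GiB")
```

At the 2 GByte cut-off a collision has a probability of roughly 0.2% per session key, while an even chance needs tens of gigabytes, which is why only long-lived or bulk-transfer sessions are of concern.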

References

Complete CVSS v3 Guide

On-line Calculator v3

Acknowledgement

None

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----