Security Bulletin: Vulnerability in RC4 stream cipher affects Multiple N-series Products (CVE-2015-2808)

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects Multiple N-series Products

Vulnerability Details

CVEID: CVE-2015-2808

DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.

CVSS Base Score: 5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

7-Mode Data ONTAP 8.1.x and 8.2.x;

Clustered Data ONTAP 8.2.x;

NS OnCommand Core Package: 5.2, 5.2R1, 5.2P1, 5.2P2;

NS OnCommand Unified Manager for DataONTAP: 6.1R1;

Remediation/Fixes

None

Workarounds and Mitigations

You should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

For 7-Mode Data ONTAP 8.2.3 and above (below 8.3)

A new option “options rc4.enable” allows you to enable or disable the RC4 encryption algorithm that is used in the TLS and SSL protocols over HTTPS and FTPS connections. The option defaults to “on”. To disable the RC4 cipher type ：

“options rc4.enable off”.

For Clustered Data ONTAP 8.2.2 RC1 and above (below 8.3)

You can enable the OpenSSL FIPS 140-2 compliance mode to disable RC4 ciphers by executing the following command at the admin privilege level in the clustershell:

“system services web modify -ssl-fips-enable true”

Above workarounds are supported only in Data ONTAP 8.2.3 and above for 7-Mode and Data ONTAP 8.2.2 RC1 and above for Clustered-Mode. For customers who use 7-Mode Data ONTAP 8.1.x and 8.2.x (below 8.2.3), IBM urges an upgrading to 7-Mode Data ONTAP 8.2.3 and above (below 8.3) to implement the corresponding workaround. For customers who use Clustered Data ONTAP 8.1.x and 8.2.x (below 8.2.2RC1), IBM urges an upgrading to Clustered Data ONTAP 8.2.2 RC1 and above (below 8.3) to implement the corresponding workaround. Contact IBM support or go to this link to download a supported release.

For customers who are using NS OnCommand Core Package or NS OnCommand Unified Manager for DataONTAP, please contact IBM support.