Security Bulletin: Vulnerability in GSKit affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2016-2183)

Summary

An OpenSSL vulnerability disclosed by the OpenSSL Project affects GSKit. IBM Sterling Connect:Direct for Microsoft Windows uses GSKit and therefore is also vulnerable. This vulnerability is known as the SWEET32 Birthday attack.

Vulnerability Details

CVEID: CVE-2016-2183**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Sterling Connect:Direct for Microsoft Windows 4.7.0.0 through 4.7.0.4_iFix027

Remediation/Fixes

IBM recommends that you review your entire environment to identify areas that enable DES/3DES cipher suites and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling DES/3DES cipher suites. You should verify disabling DES/3DES cipher suites does not cause any compatibility issues.

Apply and enable the following fix when you cannot disable DES/3DES cipher suites in your environment.

The fix adds the ability to engage a GSKit remediation for this vulnerability via a system environment variable named CD_GSK_OPTIONS. To enable the remediation, set the value of this system environment variable to GSK_ENFORCE_TDEA_RESTRICTION. Than cycle (stop and restart) Sterling Connect:Direct.
Caution: The effect of this remediation is to arbitrarily break a session after 32 GB of data have been transmitted.

In addition to the GSKit remediation, CD Secure+ Admin Tool (SPAdmin) and CD Secure+ CLI (SPCli) have been enhanced to display warnings when deprecated cipher suites or protocols have been configured, which includes all cipher suites using an RC4, DES/3DES or no encryption algorithm and the SSLv3 protocol at this time.
Note: Deprecated cipher suites and protocols may be disabled in a future update.

Workarounds and Mitigations

Disable DES/3DES cipher suites.