Lucene search

K
ibmIBM26CE7C1AAFA750AEA550E154567083BB107029164FBC8A538FD7AE568423A32C
HistoryJul 24, 2020 - 10:19 p.m.

Security Bulletin: Vulnerability in GSKit affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2016-2183)

2020-07-2422:19:08
www.ibm.com
30

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

77.1%

Summary

An OpenSSL vulnerability disclosed by the OpenSSL Project affects GSKit. IBM Sterling Connect:Direct for Microsoft Windows uses GSKit and therefore is also vulnerable. This vulnerability is known as the SWEET32 Birthday attack.

Vulnerability Details

CVEID: CVE-2016-2183**
DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Sterling Connect:Direct for Microsoft Windows 4.7.0.0 through 4.7.0.4_iFix027

Remediation/Fixes

IBM recommends that you review your entire environment to identify areas that enable DES/3DES cipher suites and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling DES/3DES cipher suites. You should verify disabling DES/3DES cipher suites does not cause any compatibility issues.

Apply and enable the following fix when you cannot disable DES/3DES cipher suites in your environment.

Product VRMF APAR Remediation/First Fix
IBM Sterling Connect:Direct for Microsoft Windows 4.7.0 IT19772 Apply 4.7.0.5, available on Fix Central

The fix adds the ability to engage a GSKit remediation for this vulnerability via a system environment variable named CD_GSK_OPTIONS. To enable the remediation, set the value of this system environment variable to GSK_ENFORCE_TDEA_RESTRICTION. Than cycle (stop and restart) Sterling Connect:Direct.
Caution: The effect of this remediation is to arbitrarily break a session after 32 GB of data have been transmitted.

In addition to the GSKit remediation, CD Secure+ Admin Tool (SPAdmin) and CD Secure+ CLI (SPCli) have been enhanced to display warnings when deprecated cipher suites or protocols have been configured, which includes all cipher suites using an RC4, DES/3DES or no encryption algorithm and the SSLv3 protocol at this time.
Note: Deprecated cipher suites and protocols may be disabled in a future update.

Workarounds and Mitigations

Disable DES/3DES cipher suites.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

77.1%