Security Bulletin: Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem 840 and V840 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568)

Summary

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols which is used by IBM FlashSystem 840 and V840 systems. OpenSSL had a vulnerability which allowed forceful downgrade of the communication to SSL 3.0, which is vulnerable to the padding oracle attack, when using block cipher suites in cipher block chaining (CBC) mode. This attack on SSL 3.0’s CBC mode is also known under the alias POODLE. SSL 3.0 itself is no longer being updated, thus it is recommended that users configure their applications to require at least TLS protocol version 1.0 for secure communication.

Vulnerability Details

1. CVE-ID: CVE-2014-3513
DESCRIPTION: OpenSSL DTLS SRTP denial of service. OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/97035 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

2. CVE-ID: CVE-2014-3566 DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

3. CVE-ID: CVE-2014-3567 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server in a Denial of Service attack.
CVSS Base Score: 5.0
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/97036 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

4. CVE-ID: CVE-2014-3568 DESCRIPTION: OpenSSL could allow a remote attacker bypass security restrictions. When configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/97037 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM FlashSystem 840:
Machine Type 9840, model -AE1 (all supported releases before 1.1.3.2)
Machine Type 9843, model -AE1 (all supported releases before 1.1.3.2)

IBM FlashSystem V840:
Machine Type 9846, model -AE1 (all supported releases before 1.1.3.2)
Machine Type 9848, model -AE1 (all supported releases before 1.1.3.2)
Machine Type 9846, models -AC0, & -AC1 (all supported releases before 7.3.0.8)
Machine Type 9848, models -AC0, & -AC1 (all supported releases before 7.3.0.8)

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM FlashSystem 840 and V840 systems to the following code level or higher:

for 840 & V840 machine types 9840, 9846, & 9848, –AE1 models: 1.1.3.2
for V840 machine types 9846 & 9848, –AC0 & -AC1 models: 7.3.0.8

In addition, IBM recommends that you review your entire environment to identify vulnerable releases of OpenSSL in other (e.g. non-IBM products and versions) including in your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information.

Workarounds and Mitigations

None known