Lucene search

K
ibmIBM30B85D27D79A842AC5411CD24C5A6C453FC07F21C5E9546CCCC6B99631AFCD79
HistoryFeb 18, 2023 - 1:45 a.m.

Security Bulletin: The IBM FlashSystem 840 product is affected by a vulnerability in OpenSSL (CVE-2014-0224 = SSL/TLS MITM vulnerability)

2023-02-1801:45:50
www.ibm.com
15

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.974 High

EPSS

Percentile

99.9%

Summary

Security vulnerability has been discovered in OpenSSL

Vulnerability Details

**CVE-ID:**CVE-2014-0224

**DESCRIPTION:**FlashSystem 840 uses OpenSSL to protect connection from external management applications which use SMI-S to its CIM client.

Affected versions of OpenSSL do not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, a.k.a. the “CCS Injection” vulnerability.

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client and a vulnerable server. However, as of when this CVE was posted, all OpenSSL clients were vulnerable (i.e. in all versions of OpenSSL). And in code levels before 1.1.2.0, the FlashSystem 840 has a vulnerable OpenSSL server.

CVSS v2 Base Score: 6.8
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/93586&gt;
CVSS Vector: (AV:N/AC:M/AU:N/C:P/I:P/A:P)

Affected Products and Versions

_FlashSystem 840 including machine type models (all available code levels) _
9840-AE1 & 9843-AE1

Remediation/Fixes

Products

| VRMF| APAR| Remediation/First Fix
—|—|—|—
9840-AE1,
9843-AE1,| A code fix is now available, the VRMF of this code level is 1.1.2.2| N/A| _The recommended remediation is to apply this code fix for this OpenSSL vulnerability. _

Workarounds and Mitigations

A user could potentially restrict his network so that there is no opportunity for an attacker to insert himself as man-in-the-middle.

CPENameOperatorVersion
ibm flashsystem 900eqany

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.974 High

EPSS

Percentile

99.9%

Related for 30B85D27D79A842AC5411CD24C5A6C453FC07F21C5E9546CCCC6B99631AFCD79